[syslog-ng] [Bug 91] New: Cisco ASA log parsing issues
bugzilla at bugzilla.balabit.com
Thu Jul 1 02:49:50 CEST 2010
https://bugzilla.balabit.com/show_bug.cgi?id=91
Summary: Cisco ASA log parsing issues
Product: syslog-ng
Version: 3.1.x
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: unspecified
Component: syslog-ng
AssignedTo: bazsi at balabit.hu
ReportedBy: jon at jonjames.net
Type of the Report: bug
Estimated Hours: 0.0
Original log as seen by tcpdump:
16:42:08.734684 IP 172.16.32.157.syslog > 172.16.32.172.syslog: SYSLOG local4.notice, length: 95
E..{.......^.. ... ......g<.<165>Jul 01 2010 00:32:59: %ASA-5-111001: Begin configuration: 172.16.16.154 writing to memory
After being relayed, as seen by tcpdump:
16:42:59.208826 IP 172.16.32.172.33753 > 172.16.32.225.syslog: SYSLOG local4.notice, length: 120
E...a. at .@.?... ... ........?<165>1 2010-07-01T00:33:50-04:00 172.16.32.157 %ASA-5-111001 - - - Begin configuration: 172.16.16.154 writing to memory
As you can see, syslog-ng appears to be messing with the datestamp and therefore the RSA enVision device I'm relaying to does not recognize the log as being from a Cisco ASA.
Is there a way to update the log parser in syslog to resolve this issue?
syslog-ng.conf (parts):

@version: 3.0

options {
    time_sleep(30);
    time_reap(30);
    mark_freq(30);
    dns_cache(yes);
    use_fqdn(no);
    keep_hostname(yes);
    chain_hostnames(no);
    use_dns(no);
    dns_cache_size(250000);
    dns_cache_expire(300);
    dns_cache_expire_failed(300);
    stats_freq(3600);
    log_msg_size(10000);
};

source s_extranet {
    udp(ip("172.16.32.172") port(514));
};

log {
    source(s_extranet);
    destination(d_syslog_udp);
};

destination d_syslog_udp {
    syslog("172.16.32.225"
           transport("udp") port(514));
};
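As an added example, not part of the bug report and not syslog-ng code, the Python below parses the two captured payloads: the ASA's legacy line, whose timestamp carries a year but no zone and is followed by the %ASA-5-111001 tag, and the RFC 5424 line that the syslog() destination emitted. diff_relay() reports that PRI (local4.notice) and the message text survive the relay, that the %ASA-5-111001 tag ends up in the RFC 5424 APP-NAME field, and that the timestamp moves forward by 51 seconds, the same gap as between the two tcpdump capture times (16:42:08 and 16:42:59), so the relayed timestamp is the relay's own clock rather than the ASA's. render_rfc5424() shows what the relayed line would look like if the ASA's timestamp had been kept. The sample lines are constructed from the PRI and text of the two captures; the host name and the -04:00 offset are taken from the relayed line, and treating the ASA clock as being in that zone is an assumption.

```python
"""Added example: compare the Cisco ASA legacy syslog line with the
RFC 5424 line produced by the relay, field by field."""
import re
from datetime import datetime, timedelta, timezone

# Constructed from the PRI and text of the two tcpdump payloads in the report.
ORIGINAL = ("<165>Jul 01 2010 00:32:59: %ASA-5-111001: "
            "Begin configuration: 172.16.16.154 writing to memory")
RELAYED = ("<165>1 2010-07-01T00:33:50-04:00 172.16.32.157 %ASA-5-111001 - - - "
           "Begin configuration: 172.16.16.154 writing to memory")

# Cisco ASA legacy form: <PRI>Mon DD YYYY HH:MM:SS: %ASA-sev-id: text
ASA_LEGACY = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"(?P<asa_id>%ASA-\d-\d+): (?P<msg>.*)$")

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$")


def parse_asa_legacy(line):
    """Split an ASA legacy line into facility, severity, timestamp, ASA id, text."""
    m = ASA_LEGACY.match(line)
    if not m:
        raise ValueError("not a Cisco ASA legacy syslog line")
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        # Naive timestamp: the ASA line carries a year but no UTC offset.
        "timestamp": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "asa_id": m.group("asa_id"),
        "msg": m.group("msg"),
    }


def parse_rfc5424(line):
    """Split an RFC 5424 line into its header fields and message text."""
    m = RFC5424.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": datetime.fromisoformat(m.group("ts")),  # offset-aware
        "host": m.group("host"),
        "app": m.group("app"),
        "msg": m.group("msg") or "",
    }


def render_rfc5424(legacy, host, utc_offset_hours):
    """RFC 5424 rendering of a parsed legacy line that keeps the ASA's own
    timestamp. Assumes the ASA clock runs in the zone utc_offset_hours."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    ts = legacy["timestamp"].replace(tzinfo=tz).isoformat()
    pri = legacy["facility"] * 8 + legacy["severity"]
    return f"<{pri}>1 {ts} {host} {legacy['asa_id']} - - - {legacy['msg']}"


def diff_relay(original, relayed):
    """Report which fields the relay preserved and how far the timestamp moved."""
    a, b = parse_asa_legacy(original), parse_rfc5424(relayed)
    # Compare in the relay's zone, assuming the ASA clock is in the same zone.
    a_ts = a["timestamp"].replace(tzinfo=b["timestamp"].tzinfo)
    return {
        "priority_preserved": (a["facility"], a["severity"])
                              == (b["facility"], b["severity"]),
        "asa_id_moved_to_appname": b["app"] == a["asa_id"],
        "message_text_preserved": a["msg"] == b["msg"],
        # Positive: the relay stamped a later time than the ASA did.
        "timestamp_shift_seconds": (b["timestamp"] - a_ts).total_seconds(),
    }


if __name__ == "__main__":
    print(diff_relay(ORIGINAL, RELAYED))
    print(render_rfc5424(parse_asa_legacy(ORIGINAL), "172.16.32.157", -4))
```

Running the block prints a 51-second shift with every other field intact, which is the signature of a relay that did not recognise the vendor's year-bearing timestamp and substituted its receive time; a downstream device keyed to the legacy "Mon DD YYYY HH:MM:SS: %ASA-..." prefix will then see neither that prefix nor the original time.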