[syslog-ng] [Bug 91] New: Cisco ASA log parsing issues

Rory Toma rory at ooma.com
Thu Jul 1 02:53:32 CEST 2010


Is there a setting to use the new syslog format RFC? I wonder if that 
could be creating issues?

On 6/30/10 5:49 PM, bugzilla at bugzilla.balabit.com wrote:
> https://bugzilla.balabit.com/show_bug.cgi?id=91
>
>             Summary: Cisco ASA log parsing issues
>             Product: syslog-ng
>             Version: 3.1.x
>            Platform: PC
>          OS/Version: Linux
>              Status: NEW
>            Severity: normal
>            Priority: unspecified
>           Component: syslog-ng
>          AssignedTo: bazsi at balabit.hu
>          ReportedBy: jon at jonjames.net
> Type of the Report: bug
>     Estimated Hours: 0.0
>
>
> Original LOG as seen by TCPDUMP
>
> 16:42:08.734684 IP 172.16.32.157.syslog>  172.16.32.172.syslog: SYSLOG local4.notice, length: 95
> E..{.......^.. ... ......g<.<165>Jul 01 2010 00:32:59: %ASA-5-111001: Begin configuration: 172.16.16.154 writing to memory
>
>
> After being relayed as seen by TCPDUMP
>
> 16:42:59.208826 IP 172.16.32.172.33753>  172.16.32.225.syslog: SYSLOG local4.notice, length: 120
> E...a. at .@.?... ... ........?<165>1 2010-07-01T00:33:50-04:00 172.16.32.157 %ASA-5-111001 - - - Begin configuration: 172.16.16.154 writing to memory
>
>
> As you can see, syslog-ng appears to be messing with the datestamp and therefore the RSA enVision device I'm relaying to does not recognize the log as being
> from a Cisco ASA.
>
>
> Is there a way to update the log parser in syslog-ng to resolve this issue?
>
>
>
> syslog-ng.conf (parts)
>
> @version: 3.0
>
> options {
>     time_sleep(30);
>     time_reap(30);
>     mark_freq(30);
>     dns_cache(yes);
>     use_fqdn(no);
>     keep_hostname(yes);
>     chain_hostnames(no);
>     use_dns(no);
>     dns_cache_size(250000);
>     dns_cache_expire(300);
>     dns_cache_expire_failed(300);
>     stats_freq(3600);
>     log_msg_size(10000);
> };
>
> source s_extranet {
>     udp(ip("172.16.32.172") port(514));
> };
>
> log {
>     source(s_extranet);
>     destination(d_syslog_udp);
> };
>
> destination d_syslog_udp {
>     syslog("172.16.32.225" transport("udp") port(514));
> };
>
>
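The two captures above show one ASA event in two header layouts: the ASA's own RFC 3164-style line, and the RFC 5424 line that syslog-ng's syslog() destination driver emits (that driver speaks the IETF syslog protocol, hence the version digit, ISO timestamp and inserted hostname). As an added example, not code from this thread or from syslog-ng, the Python below parses both layouts and shows that a consumer written only for the native ASA header rejects the relayed line, which is the failure the downstream collector hits; the two sample lines are the ones quoted in the report.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The same Cisco ASA event in the two header layouts quoted in the bug report:
# the ASA's native form (RFC 3164 style, year in the timestamp, no hostname)
# and the RFC 5424 form emitted by syslog-ng's syslog() destination driver.
ASA_NATIVE = ("<165>Jul 01 2010 00:32:59: %ASA-5-111001: "
              "Begin configuration: 172.16.16.154 writing to memory")
RELAYED_5424 = ("<165>1 2010-07-01T00:33:50-04:00 172.16.32.157 %ASA-5-111001 - - - "
                "Begin configuration: 172.16.16.154 writing to memory")

# Native header: <PRI>Mon DD YYYY HH:MM:SS: %ASA-SEV-ID: MSG
NATIVE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$")
# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG;
# syslog-ng put the ASA code into APP-NAME and left PROCID/MSGID/SD as "-".
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) %ASA-(?P<sev>\d)-(?P<id>\d{6}) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[[^\]]*\]) (?P<msg>.*)$")

@dataclass
class AsaEvent:
    layout: str        # "native" or "rfc5424"
    facility: int      # PRI // 8  (165 -> 20 = local4, as tcpdump showed)
    severity: int      # PRI % 8   (165 -> 5 = notice)
    asa_severity: int  # the digit inside %ASA-x-nnnnnn
    message_id: str    # six-digit ASA message number, e.g. "111001"
    message: str       # free text after the header

def _build(layout: str, m: "re.Match[str]") -> AsaEvent:
    pri = int(m["pri"])
    return AsaEvent(layout, pri // 8, pri % 8, int(m["sev"]), m["id"], m["msg"])

def parse_native_only(line: str) -> Optional[AsaEvent]:
    """A consumer that knows only the ASA's own header, like the collector in the report."""
    m = NATIVE_RE.match(line)
    return _build("native", m) if m else None

def parse_asa(line: str) -> Optional[AsaEvent]:
    """Accept either layout so relaying through syslog() does not lose events."""
    for layout, rx in (("native", NATIVE_RE), ("rfc5424", RFC5424_RE)):
        m = rx.match(line)
        if m:
            return _build(layout, m)
    return None  # unknown layout: report it to the caller instead of dropping silently
```

Counting the lines for which parse_asa returns None next to the ones parse_native_only rejects gives a quick measure of how many events a header-rewriting relay is hiding from the downstream device.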