[syslog-ng] [Bug 91] New: Cisco ASA log parsing issues
Rory Toma
rory at ooma.com
Thu Jul 1 02:53:32 CEST 2010
Is there a setting to use the new syslog format RFC? I wonder if that
could be creating issues?
On 6/30/10 5:49 PM, bugzilla at bugzilla.balabit.com wrote:
> https://bugzilla.balabit.com/show_bug.cgi?id=91
>
> Summary: Cisco ASA log parsing issues
> Product: syslog-ng
> Version: 3.1.x
> Platform: PC
> OS/Version: Linux
> Status: NEW
> Severity: normal
> Priority: unspecified
> Component: syslog-ng
> AssignedTo: bazsi at balabit.hu
> ReportedBy: jon at jonjames.net
> Type of the Report: bug
> Estimated Hours: 0.0
>
>
> Original LOG as seen by TCPDUMP
>
> 16:42:08.734684 IP 172.16.32.157.syslog> 172.16.32.172.syslog: SYSLOG local4.notice, length: 95
> E..{.......^.. ... ......g<.<165>Jul 01 2010 00:32:59: %ASA-5-111001: Begin configuration: 172.16.16.154 writing to memory
>
>
> After being relayed as seen by TCPDUMP
>
> 16:42:59.208826 IP 172.16.32.172.33753> 172.16.32.225.syslog: SYSLOG local4.notice, length: 120
> E...a. at .@.?... ... ........?<165>1 2010-07-01T00:33:50-04:00 172.16.32.157 %ASA-5-111001 - - - Begin configuration: 172.16.16.154 writing to memory
>
>
> As you can see, syslog-ng appears to be messing with the datestamp and therefore the RSA enVision device I'm relaying to does not recognize the log as being
> from a Cisco ASA.
>
>
> Is there a way to update the log parser in syslog to resolve this issue?
>
>
>
> syslog-ng.conf (parts)
>
>
> @version: 3.0
>
> options {
> time_sleep(30);
> time_reap(30);
> mark_freq(30);
> dns_cache(yes);
> use_fqdn(no);
> keep_hostname(yes);
> chain_hostnames(no);
> use_dns(no);
> dns_cache_size(250000);
> dns_cache_expire(300);
> dns_cache_expire_failed(300);
> stats_freq(3600);
> log_msg_size(10000);
> };
>
>
> source s_extranet {
> udp(ip("172.16.32.172") port(514));
> };
>
> log {
> source(s_extranet);
> destination(d_syslog_udp);
> };
>
> destination d_syslog_udp {
> syslog("172.16.32.225"
> transport("udp") port(514));
> };
>
>
>
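To make the difference between the two captured payloads concrete, here is a small parser written for this thread (it is not code from the bug report, from Rory, or from syslog-ng). It takes the two syslog lines copied from the tcpdump output above, classifies each as either the Cisco ASA BSD-style layout or RFC 5424 framing, and shows that the relay changed only the header (version field, ISO 8601 timestamp, inserted hostname, empty PROCID/MSGID/SD fields) while the facility, severity, ASA message number and message text survived intact. The `SyslogEvent` class, the function names and the `to_asa_bsd` re-emitter are my own assumptions for illustration; they are not syslog-ng or RSA enVision APIs.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Both payloads are copied from the tcpdump captures in the bug report.
# PRI <165> = facility local4 (20) * 8 + severity notice (5).
ASA_ORIGINAL = ("<165>Jul 01 2010 00:32:59: %ASA-5-111001: "
                "Begin configuration: 172.16.16.154 writing to memory")
RELAYED_5424 = ("<165>1 2010-07-01T00:33:50-04:00 172.16.32.157 %ASA-5-111001 - - - "
                "Begin configuration: 172.16.16.154 writing to memory")

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# Cisco ASA's own BSD-style line: <PRI>Mon DD YYYY HH:MM:SS: %ASA-SEV-ID: text
ASA_BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"(?P<msg>%ASA-\d-\d+: .*)$"
)
ASA_ID_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d+)")


@dataclass
class SyslogEvent:
    framing: str             # "rfc5424" or "asa-bsd" (hypothetical labels)
    facility: int
    severity: int
    timestamp: str           # exactly as carried on the wire
    hostname: Optional[str]  # RFC 5424 only; the ASA form carries no hostname
    msg: str                 # text starting at the %ASA-... tag


def parse(line: str) -> SyslogEvent:
    """Classify a raw syslog line as RFC 5424 or Cisco ASA BSD-style and split it."""
    m = RFC5424_RE.match(line)
    if m:
        pri = int(m.group("pri"))
        # The relay moved the ASA tag into APP-NAME and the free text into MSG;
        # glue them back together so both framings yield the same msg field.
        msg = m.group("app") + ": " + (m.group("msg") or "")
        return SyslogEvent("rfc5424", pri // 8, pri % 8, m.group("ts"), m.group("host"), msg)
    m = ASA_BSD_RE.match(line)
    if m:
        pri = int(m.group("pri"))
        return SyslogEvent("asa-bsd", pri // 8, pri % 8, m.group("ts"), None, m.group("msg"))
    raise ValueError("unrecognised syslog framing: " + line[:40])


def asa_message_id(ev: SyslogEvent) -> Optional[str]:
    """Return the Cisco message number (e.g. '111001') regardless of framing."""
    m = ASA_ID_RE.search(ev.msg)
    return m.group("id") if m else None


def to_asa_bsd(ev: SyslogEvent) -> str:
    """Re-emit an event in the ASA BSD-style layout the original line used.

    The wall-clock time is kept as-is; only the notation changes
    (2010-07-01T00:33:50-04:00 -> Jul 01 2010 00:33:50).
    """
    pri = ev.facility * 8 + ev.severity
    ts = ev.timestamp
    if ev.framing == "rfc5424":
        ts = datetime.fromisoformat(ev.timestamp).strftime("%b %d %Y %H:%M:%S")
    return f"<{pri}>{ts}: {ev.msg}"


if __name__ == "__main__":
    for line in (ASA_ORIGINAL, RELAYED_5424):
        ev = parse(line)
        print(ev.framing, ev.facility, ev.severity, ev.hostname, asa_message_id(ev))
        print("  ->", to_asa_bsd(ev))
```

Running it shows both lines carry facility 20, severity 5 and ASA message 111001 with identical message text; what the downstream parser trips over is purely the header shape. In syslog-ng 3.x the `syslog()` destination driver used in the quoted configuration speaks the IETF syslog protocol (RFC 5424), which is exactly the framing seen in the relayed capture, whereas the `udp()`/`tcp()` destination drivers send the legacy BSD layout; the normaliser above is only a way to see that distinction, not a substitute for choosing the right driver for the receiver.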