[syslog-ng] [Bug 91] New: Cisco ASA log parsing issues

Patrick H. syslogng at feystorm.net
Thu Jul 1 03:15:46 CEST 2010


I doubt this is classified as a bug. If you simply need help, the 
mailing list is more appropriate.
Anyway, doing
destination d_whatever {
    tcp('172.16.32.225' template("<$PRI>$MONTH_ABBREV $DAY $YEAR $HOUR:$MIN:$SEC: $MSGHDR $MSGONLY"));
};
might get you what you want.

Sent: Wednesday, June 30, 2010 6:49:50 PM
From: bugzilla at bugzilla.balabit.com
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] [Bug 91] New: Cisco ASA log parsing issues
> https://bugzilla.balabit.com/show_bug.cgi?id=91
>
>            Summary: Cisco ASA log parsing issues
>            Product: syslog-ng
>            Version: 3.1.x
>           Platform: PC
>         OS/Version: Linux
>             Status: NEW
>           Severity: normal
>           Priority: unspecified
>          Component: syslog-ng
>         AssignedTo: bazsi at balabit.hu
>         ReportedBy: jon at jonjames.net
> Type of the Report: bug
>    Estimated Hours: 0.0
>
>
> Original log as seen by TCPDUMP
>
> 16:42:08.734684 IP 172.16.32.157.syslog > 172.16.32.172.syslog: SYSLOG local4.notice, length: 95
> E..{.......^.. ... ......g<.<165>Jul 01 2010 00:32:59: %ASA-5-111001: Begin configuration: 172.16.16.154 writing to memory
>
>
> After being relayed, as seen by TCPDUMP
>
> 16:42:59.208826 IP 172.16.32.172.33753 > 172.16.32.225.syslog: SYSLOG local4.notice, length: 120
> E...a. at .@.?... ... ........?<165>1 2010-07-01T00:33:50-04:00 172.16.32.157 %ASA-5-111001 - - - Begin configuration: 172.16.16.154 writing to memory
>
>
> As you can see, syslog-ng appears to be messing with the datestamp, and therefore the RSA enVision device I'm relaying to does not recognize the log as being
> from a Cisco ASA.
>
>
> Is there a way to update the log parser in syslog-ng to resolve this issue?
>
>
>
> syslog-ng.conf (parts)
>
>
> @version: 3.0
>
> options {
>     time_sleep(30);
>     time_reap(30);
>     mark_freq(30);
>     dns_cache(yes);
>     use_fqdn(no);
>     keep_hostname(yes);
>     chain_hostnames(no);
>     use_dns(no);
>     dns_cache_size(250000);
>     dns_cache_expire(300);
>     dns_cache_expire_failed(300);
>     stats_freq(3600);
>     log_msg_size(10000);
> };
>
>
> source s_extranet {
>     udp(ip("172.16.32.172") port(514));
> };
>
> log {
>     source(s_extranet);
>     destination(d_syslog_udp);
> };
>
> destination d_syslog_udp {
>     syslog("172.16.32.225" transport("udp") port(514));
> };
>
>
>   
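The two tcpdump captures above show the same ASA event in its native form (BSD-style header with a year, then the %ASA mnemonic) and in the RFC 5424 form the syslog() destination emits. The following is an added example, not code from the thread, from syslog-ng or from Cisco: it parses both forms, renders the native form back from either (the same job the tcp() template in the reply does inside syslog-ng), and checks that the severity digit in the %ASA mnemonic agrees with the severity encoded in PRI. The sample lines are taken from the captures above; the third line, with a deliberately mismatched PRI, is constructed for the check.

```python
"""Cisco ASA syslog: parse native and RFC 5424 forms, render native back.
Added example for this thread; not syslog-ng or Cisco code."""
import re
from datetime import datetime

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Native ASA line: <PRI>Mon DD YYYY HH:MM:SS: %ASA-<sev>-<id>: text
ASA_NATIVE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<year>\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}): (?P<msgid>%ASA-(?P<sev>\d)-\d{6}): (?P<msg>.*)$"
)

# RFC 5424 as relayed: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$"
)

# Sample lines: the first two are from the tcpdump captures in the report,
# the third is constructed with a PRI whose severity (6) does not match the
# mnemonic's severity digit (5).
RAW = ("<165>Jul 01 2010 00:32:59: %ASA-5-111001: "
       "Begin configuration: 172.16.16.154 writing to memory")
RELAYED = ("<165>1 2010-07-01T00:33:50-04:00 172.16.32.157 %ASA-5-111001 - - - "
           "Begin configuration: 172.16.16.154 writing to memory")
MISMATCH = ("<166>Jul 01 2010 00:40:00: %ASA-5-111001: "
            "Begin configuration: 172.16.16.154 writing to memory")


def parse(line):
    """Return a normalised dict from either format, or None if neither matches."""
    m = ASA_NATIVE.match(line)
    if m:
        pri = int(m["pri"])
        return {
            "pri": pri, "facility": pri >> 3, "severity": pri & 7,
            "timestamp": f"{m['mon']} {m['day']} {m['year']} {m['time']}",
            "host": None,  # the native ASA line carries no hostname field
            "asa_id": m["msgid"], "asa_severity": int(m["sev"]),
            "msg": m["msg"], "format": "asa-native",
        }
    m = RFC5424.match(line)
    if m:
        pri = int(m["pri"])
        # syslog-ng parsed "%ASA-5-111001" as the program name, so the colon
        # that followed it in the original is no longer in the message text.
        asa = re.match(r"%ASA-(\d)-\d{6}$", m["app"])
        ts = datetime.fromisoformat(m["ts"])  # handles the -04:00 offset
        return {
            "pri": pri, "facility": pri >> 3, "severity": pri & 7,
            "timestamp": f"{MONTHS[ts.month - 1]} {ts.day:02d} {ts.year} "
                         f"{ts.strftime('%H:%M:%S')}",
            "host": m["host"],
            "asa_id": m["app"] if asa else None,
            "asa_severity": int(asa.group(1)) if asa else None,
            "msg": m["msg"], "format": "rfc5424",
        }
    return None


def render_native(fields):
    """Rebuild the ASA-native line, the form the enVision side expects."""
    return f"<{fields['pri']}>{fields['timestamp']}: {fields['asa_id']}: {fields['msg']}"


def severity_consistent(fields):
    """True when the %ASA-<sev>- digit agrees with the PRI severity bits."""
    return fields["asa_severity"] is not None and fields["asa_severity"] == fields["severity"]


if __name__ == "__main__":
    for line in (RAW, RELAYED, MISMATCH):
        f = parse(line)
        print(f["format"], severity_consistent(f), render_native(f))
```

render_native(parse(RAW)) reproduces the captured native line byte for byte, and the relayed RFC 5424 line renders back to the same shape with its own timestamp, which is what a consumer keyed on "timestamp: %ASA-x-nnnnnn:" needs. The severity check is worth keeping in any relay path: a PRI that disagrees with the mnemonic usually means a sender or an intermediate hop rewrote the header.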