[syslog-ng] 3.0.5 & Cisco TCP problems

Patrick H. syslogng at feystorm.net
Fri Mar 26 01:59:28 CET 2010


Try adding the 'no-parse' flag to the source. Syslog-ng tries to parse 
out the headers of the message (like date/time, host, facility, etc), 
and if it can't figure out the format of the headers, it drops the 
message. The no-parse causes the entire message (headers and all if they 
exist) to get shoved into the message contents, and it generates new 
default headers.

So
source t_net { tcp(ip(X.X.X.5) port(2002) keep-alive(yes) ); };
will become
source t_net { tcp(ip(X.X.X.5) port(2002) keep-alive(yes) 
flags('no-parse')); };

If the message does actually have headers, just syslog-ng can't 
understand them, you can use rewrite rules and 'set' statements to parse 
out the headers and set them manually.


Sent: Thursday, March 25, 2010 5:31:15 PM
From: d lists <dlists95 at gmail.com>
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] 3.0.5 & Cisco TCP problems
> Hello,
>
> After spending the afternoon trying to get this working, I've decided
> to reach out for some help (tried google - no luck!).
>
> I have what I believe is a very simple syslog-ng configuration where I
> am trying to capture syslog events from Cisco routers via TCP.  I
> first tested via UDP, and all works good.  The router establishes a
> TCP connection with my syslog-ng (viewable via netstat -nap, and in
> the /var/log/messages):
>
> Mar 25 17:07:53 logger syslog-ng[8943]: Syslog connection accepted;
> fd='11', client='AF_INET(X.X.X.254:56868)',
> local='AF_INET(X.X.X.5:2002)'
>
> On the router I do a "config term" & "exit" to generate a log.
> tcpdump on the syslog-ng machine shows traffic as expected:
>
> 17:18:44.891080 IP X.X.X.254.61241 > 10.240.0.5.2002: .
> 3679441367:3679441450(83) ack 1811354960 win 4128
> 17:18:44.891134 IP X.X.X.5.2002> 10.240.0.254.61241: . ack 83 win 5840
>
> And a strace:
>
> poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3,
> events=POLLIN}, {fd=8, events=POLLIN}], 4, 456650) = 1 ([{fd=8,
> revents=POLLIN}])
> gettimeofday({1269559238, 85688}, NULL) = 0
> read(8, "<189>145: *Mar 25 23:41:37.033: "..., 7739) = 83
> read(8, 0x9f94618, 7656)                = -1 EAGAIN (Resource
> temporarily unavailable)
> gettimeofday({1269559238, 86032}, NULL) = 0
> poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3,
> events=POLLIN}, {fd=8, events=POLLIN}], 4, 449113
>
> But nothing ever shows up in the log files!  Here's my syslog-ng.conf.
>  Any pointers or ideas?
>
> @version: 3.0
> options {
> use_dns(no);
> };
> source t_net { tcp(ip(X.X.X.5) port(2002) keep-alive(yes) ); };
> source s_local { internal(); unix-stream("/dev/log");
> file("/proc/kmsg" program_override("kernel: ")); };
> destination d_messages { file("/var/log/messages"); };
> destination d_cisco { file("/var/log/cisco.log"); };
> log { source(t_net); destination(d_messages); };
> log { source(s_local); destination(d_messages); };
>
> And for what it is worth the relevant lines from my test cisco:
>
> logging host X.X.X.5 transport tcp port 2002
>
> And syslog-ng version:
>
> syslog-ng 3.0.5
> Installer-Version: 3.0.5
> Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.0#master#f2fd7457627a88eb9602a73a5c16cd8b2434b667
> Compile-Date: Dec  7 2009 14:52:42
> Enable-Threads: on
> Enable-Debug: off
> Enable-GProf: off
> Enable-Memtrace: off
> Enable-Sun-STREAMS: off
> Enable-Sun-Door: off
> Enable-IPv6: on
> Enable-Spoof-Source: on
> Enable-TCP-Wrapper: off
> Enable-SSL: on
> Enable-SQL: on
> Enable-Linux-Caps: on
> Enable-Pcre: off
>
> Thanks in advance!
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
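The no-parse plus rewrite approach from the reply above, worked through as a runnable Python model. This is an added example, not code from the thread or from syslog-ng itself: it emulates what the default header parser accepts, what a no-parse source hands on (raw payload in MESSAGE, HOST taken from the peer address) and what a rewrite/set step would then extract from a Cisco IOS header. The IOS header layout (sequence number, '*' or '.' clock flag, timestamp, optional timezone) is my assumption based on the fragment visible in the strace read(); the message body and the RFC 3164 line are constructed samples.

```python
import re

# Constructed sample lines. The Cisco one follows the fragment visible in the
# strace read() in the thread ("<189>145: *Mar 25 23:41:37.033: ..."); the body
# after the timestamp is made up here. The second is a plain RFC 3164 line.
CISCO_LINE = "<189>145: *Mar 25 23:41:37.033: %SYS-5-CONFIG_I: Configured from console by vty0"
RFC3164_LINE = "<34>Mar 25 17:07:53 logger sshd[8943]: Accepted publickey for alice"

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# RFC 3164 header as the default parser expects it: "Mmm dd hh:mm:ss HOST "
RFC3164_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$", re.S)
# Assumed Cisco IOS header: optional "seq: ", optional '*' or '.' clock flag,
# timestamp with optional milliseconds and timezone, ": ", then the %FAC-SEV-MNEMONIC body.
CISCO_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?(?P<flag>[*.])?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d{3})?)"
    r"(?: (?P<tz>[A-Z]{3,4}))?: (?P<msg>.*)$", re.S)


def split_pri(line):
    """Return (facility_name, severity_name, rest) or None if there is no valid <PRI>."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], m.group(2)


def parse_rfc3164(line):
    """What the default parser does: succeed only on a BSD-style header."""
    p = split_pri(line)
    if p is None:
        return None
    facility, severity, rest = p
    m = RFC3164_RE.match(rest)
    if not m:
        return None
    return {"facility": facility, "severity": severity, "host": m.group("host"),
            "timestamp": m.group("ts"), "message": m.group("msg")}


def parse_cisco_ios(line):
    """Manual equivalent of rewrite/set rules for the assumed IOS header layout."""
    p = split_pri(line)
    if p is None:
        return None
    facility, severity, rest = p
    m = CISCO_RE.match(rest)
    if not m:
        return None
    return {"facility": facility, "severity": severity,
            "seq": int(m.group("seq")) if m.group("seq") else None,
            # IOS prefixes '*' when its clock is not authoritative and '.' when
            # NTP sync has been lost, so such timestamps should not be trusted.
            "clock_authoritative": m.group("flag") is None,
            "timestamp": m.group("ts"), "tz": m.group("tz"), "message": m.group("msg")}


def ingest(line, peer_addr, no_parse):
    """Emulate what reaches the destination.

    Without no-parse only lines whose header the default parser understands
    survive; anything else is dropped (returns None). With no-parse the raw
    payload lands in MESSAGE, HOST comes from the peer address, and the
    rewrite step fills in whatever the Cisco header yields.
    """
    if not no_parse:
        std = parse_rfc3164(line)
        if std is None:
            return None  # header not understood: the message is dropped
        return {"HOST": std["host"], "MESSAGE": std["message"], "parsed_as": "rfc3164"}
    record = {"HOST": peer_addr, "MESSAGE": line, "parsed_as": "raw"}
    cisco = parse_cisco_ios(line)
    if cisco:
        record.update(MESSAGE=cisco["message"], parsed_as="cisco-ios",
                      SEQ=cisco["seq"], CLOCK_OK=cisco["clock_authoritative"])
    return record


if __name__ == "__main__":
    for sample in (RFC3164_LINE, CISCO_LINE):
        print(ingest(sample, "X.X.X.254", no_parse=False))
        print(ingest(sample, "X.X.X.254", no_parse=True))
```

Running the script shows the Cisco line coming back as None on the default path and as a populated record on the no-parse path, which is the behaviour the reply describes; the clock flag is worth keeping as a field, since a '*' on every router timestamp is a sign the device has no NTP source and its times cannot be correlated with the collector's.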