[syslog-ng] 3.0.5 & Cisco TCP problems

Patrick H. syslogng at feystorm.net
Fri Mar 26 03:39:21 CET 2010


Can the Cisco use UDP? If so syslog-ng might consider each packet to be 
a complete message (since it's connectionless) and flush it out. Try 
turning the keep-alive off as well. If the Cisco is trying to close the 
connection after each message, that could also force it to flush.
Just guesses at this point though.

Sent: Thursday, March 25, 2010 8:31:54 PM
From: d lists <dlists95 at gmail.com>
To: Syslog-ng users' and developers' mailing list 
<syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] 3.0.5 & Cisco TCP problems
> On Thu, Mar 25, 2010 at 6:59 PM, Patrick H. <syslogng at feystorm.net> wrote:
>   
>> Try adding the 'no-parse' flag to the source. Syslog-ng tries to parse out
>> the headers of the message (like date/time, host, facility, etc), and if it
>> can't figure out the format of the headers, it drops the message. The
>> no-parse causes the entire message (headers and all if they exist) to get
>> shoved into the message contents, and it generates new default headers.
>>
>> So
>> source t_net { tcp(ip(X.X.X.5) port(2002) keep-alive(yes) ); };
>> will become
>> source t_net { tcp(ip(X.X.X.5) port(2002) keep-alive(yes)
>> flags('no-parse')); };
>>     
>
> Tried that, no change.  I've discovered what I think the problem is
> though:  The Cisco isn't including a LF at the end of each syslog
> message.  If I force the router to send enough messages, a buffer must
> fill up & I get all the messages at once in a very unreadable format:
>
> Mar 25 20:28:20 10.240.0.254 <189>461: *Mar 26 02:45:22.244:
> %SYS-5-CONFIG_I: Configured from console by console<190>462: *Mar 26
> 02:45:28.244: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.240.0.5
> port 2002 started - reconnection<189>463: *Mar 26 02:45:35.336:
> %SYS-5-CONFIG_I: Configured from console by console<189>464: *Mar 26
> 02:45:35.352: %SYS-5-CONFIG_I: Configured from console by
> console<189>465: *Mar 26 02:45:35.372: %SYS-5-CONFIG_I: Configured
> from console by console<189>...(repeat another 50 times at least)
>
> I found a thread for another piece of syslog software that encountered
> the same issue:
>
> http://www.gossamer-threads.com/lists/rsyslog/users/1204
>
> I take it from the lack of people noticing this that there aren't too
> many people using TCP to gather syslog from Cisco routers.  If anyone
> has some suggestions on possible solutions (outside of opening a TAC
> case with Cisco - which I plan on doing), I am all ears.
>
> Thanks for the quick response!  Time to read some more documentation.
>
>   
>> If the message does actually have headers, just syslog-ng can't understand
>> them, you can use rewrite rules and 'set' statements to parse out the
>> headers and set them manually.
>>
>>
>> Sent: Thursday, March 25, 2010 5:31:15 PM
>> From: d lists <dlists95 at gmail.com>
>> To: syslog-ng at lists.balabit.hu
>> Subject: [syslog-ng] 3.0.5 & Cisco TCP problems
>>
>> Hello,
>>
>> After spending the afternoon trying to get this working, I've decided
>> to reach out for some help (tried google - no luck!).
>>
>>     
> <snip>
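The concatenated buffer quoted above is what arrives when the router sends no LF. As an added example (not from this thread, and not syslog-ng code), here is a small Python re-framer that splits such a TCP stream on each Cisco `<PRI>seq: ` header instead of on a line terminator, and holds back the trailing fragment until the next header proves it complete. The sample chunk is constructed from the quoted dump; the function and class names are my own.

```python
import re

# Constructed sample modelled on the buffer dump quoted in the thread: three
# Cisco IOS messages that arrived over TCP with no LF between them.
SAMPLE_CHUNK = (
    "<189>461: *Mar 26 02:45:22.244: %SYS-5-CONFIG_I: Configured from console by console"
    "<190>462: *Mar 26 02:45:28.244: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host "
    "10.240.0.5 port 2002 started - reconnection"
    "<189>463: *Mar 26 02:45:35.336: %SYS-5-CONFIG_I: Configured from console by console"
)

# A boundary is a syslog <PRI> (0..191) immediately followed by the IOS sequence
# number and ': ', e.g. '<189>461: '.  Requiring the sequence number avoids
# splitting on a '<189>'-looking string that merely appears inside a message body.
BOUNDARY = re.compile(r"(?=<(?:1[0-8][0-9]|19[01]|[1-9]?[0-9])>\d+: )")


def split_cisco_stream(chunk):
    """Split a buffer of LF-less Cisco messages into one string per message."""
    return [part for part in BOUNDARY.split(chunk) if part]


def parse_pri(msg):
    """Return (facility, severity) from the leading <PRI>, or None if malformed."""
    m = re.match(r"<(\d{1,3})>", msg)
    if m is None or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


class Reframer:
    """Stateful reader for a TCP stream without terminators.  With no LF, a
    message is only known to be complete when the next '<PRI>seq: ' header
    arrives, so the trailing fragment is held back until a later feed()."""

    def __init__(self):
        self.buf = ""

    def feed(self, data):
        """Append data and return every message proven complete by a following header."""
        self.buf += data
        parts = split_cisco_stream(self.buf)
        if not parts:
            return []
        self.buf = parts[-1]      # keep the possibly unfinished tail
        return parts[:-1]
```

A lone final message stays buffered until the device sends another one; that latency is inherent to the missing terminator, not to the splitter.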