[syslog-ng] 3.0.5 & Cisco TCP problems

Zoltán Pallagi pzolee at balabit.hu
Fri Mar 26 10:24:42 CET 2010


Hi,

d lists wrote:
> On Thu, Mar 25, 2010 at 6:59 PM, Patrick H. <syslogng at feystorm.net> wrote:
>   
>> Try adding the 'no-parse' flag to the source. Syslog-ng tries to parse out
>> the headers of the message (like date/time, host, facility, etc), and if it
>> can't figure out the format of the headers, it drops the message. The
>> no-parse causes the entire message (headers and all if they exist) to get
>> shoved into the message contents, and it generates new default headers.
>>
>> So
>> source t_net { tcp(ip(X.X.X.5) port(2002) keep-alive(yes) ); };
>> will become
>> source t_net { tcp(ip(X.X.X.5) port(2002) keep-alive(yes)
>> flags('no-parse')); };
>>     
>
> Tried that, no change.  I've discovered what I think the problem is
> though:  The cisco isn't including a LF at the end of each syslog
> message.  
Reducing the flush_timeout() may solve it (but it is just my idea).
> If I force the router to send enough messages, a buffer must
> fill up & I get all the messages at once in a very unreadable format:
>
> Mar 25 20:28:20 10.240.0.254 <189>461: *Mar 26 02:45:22.244:
> %SYS-5-CONFIG_I: Configured from console by console<190>462: *Mar 26
> 02:45:28.244: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.240.0.5
> port 2002 started - reconnection<189>463: *Mar 26 02:45:35.336:
> %SYS-5-CONFIG_I: Configured from console by console<189>464: *Mar 26
> 02:45:35.352: %SYS-5-CONFIG_I: Configured from console by
> console<189>465: *Mar 26 02:45:35.372: %SYS-5-CONFIG_I: Configured
> from console by console<189>...(repeat another 50 times at least)
>   

At the moment, this kind of CISCO log format is not supported by 
syslog-ng, because it's not syslog format (there is a sequence number 
instead of a date). However, we are planning to solve it soon (perhaps in 
v3.2).

Until then, I recommend that you turn off the 
sequence-number on the CISCO router. You can do it with the following 
command: "no service sequence-numbers" (to turn it on: "service 
sequence-numbers").


> I found a thread for another piece of syslog software that encountered
> the same issue:
>
> http://www.gossamer-threads.com/lists/rsyslog/users/1204
>
> I take it from the lack of people noticing this that there aren't too
> many people using TCP to gather syslog from Cisco routers.  If anyone
> has some suggestions on possible solutions (outside of opening a TAC
> case with cisco - which I plan on doing), I am all ears.
>
> Thanks for the quick response!  Time to read some more documentation.
>
>   
>> If the message does actually have headers, just syslog-ng can't understand
>> them, you can use rewrite rules and 'set' statements to parse out the
>> headers and set them manually.
>>
>>
>> Sent: Thursday, March 25, 2010 5:31:15 PM
>> From: d lists <dlists95 at gmail.com>
>> To: syslog-ng at lists.balabit.hu
>> Subject: [syslog-ng] 3.0.5 & Cisco TCP problems
>>
>> Hello,
>>
>> After spending the afternoon trying to get this working, I've decided
>> to reach out for some help (tried google - no luck!).
>>
>>     
> <snip>


-- 
pzolee
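Added example (not syslog-ng code and not from anyone in this thread): a small Python receiver-side routine showing why the LF-less Cisco stream quoted above can only be cut at the next `<PRI>` marker, so the last record is held back until more bytes or a flush timeout arrive, and how the sequence-numbered Cisco body differs from a plain syslog header. The names `SAMPLE_STREAM`, `frame_stream` and `parse_cisco` are my own; the sample bytes are constructed from the lines in the thread.

```python
import re

# Constructed sample: what the router sends over TCP with "service
# sequence-numbers" on and no LF between records (third record is cut short).
SAMPLE_STREAM = (
    b"<189>461: *Mar 26 02:45:22.244: %SYS-5-CONFIG_I: Configured from console by console"
    b"<190>462: *Mar 26 02:45:28.244: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host "
    b"10.240.0.5 port 2002 started - reconnection"
    b"<189>463: *Mar 26 02:45:35.336: %SYS-5-CONFIG_I: Configured from con"
)

# Only a leading '<PRI>' marks a record boundary here (a '<123>' inside the
# free text would be mistaken for one; that is the price of having no LF).
PRI_RE = re.compile(rb"<(\d{1,3})>")
# Cisco body: "<seq>: *<timestamp>: %FACILITY-SEVERITY-MNEMONIC: text"
BODY_RE = re.compile(
    r"^(?P<seq>\d+): \*?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?): "
    r"(?P<msgid>%[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)


def frame_stream(buf: bytes):
    """Return (complete records, unconsumed remainder).

    A record is only known to be complete once the next '<PRI>' shows up, so
    the final chunk stays in the buffer (until more data or a flush timeout).
    """
    starts = [m.start() for m in PRI_RE.finditer(buf)]
    if not starts:
        return [], buf
    records = [buf[a:b] for a, b in zip(starts, starts[1:])]
    return records, buf[starts[-1]:]


def parse_cisco(record: bytes):
    """Split one framed record into fields; None if it is not Cisco-shaped."""
    m = PRI_RE.match(record)
    if not m:
        return None
    pri = int(m.group(1))
    body = BODY_RE.match(record[m.end():].decode("ascii", "replace"))
    if not body:
        return None
    return {"facility": pri >> 3, "severity": pri & 7, "seq": int(body["seq"]),
            "timestamp": body["ts"], "msgid": body["msgid"], "text": body["text"]}


if __name__ == "__main__":
    done, rest = frame_stream(SAMPLE_STREAM)
    for rec in done:
        print(parse_cisco(rec))
    print("held back until next <PRI> or flush timeout:", rest)
```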
