[syslog-ng] syslog-ng is not reading level/facility properly
Matthew Hall
mhall at mhcomputing.net
Thu Sep 9 00:16:46 CEST 2010
A second possibility on top of the items Jerry pointed out such as
possibly using wrong facilities on the sources, etc.
I see you have set the no_parse flag on your syslog socket.
This instructs Syslog that your messages are non-standard or should be
handled in a raw fashion. This causes Syslog to be incapable of
determining facility, severity, hostname, and tag information. Since it
appears nginx is sending properly made messages this is likely not what
you want.
In order to confirm, you should take a tcpdump with -s 0 to capture
entire frames, and load this in Wireshark or tshark with the -V option to
look at the payload of the Syslog packets and compare it against what's
written in these RFCs and documents:
http://www.ietf.org/rfc/rfc3164.txt
http://www.ietf.org/rfc/rfc5424.txt
http://www.monitorware.com/common/en/articles/syslog-described.php
http://www.networksorcery.com/enp/protocol/syslog.htm
There are many more. You need to be sure you are handling the things you
are receiving appropriately for the format which is being sent to you.
If you have some messages which should be parsed and some which should
not, these should be sent to separate ports so you can have the right
flags set on each port.
HTH,
Matthew.
On Wed, Sep 08, 2010 at 06:03:33PM -0400, Jerry Bell wrote:
> On 9/8/2010 5:31 PM, Charlie Reddington wrote:
> > # External Syslog
> > source s_external {
> > udp(ip("0.0.0.0") port(514) flags(no_parse));
> > };
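The following is an added illustration, not code from this thread or from syslog-ng itself, of what the parsing step that no_parse switches off actually does to a UDP syslog payload: it decodes the RFC 3164 <PRI> prefix into facility and severity (PRI = facility * 8 + severity), then splits the HEADER into timestamp, hostname and tag. Run with no_parse=True it instead keeps the whole datagram as the message and falls back to user.notice, which is assumed here to be the collector's default when nothing is parsed. The nginx and sshd sample lines are constructed, and the hostname web01 and address 192.0.2.10 are placeholders.

```python
import re

# Facility and severity keywords in RFC 3164 numeric order.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "cron2",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI> must be the very first bytes of the datagram: one to three digits, 0..191.
PRI_RE = re.compile(r"^<(\d{1,3})>")

# RFC 3164 HEADER (TIMESTAMP SP HOSTNAME SP) followed by MSG (TAG[PID]: CONTENT).
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# Constructed sample payloads as a collector would see them on UDP/514.
SAMPLE_NGINX = ('<190>Sep  8 17:31:07 web01 nginx: 192.0.2.10 - - '
                '[08/Sep/2010:17:31:07 -0400] "GET / HTTP/1.1" 200 612')
SAMPLE_SSHD = '<38>Sep  8 17:31:09 web01 sshd[1234]: Accepted publickey for ops from 192.0.2.10'


def decode_pri(pri: int):
    """Split a PRI value into (facility, severity) names: PRI = facility*8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_syslog(payload: str, no_parse: bool = False) -> dict:
    """Parse one UDP syslog payload the way a collector does.

    no_parse=True mimics the no_parse flag: nothing is interpreted, the whole
    payload becomes the message, and facility/severity fall back to the
    assumed defaults user/notice.
    """
    if no_parse:
        return {"facility": "user", "severity": "notice", "hostname": None,
                "tag": None, "pid": None, "message": payload, "header_parsed": False}

    m = PRI_RE.match(payload)
    if m is None:
        # No <PRI> at all: RFC 3164 says treat it as <13> (user.notice) and keep the line as MSG.
        facility, severity, rest = "user", "notice", payload
    else:
        facility, severity = decode_pri(int(m.group(1)))
        rest = payload[m.end():]

    h = HEADER_RE.match(rest)
    if h is None:
        # PRI decoded but the HEADER is not RFC 3164 shaped: keep the remainder as the message.
        return {"facility": facility, "severity": severity, "hostname": None,
                "tag": None, "pid": None, "message": rest, "header_parsed": False}

    return {"facility": facility, "severity": severity, "hostname": h.group("host"),
            "tag": h.group("tag"), "pid": h.group("pid"), "message": h.group("msg"),
            "header_parsed": True}


if __name__ == "__main__":
    for line in (SAMPLE_NGINX, SAMPLE_SSHD):
        print("parsed:  ", parse_syslog(line))
        print("no_parse:", parse_syslog(line, no_parse=True))
```

With parsing on, the nginx line comes out as local7.info from host web01 with tag nginx, which is what a facility/level filter can match on; with no_parse every line is user.notice and the tag, hostname and PRI text simply become part of the message body, so any filter on facility or level sees the same value for every packet.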