[syslog-ng] syslog-ng is not reading level/facility properly

Matthew Hall mhall at mhcomputing.net
Thu Sep 9 00:16:46 CEST 2010


A second possibility, on top of the items Jerry pointed out (such as 
possibly using wrong facilities on the sources, etc.):

I see you have set the no_parse flag on your syslog socket.

This instructs Syslog that your messages are non-standard or should be 
handled in a raw fashion. This causes Syslog to be incapable of 
determining facility, severity, hostname, and tag information. Since it 
appears nginx is sending properly made messages, this is likely not what 
you want.

In order to confirm, you should take a tcpdump with -s 0 to capture 
entire frames, and load this in Wireshark or tshark with the -V option to 
look at the payload of the Syslog packets and compare it against what's 
written in these RFCs and documents:

http://www.ietf.org/rfc/rfc3164.txt
http://www.ietf.org/rfc/rfc5424.txt
http://www.monitorware.com/common/en/articles/syslog-described.php
http://www.networksorcery.com/enp/protocol/syslog.htm

There are many more. You need to be sure you are handling the things you 
are receiving appropriately for the format which is being sent to you.

If you have some messages which should be parsed and some which should 
not, these should be sent to separate ports so you can have the right 
flags set on each port.

HTH,
Matthew.

On Wed, Sep 08, 2010 at 06:03:33PM -0400, Jerry Bell wrote:
> On 9/8/2010 5:31 PM, Charlie Reddington wrote:
> > # External Syslog
> > source s_external {
> > 	udp(ip("0.0.0.0") port(514) flags(no_parse));
> > };
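For the tcpdump/tshark comparison Matthew suggests, here is an added example (not from the thread or from syslog-ng itself): a small Python decoder for the RFC 3164 header that splits PRI into facility and severity and flags datagrams that carry no valid header, which is the case flags(no_parse) exists for. The nginx sample line and the raw line are constructed.

```python
import re
from dataclasses import dataclass

# RFC 3164 section 4.1.1: PRI = facility * 8 + severity, facilities 0-23, severities 0-7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 section 4.1: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG (day may be space-padded).
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_.-]+)(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<msg>.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    hostname: str
    tag: str
    msg: str
    parsed: bool  # False when the datagram had no valid RFC 3164 header


def decode_pri(pri: int) -> tuple:
    """Split a PRI value into (facility, severity)."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, pri % 8


def parse_rfc3164(datagram: bytes) -> SyslogMessage:
    """Decode one UDP syslog payload; a header-less payload is reported as unparsed."""
    text = datagram.decode("ascii", errors="replace")
    m = HEADER_RE.match(text)
    if m is None:
        # No usable header: what flags(no_parse) is for. RFC 3164 section 4.3.3
        # says such a message defaults to PRI 13, i.e. user.notice, with the
        # whole payload treated as MSG and no hostname or tag recovered.
        return SyslogMessage(1, 5, "", "", text, parsed=False)
    facility, severity = decode_pri(int(m.group("pri")))
    return SyslogMessage(facility, severity, m.group("host"), m.group("tag"),
                         m.group("msg"), parsed=True)


def describe(msg: SyslogMessage) -> str:
    """Human-readable facility.severity label, e.g. 'local7.info'."""
    return f"{FACILITIES[msg.facility]}.{SEVERITIES[msg.severity]}"


if __name__ == "__main__":
    # Constructed samples: a well-formed nginx line and a header-less raw line.
    for raw in (b'<190>Sep  8 17:31:00 web1 nginx: 10.0.0.5 - - "GET / HTTP/1.1" 200',
                b"just a raw line with no syslog header"):
        parsed = parse_rfc3164(raw)
        print(parsed.parsed, describe(parsed), parsed.hostname, parsed.tag)
```

If every datagram from nginx prints True here, the payload is standard and the no_parse flag is what is discarding the facility and severity.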

