[syslog-ng] syslog-ng 3.3.3 and multiple incarnations of the same parser

Michael Hocke michael.hocke at nyu.edu
Fri Dec 2 16:33:15 CET 2011


Hi guys,

I ran into another problem with 3.3.3. It seems that I can use a csv-parser only in one and only one log path. If I reuse it in multiple log paths, the columns of the csv parser are empty. I downgraded to 3.0.9 and that resolved my problem. Here is an example config:

--------< SNIP >----------
source s_remote { udp (); };

# Split ${HOST} on "-" into a site column and a device-name column
parser p_hostname_site {
  csv-parser (columns ("REMOTEHOST.SITE", "REMOTEHOST.NAME")
              delimiters ("-")
              template ("${HOST}"));
};

filter f_local0    { facility (local0); };
filter f_local1    { facility (local1); };

# ${NAME:-default} falls back to "other" / "none" when the column is empty
destination d_cacl      { file ("/usr/local/var/log/current/${REMOTEHOST.SITE:-other}/cisco-acl.${S_YEAR}${S_MONTH}${S_DAY}${S_HOUR}.log"
                          template ("$S_DATE ${REMOTEHOST.NAME:-none} $MSGHDR$MSG\n")); };
destination d_caps      { file ("/usr/local/var/log/current/${REMOTEHOST.SITE:-other}/cisco-aps.${S_YEAR}${S_MONTH}${S_DAY}${S_HOUR}.log"
                          template ("$S_DATE ${REMOTEHOST.NAME:-none} $MSGHDR$MSG\n")); };

# Both log paths reference the same parser
log { source (s_remote); filter (f_local0); parser (p_hostname_site); destination (d_cacl); };
log { source (s_remote); filter (f_local1); parser (p_hostname_site); destination (d_caps); };
--------< SNIP >----------

The incoming logs for local0 would look like this:

Dec  2 16:00:00 florence-VPN-FLORENCE %ASA-6-305011: Built dynamic TCP translation from inside-vlan765
Dec  2 16:00:00 florence-VPN-FLORENCE %ASA-6-302013: Built outbound TCP connection 100466601 for outside-vlan757

Under 3.3.3 it would produce the following logs:

/usr/local/var/log/current/other/cisco-acl.2011120216.log:
Dec  2 16:00:00 none %ASA-6-305011: Built dynamic TCP translation from inside-vlan765
Dec  2 16:00:00 none %ASA-6-302013: Built outbound TCP connection 100466601 for outside-vlan757

The same configuration with 3.0.9 produces the following:

/usr/local/var/log/current/florence/cisco-acl.2011120216.log:
Dec  2 16:00:00 VPN-FLORENCE %ASA-6-305011: Built dynamic TCP translation from inside-vlan765
Dec  2 16:00:00 VPN-FLORENCE %ASA-6-302013: Built outbound TCP connection 100466601 for outside-vlan757

If I remove the parser from one of the log paths, 3.3.3 would spit out the same output as 3.0.9, but of course the second log path would need its own parser to make it work.

I am unable to check syslog-ng 3.1 or 3.2.

- Michael
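Added example (not part of the message above and not syslog-ng code): a Python regression check that models what p_hostname_site should produce for d_cacl and flags messages that silently fell back to the other/ directory and the "none" host name. The split rule (last column keeps the remainder) is inferred from the 3.0.9 output in the post; the function names parse_host, render and misrouted are hypothetical.

```python
# Added example: regression check for the parser-reuse symptom described above.
DELIM = "-"                                    # delimiters ("-")
COLUMNS = ("REMOTEHOST.SITE", "REMOTEHOST.NAME")
DEFAULTS = {"REMOTEHOST.SITE": "other", "REMOTEHOST.NAME": "none"}  # ${X:-default}
BASE = "/usr/local/var/log/current"

def parse_host(host):
    """Model p_hostname_site. Assumption: the last column keeps the remainder,
    which is what the 3.0.9 output in the post shows (VPN-FLORENCE)."""
    parts = host.split(DELIM, len(COLUMNS) - 1)
    return {c: parts[i] if i < len(parts) else "" for i, c in enumerate(COLUMNS)}

def render(host, stamp, msg, hour_tag, columns=None):
    """Expand d_cacl's file name and template; empty columns use the fallbacks."""
    cols = parse_host(host) if columns is None else columns
    val = {c: cols.get(c) or DEFAULTS[c] for c in COLUMNS}
    path = f"{BASE}/{val['REMOTEHOST.SITE']}/cisco-acl.{hour_tag}.log"
    return path, f"{stamp} {val['REMOTEHOST.NAME']} {msg}"

def misrouted(incoming, written, hour_tag):
    """Pair each input with what the daemon wrote; return the mismatches."""
    findings = []
    for (stamp, host, msg), observed in zip(incoming, written):
        expected = render(host, stamp, msg, hour_tag)
        if observed != expected:
            findings.append({"host": host, "expected": expected, "observed": observed})
    return findings

# Constructed from the sample lines in the post.
HOUR = "2011120216"
INCOMING = [
    ("Dec  2 16:00:00", "florence-VPN-FLORENCE",
     "%ASA-6-305011: Built dynamic TCP translation from inside-vlan765"),
    ("Dec  2 16:00:00", "florence-VPN-FLORENCE",
     "%ASA-6-302013: Built outbound TCP connection 100466601 for outside-vlan757"),
]
OUT_3_0_9 = [(f"{BASE}/florence/cisco-acl.{HOUR}.log", f"{s} VPN-FLORENCE {m}")
             for s, _, m in INCOMING]
OUT_3_3_3 = [(f"{BASE}/other/cisco-acl.{HOUR}.log", f"{s} none {m}")
             for s, _, m in INCOMING]

if __name__ == "__main__":
    for name, out in (("3.0.9", OUT_3_0_9), ("3.3.3", OUT_3_3_3)):
        bad = misrouted(INCOMING, out, HOUR)
        print(f"{name}: {len(bad)} of {len(INCOMING)} messages misrouted")
        for f in bad:
            print("  wrote", f["observed"][0], "expected", f["expected"][0])
```

Feeding it the lines a test instance actually wrote, instead of the constructed OUT_* lists, turns it into a pre-upgrade check for firewall logs landing in the wrong per-site directory.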