[syslog-ng] Syslog-ng configuration for network source (udp)

Gergely Nagy algernon at balabit.hu
Wed Sep 12 10:45:35 CEST 2012


Alex Clone <alexandros.clone at gmail.com> writes:

> ~# tcpdump -i eth0 udp 'port 514' -v
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 06:05:58.669992 IP (tos 0x0, ttl 254, id 20209, offset 0, flags [none], proto UDP (17), length 82)
>     172.29.1.6.syslog-ng > 172.30.6.70.syslog-ng: SYSLOG, length: 54
>     Facility local4 (20), Severity debug (7)
>     Msg: %ASA-7-609001: Built local-host WAN:172.30.254.4\0x0a
> 06:05:58.670134 IP (tos 0x0, ttl 254, id 52, offset 0, flags [none], proto UDP (17), length 85)
>     172.29.1.6.syslog-ng > 172.30.6.70.syslog-ng: SYSLOG, length: 57
>     Facility local4 (20), Severity debug (7)
>     Msg: %ASA-7-609001: Built local-host outside:172.26.10.4\0x0a
> ………..

These look like Cisco logs, which do not conform to the format syslog-ng
expects, and as such, they're not recognised and not processed either.

If you just want to store them as-is, I'd recommend using the
flags(no-parse) setting in the s_network source, like this:

 source s_network {
         tcp(flags(no-parse));
         udp(flags(no-parse));
 };

-- 
|8]
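As an added illustration (not part of Gergely's reply and not configuration shipped by the syslog-ng project), here is a complete syslog-ng configuration that applies the flags(no-parse) suggestion above and writes the raw Cisco lines to a file. Since nothing in the payload is parsed, the template takes the timestamp and sender address from syslog-ng's own metadata ($ISODATE, $SOURCEIP) rather than from the message, so every stored line still carries a usable time and origin. The version line, port numbers and the file path are assumptions for this example.

```conf
@version: 3.3

# Added example: accept the Cisco ASA lines as-is, without syslog parsing.
source s_network {
        tcp(port(514) flags(no-parse));
        udp(port(514) flags(no-parse));
};

# With no-parse, $MSG holds the complete received line (including any
# <PRI> prefix). $ISODATE and $SOURCEIP are filled in by syslog-ng itself
# from the receive time and the sender's address, not from the payload.
# The template ends with an explicit newline because a custom template
# replaces the default line terminator.
destination d_raw {
        # assumed path
        file("/var/log/network-raw.log"
             template("$ISODATE $SOURCEIP $MSG\n"));
};

log { source(s_network); destination(d_raw); };
```

With this in place, the two packets in the capture above would be stored as one line each, prefixed with the receive time and 172.29.1.6, and the "%ASA-7-609001: ..." text would follow untouched.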