[syslog-ng] Cisco ASA logging to syslog-ng and a weird extra-characters in new-lines

Finnur Orn Gudmundsson finnzi at finnzi.com
Fri Aug 16 17:43:45 CEST 2013 

Hi all,

I have a syslog-ng server:
rpm -qi syslog-ng
Name        : syslog-ng                    Relocations: (not relocatable)
Version     : 3.2.5                             Vendor: Fedora Project
Release     : 3.el6                         Build Date: Sun 15 Jan 2012 07:49:04 PM GMT
Install Date: Wed 06 Mar 2013 03:56:17 PM GMT      Build Host: x86-14.phx2.fedoraproject.org
Group       : System Environment/Daemons    Source RPM: syslog-ng-3.2.5-3.el6.src.rpm
Size        : 1594638                          License: GPLv2+
Signature   : RSA/8, Sun 15 Jan 2012 08:55:15 PM GMT, Key ID 3b49df2a0608b895

The syslog-ng package installed is built and distributed by Fedora EPEL but I was hoping I could post here.

I replaced a old syslog-ng 2.x server to this one and almost everything works as expected (there is always this one thing that does not work after a migration:).

There is a Cisco ASA box logging to this server.

For some records I get this extra space in a new-line like this:
Aug 16 15:35:56 10.X.X.X %ASA-6-302021: Teardown ICMP connection for faddr 10.X.X.X/9483 gaddr 10.X.X.X/0 laddr 10.X.X.X/0
Aug 16 15:35:56 10.X.X.X %ASA-5-304001: 10.X.X.X Accessed URL 46.X.X.X:/
<
Aug 16 15:35:56 10.X.X.X %ASA-5-304001: 10.X.X.X Accessed URL 92.X.X.X:http://sphotos-g.ak.fbcdn.net/hphotos-X/XxX/11X_221X18801_1X554_n.jpg
Aug 16 15:35:56 10.X.X.X %ASA-6-305011: Built dynamic TCP translation from inside:10.X.X.X/38697 to outside:194.X.X.X/38697

(the < char is in a new-line)

And another one:

Aug 16 15:35:56 10.Z.Z.Z %ASA-6-302013: Built outbound TCP connection 1809896329 for outside:54.Z.Z.Z/80 (54.Z.Z.Z/80) to inside:10.Z.Z.Z/38684 (194.Z.Z.Z/38684)
Aug 16 15:35:56 10.Z.Z.Z %ASA-5-304001: 10.Z.Z.Z Accessed URL 10.Z.Z.Z:/
1
Aug 16 15:35:56 10.Z.Z.Z %ASA-6-302014: Teardown TCP connection 1809896328 for dmz-lb-int:10.Z.Z.Z/58759 to inside:10.Z.Z.Z/80 duration 0:00:00 bytes 162 TCP FINs


(the single 1 char is in a new-line).

Does someone know if this is a known bug ? I am aware that I am running a somewhat old version.

Bgrds,
Finnzi

More information about the syslog-ng mailing list