[syslog-ng] Cisco ASA logging to syslog-ng and a weird extra-characters in new-lines

Finnur Orn Gudmundsson finnzi at finnzi.com
Fri Aug 16 18:02:09 CEST 2013 

On Fri, 16 Aug 2013 15:43:45 +0000 (GMT), "Finnur Orn Gudmundsson" <finnzi at finnzi.com> wrote:

> Hi all,
> 
> I have a syslog-ng server:
> rpm -qi syslog-ng
> Name        : syslog-ng                    Relocations: (not relocatable)
> Version     : 3.2.5                             Vendor: Fedora Project
> Release     : 3.el6                         Build Date: Sun 15 Jan 2012 07:49:04 PM GMT
> Install Date: Wed 06 Mar 2013 03:56:17 PM GMT      Build Host: x86-14.phx2.fedoraproject.org
> Group       : System Environment/Daemons    Source RPM: syslog-ng-3.2.5-3.el6.src.rpm
> Size        : 1594638                          License: GPLv2+
> Signature   : RSA/8, Sun 15 Jan 2012 08:55:15 PM GMT, Key ID 3b49df2a0608b895
> 
> The syslog-ng package installed is built and distributed by Fedora EPEL but I was hoping I could post here.
> 
> I replaced a old syslog-ng 2.x server to this one and almost everything works as expected (there is always this one thing that does not work after a migration:).
> 
> There is a Cisco ASA box logging to this server.
> 
> For some records I get this extra space in a new-line like this:
> Aug 16 15:35:56 10.X.X.X %ASA-6-302021: Teardown ICMP connection for faddr 10.X.X.X/9483 gaddr 10.X.X.X/0 laddr 10.X.X.X/0
> Aug 16 15:35:56 10.X.X.X %ASA-5-304001: 10.X.X.X Accessed URL 46.X.X.X:/
> <
> Aug 16 15:35:56 10.X.X.X %ASA-5-304001: 10.X.X.X Accessed URL 92.X.X.X:http://sphotos-g.ak.fbcdn.net/hphotos-X/XxX/11X_221X18801_1X554_n.jpg
> Aug 16 15:35:56 10.X.X.X %ASA-6-305011: Built dynamic TCP translation from inside:10.X.X.X/38697 to outside:194.X.X.X/38697
> 
> (the < char is in a new-line)
> 
> And another one:
> 
> Aug 16 15:35:56 10.Z.Z.Z %ASA-6-302013: Built outbound TCP connection 1809896329 for outside:54.Z.Z.Z/80 (54.Z.Z.Z/80) to inside:10.Z.Z.Z/38684 (194.Z.Z.Z/38684)
> Aug 16 15:35:56 10.Z.Z.Z %ASA-5-304001: 10.Z.Z.Z Accessed URL 10.Z.Z.Z:/
> 1
> Aug 16 15:35:56 10.Z.Z.Z %ASA-6-302014: Teardown TCP connection 1809896328 for dmz-lb-int:10.Z.Z.Z/58759 to inside:10.Z.Z.Z/80 duration 0:00:00 bytes 162 TCP FINs
> 
> 
> (the single 1 char is in a new-line).
> 
> Does someone know if this is a known bug ? I am aware that I am running a somewhat old version.
> 
> Bgrds,
> Finnzi
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq

Hi all,

I think I found the fix.

Shortly after I posted this a college noticed that on the old server where this did not happen this character was always after a tab.

The option flags(no-multi-line) in the destination line fixed this.

All hail king Google !

Bgrds,
Finnzi

More information about the syslog-ng mailing list