[syslog-ng] Flag "no-multiline" not working on Syslog-ng

Alan Sam samsiu.a at gmail.com
Mon May 18 21:26:19 CEST 2015 

Hello Community,

Thank you all for your help regarding this issue reported.

We finally concluded that Cisco devide is sending the log in two different
lines.

Now we have a new situation regarding the syslog-ng configuration file:

- A patch had to be created in order to concat the log.

- The logs that arrive to the server with syslog-ng come like this:
Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS:
Invalid MPLS label (1)
Mar 13 10:33:14 PE06PVAL01 1182435:          received in update for prefix
XXX:XXX:XX.X.XXX.0/24 from A.B.C.D
- The patch concats the log and generates a new line that is inserted into
the same cisco log file:
Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS:
Invalid MPLS label (1) received in update for prefix XXX:XXX:XX.X.XXX.0/24
from A.B.C.D

- This new line that has the whole log line is sent to another server (let
us call it Server X) with a syslog-ng tool running

- On server X, i get these two log lines:
Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS:
Invalid MPLS label (1)
Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS:
Invalid MPLS label (1) received in update for prefix XXX:XXX:XX.X.XXX.0/24
from A.B.C.D

The question is:
Is there a way to configure the syslog-ng in Server X so that:
- Discards the log line that contains "BGP-3-INVALID_MPLS: Invalid MPLS
label (1)"
- Accepts the log line that contains "BGP-3-INVALID_MPLS: Invalid MPLS
label (1) received in update for prefix"
- Accepts all other logs

The syslog-ng configuration file on Server X is the following:

> cat /etc/syslog-ng.conf
#@version: 3.0
# syslog-ng configuration file for the server.
#
# See syslog-ng(8) and syslog-ng.conf(8) for more information.
#

options { flush_lines (0);
          time_reopen (10);
          log_fifo_size (10000);
          long_hostnames (off);
          use_dns (yes);
          create_dirs (yes);
          keep_hostname (yes);
        };

# Client Source
source s_local { internal(); };
source s_syslog_udp { udp(port(514)); };

# Server Source
source s_juniper_tcp { tcp(port(1001) keep-alive(yes)); };
source s_cisco_tcp { tcp(port(1002) keep-alive(yes)); };

# Client Destination
destination d_local { file("/var/adm/syslog/syslog-ng.log"); };
destination d_juniper_tcp { file("/var/adm/syslog/juniper.log"); };
destination d_cisco_tcp { file("/var/adm/syslog/cisco.log"); };

# Server Destination
destination d_syslog { file("/var/adm/syslog/syslog.log"); };
destination d_mail { file("/var/adm/syslog/mail.log"); };

# Server Filter
filter f_mail   { facility(mail) and level(debug .. emerg); };
filter f_syslog   { level(info .. emerg) and not facility(mail) and not
program(syslog-ng); };
filter f_syslog-ng   { program(syslog-ng); };


# Client Log
log { source(s_local); destination(d_local); destination(d_syslog); };
log { source(s_syslog_udp); destination(d_syslog); };

# Server Log
log { source(s_local); filter(f_syslog-ng); destination(d_syslog); };
log { source(s_local); filter(f_mail); destination(d_mail); };
log { source(s_local); filter(f_syslog); destination(d_syslog); };
log { source(s_juniper_tcp); destination(d_juniper_tcp); };
log { source(s_cisco_tcp); destination(d_cisco_tcp); };


Thank you so much for your help.

Best regards,
Alan

On Fri, May 8, 2015 at 5:37 AM, PÁSZTOR György <
pasztor at linux.gyakg.u-szeged.hu> wrote:

> Hi,
>
> "Sandor Geller" <sandor.geller at ericsson.com> írta 2015-05-08 09:32-kor:
> > Wow, it was really 'low resolution'. Zooming in showed that there isn't
> > any kind of UDP packet fragmentation happening (not surprising, the
>
> That's what, why I asked a pcap file.
> It would required smaller attached file, and would gave us more info.
> I found a new theory, based on: 1 pic ~= 1 Mword
> 1 pcap ~= 1000 pic!
>
> > kernel would reassembele fragments transparently to syslog-ng) but the
> > sender device actually splits the logs into multiple packets so
> > syslog-ng does exactly what it should do. Yet another broken syslog
> > implementation on Cisco's side :(
>
> As basically all of their syslog implementation.
>
> > I'm not aware of how such logs could get concatenated without writing an
> > app which postprocesses the logs.
>
> That's another thing, I asked a pcap file. I gave up.
> Maybe there is a chance to do that with some patterndb magic, where we can
> "process" and "correlate", etc.
>
> Kind regards,
> Gyu
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20150518/9f2042dc/attachment.htm

More information about the syslog-ng mailing list