[syslog-ng] Flag "no-multiline" not working on Syslog-ng

Alan Sam samsiu.a at gmail.com
Wed May 20 21:40:43 CEST 2015


Hello Gyu,


*What would you patch? Do you think that is necessary?*

The patch that has already been installed does the following:
- Look for the logs that contain the string "%BGP-3-INVALID_MPLS: Invalid
MPLS label (1)" in the cisco.log file. For example, this could be one
match: "Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13:
%BGP-3-INVALID_MPLS: Invalid MPLS label (1)"
- Look for the corresponding next line for the line found in the step
before. For example, this is the log line for the log mentioned before: "Mar
13 10:33:14 PE06PVAL01 1182435:          received in update for prefix
16629:1735:A.B.C.D/24 from X.X.X.X"
- Generate a new line and print it in the cisco.log file. For the example,
the new line would be: "Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13
10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1) received in update
for prefix 16629:1735:A.B.C.D/24 from X.X.X.X"
- The syslog-ng running on Server A will send the complete line to
another server (Server B) which is listening to all logs coming from Server A.

Yes, I do think it was necessary.


*How urgent is this log concatenation project for you?*
For the time being the patch is working well. However, I still need to
implement the filter in syslog-ng on Server B so that this line is
discarded: "Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13:
%BGP-3-INVALID_MPLS: Invalid MPLS label (1)"
And this line is accepted:
"Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS:
Invalid MPLS label (1) received in update for prefix 16629:1735:A.B.C.D/24
from X.X.X.X"

It is not urgent. However, if you could tell me how to configure the filter
in syslog-ng, I would greatly appreciate it.





*Some extra question: How extreme is the line breaking? Your log example
was the first I saw. (However, I have not configured BGP on Cisco yet; I
usually worked with RIP when we needed dynamic routing. I worked with
"internal" networks and did not work with border gateways.)*

I understand that the line breaking is NOT extreme. Besides, this problem
happens for only ONE log out of all the logs that arrive at the syslog-ng
server.





*So, in your example the one log was split into two lines. Is it
possible that it can be split into more lines?*

It could be split into more lines. Nonetheless, what I need is to
generate a single line, which I was already able to do by running the patch
we created.



Thank you so much for your help and attention.

Best regards,
Alan


On Tue, May 19, 2015 at 5:01 AM, PÁSZTOR György <
pasztor at linux.gyakg.u-szeged.hu> wrote:

> Hello Alan,
>
> "Alan Sam" <samsiu.a at gmail.com> wrote on 2015-05-18 16:26:
> > Now we have a new situation regarding the syslog-ng configuration file:
> >
> > - A patch had to be created in order to concat the log.
>
> What would you patch?
> Do you think that is necessary?
>
> As I already wrote: I think it can be solved with some smart patterndb
> rule.
> I already collected some types of Cisco logs, since I worked with many
> Cisco devices earlier, and I know they are not too strict in following any
> rule or RFC about logging.
> So, I think the ultimate weapon is patterndb, and as soon as I have
> free time, I will create a patterndb for Cisco devices.
>
> But I can not promise you a deadline.
>
> How urgent is this log concatenation project for you?
>
> Some extra question: How extreme is the line breaking? Your log example was
> the first I saw. (However, I have not configured BGP on Cisco yet; I usually
> worked with RIP when we needed dynamic routing. I worked with "internal"
> networks and did not work with border gateways.)
> So, in your example the one log was split into two lines.
> Is it possible that it can be split into more lines?
>
> Kind regards,
> Gyu
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>