[syslog-ng] Rsyslog relay or syslog-ng ?
Scot
scotrn at gmail.com
Tue Feb 6 11:59:18 UTC 2018
I replaced syslog-ng on the relay to work around this.
On Mon, Feb 5, 2018 at 7:20 PM, Jim Hendrick <james.r.hendrick at gmail.com> wrote:
> Hmmm - looks like (maybe) the message part is not being parsed correctly
> at the rsyslog server - the MSG part seems to have a syslog message header
> including a TIMESTAMP, the HOSTNAME of the originating server MD_FWPA01,
> followed by the rest of the MSG
>
> I may be missing something - and it might not be RFC 5424
> https://tools.ietf.org/html/rfc5424 compliant - but I think the rsyslogd
> is wrapping the whole thing in another header before it is being sent along.
>
> Jim
>
> On Mon, Feb 5, 2018 at 3:50 PM, Scot <scotrn at gmail.com> wrote:
>
>> The Msg: header seems to be formatted correctly. Relabeled some data.
>>
>> 15:44:07.886743 IP (tos 0x10, ttl 64, id 8925, offset 0, flags [none], proto UDP (17), length 513)
>> *RSYSLOG_RELAYIP*.58828 > *IDS_TARGETIP*.syslog: SYSLOG, length: 485
>> Facility local0 (16), Severity info (6)
>> Msg: 1 2018-02-05T15:44:07-05:00 MD_FWPA01 1,2018/02/05 - - - 15:44:07,007801000484,TRAFFIC,drop,1,2018/02/05 15:44:07,10.162.57.38,172.217.3.36,0.0.0.0,0.0.0.0,Default-Deny-Log,,,not-applicable,vsys1,SOUND-Trust,SOUND-Untrust,ae2.100,,SOUND-LogForwarder,2018/02/05 15:44:07,0,1,60886,443,0,0,0x4000,udp,deny,1396,1396,0,1,2018/02/05 15:44:07,0,any,0,95104452051,0x0,10.0.0.0-10.255.255.255,US,0,1,0,policy-deny,21,12,23,0,SOUND,MD_FWPA01,from-policy\0x0a
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
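As an added example (not code from this thread, from rsyslog or from syslog-ng), a small RFC 5424 header parser run over the Msg: line captured above, de-wrapped and shortened, and over a constructed double-wrapped variant of the kind Jim describes, so that each header field and any second header inside MSG becomes visible; the relay hostname rsyslog-relay and the wrapped copy are assumptions.

```python
import re

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
# SP STRUCTURED-DATA [SP MSG]. NILVALUE "-" stands in for an absent field.
_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"  # tcpdump printed PRI on its own line, so it is optional
    r"(?P<version>\d{1,2}) "
    r"(?P<timestamp>-|\S+) "
    r"(?P<hostname>-|\S{1,255}) "
    r"(?P<appname>-|\S{1,48}) "
    r"(?P<procid>-|\S{1,128}) "
    r"(?P<msgid>-|\S{1,32}) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$",
    re.DOTALL,
)

def parse_rfc5424(line):
    """Split one line into RFC 5424 header fields; None if it does not start with a header."""
    m = _HEADER.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["msg"] = fields["msg"] or ""
    return fields

def nested_header(fields):
    """Inner header fields if MSG itself starts with another RFC 5424 header, else None."""
    return parse_rfc5424(fields["msg"])

def split_pri(pri):
    """PRI = facility * 8 + severity; 134 decodes to local0 (16) / info (6) as in the capture."""
    return pri // 8, pri % 8

# The "Msg:" line from the tcpdump capture above, de-wrapped and cut after the first fields.
PAGE_MSG = ("1 2018-02-05T15:44:07-05:00 MD_FWPA01 1,2018/02/05 - - - "
            "15:44:07,007801000484,TRAFFIC,drop,1,2018/02/05 15:44:07,"
            "10.162.57.38,172.217.3.36,0.0.0.0,0.0.0.0,Default-Deny-Log")

# Constructed: a double-wrapped message, i.e. a relay (hypothetical hostname "rsyslog-relay")
# prepending its own header to the original instead of forwarding the original header as-is.
WRAPPED = "<134>1 2018-02-05T15:44:08-05:00 rsyslog-relay - - - - <134>" + PAGE_MSG

if __name__ == "__main__":
    for sample in (PAGE_MSG, WRAPPED):
        outer = parse_rfc5424(sample)
        inner = nested_header(outer)
        print("host=%s app=%r nested=%s" % (outer["hostname"], outer["appname"],
                                            inner and inner["hostname"]))
```

Note that the captured header parses the first PAN-OS field "1,2018/02/05" as APP-NAME, because the firewall's CSV line contains a space after the date.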