[syslog-ng] syslog-ng parsing Error

David Campeau David.Campeau at tn.gov
Fri Jun 22 20:03:42 UTC 2018


Thank you for the response.

This is how the source is set up and is listening.  It is expecting UDP on port 528.  You mentioned syslog(), but does my example need to be tweaked in some way?

    source s_network {
        syslog(transport("udp") port(528));
    };

Best Regards,


From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Scheidler, Balázs
Sent: Friday, June 22, 2018 12:44 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] syslog-ng parsing Error



On Jun 21, 2018 18:11, "David Campeau" <David.Campeau at tn.gov> wrote:
Hello,

I have a syslog source node sending syslogs, and they are being generated via a Python script that is using the Python Rfc5426SysLogHandler.  So, these syslog messages should be RFC compliant.  However, syslog-ng does prepend an error message before sending it on to be put into storage.

Example error message from syslog-ng =   <43>Jun 21 10:27:38 syslog-ng-Server syslog-ng[2559]: Error processing log message:  xxxxx timestamp, source hostname and payload follows.

I’ve done some googling, but haven’t been able to find out what error 2559 means.

2559 is the pid of the syslog-ng process.

Any thoughts of what I might do to determine what syslog-ng isn’t liking about the syslog it is receiving?  I need to relay this information to a developer so they can make adjustments to the python script.
After the colon the original message is reproduced verbatim, but as far as I understand you changed that so judging why parsing failed is not possible.

One usual suspect is that you are using the legacy BSD-style source, whereas your message is in the 5424 format.

Using the syslog() source instead of tcp/udp can help.

Hope this helps.

Best regards,

David
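
An added example, not part of the original thread and not syslog-ng's own parser: a small Python checker that the script's developer could run over a captured datagram to see whether it carries a legacy BSD header or which RFC 5424 header field is malformed. The function name `check_rfc5424` and the sample datagrams are constructed for this example, and STRUCTURED-DATA is only checked for its first character.

```python
import re

FIELDS = [("HOSTNAME", 255), ("APP-NAME", 48), ("PROCID", 128), ("MSGID", 32)]
TIMESTAMP = re.compile(
    r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})")
BSD_STAMP = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")

# Constructed sample datagrams (not taken from the thread).
GOOD = b"<134>1 2018-06-21T10:27:38.000Z apphost myscript 4711 ID47 - login ok"
BSD = b"<134>Jun 21 10:27:38 apphost myscript[4711]: login ok"
NO_SD = b"<134>1 2018-06-21T10:27:38Z apphost myscript 4711 ID47 login ok"


def check_rfc5424(datagram):
    """Return a list of RFC 5424 header problems; an empty list means OK."""
    try:
        text = datagram.decode("utf-8")
    except UnicodeDecodeError:
        return ["datagram is not valid UTF-8"]
    m = re.match(r"<(\d{1,3})>", text)
    if not m:
        return ["missing <PRI> at start of datagram"]
    problems = []
    if int(m.group(1)) > 191:
        problems.append("PRI out of range 0..191")
    rest = text[m.end():]
    if BSD_STAMP.match(rest):
        return problems + ["legacy BSD (RFC 3164) header, not RFC 5424"]
    # VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG
    parts = rest.split(" ", 6)
    if len(parts) < 7:
        return problems + ["only %d header fields, expected 7" % len(parts)]
    version, stamp, *names, tail = parts
    if not re.fullmatch(r"[1-9]\d{0,2}", version):
        problems.append("VERSION %r is not a number such as 1" % version)
    if stamp != "-" and not TIMESTAMP.fullmatch(stamp):
        problems.append("TIMESTAMP %r is not RFC 3339 or '-'" % stamp)
    for (name, limit), value in zip(FIELDS, names):
        if not (1 <= len(value) <= limit and
                all(33 <= ord(c) <= 126 for c in value)):
            problems.append("%s %r is empty, too long or not printable ASCII"
                            % (name, value))
    if not (tail == "-" or tail.startswith(("- ", "["))):
        problems.append("STRUCTURED-DATA must be '-' or start with '['")
    return problems


if __name__ == "__main__":
    for sample in (GOOD, BSD, NO_SD):
        print(sample.decode(), "->", check_rfc5424(sample) or "OK")
```
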





