[syslog-ng] Undesirable behavior from Cisco parser?
Budai, László
laszlo.budai at oneidentity.com
Mon Sep 10 11:44:56 UTC 2018
Hi,
In syslog-ng OSE 3.13 [1] we introduced a new feature, called app-parser
[2], and the default network driver is using it.
Maybe that could cause your issue. If this is the case, then we have
another PR [3] which makes it possible to disable the auto-parse (also part
of 3.13).
Example:
source s_network {
    default-network-drivers(auto-parse(no));
};
If it does not solve your problem, then could you share the relevant part of
your config?
[1] https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.13.1
[2] https://github.com/balabit/syslog-ng/pull/1689
[3] https://github.com/balabit/syslog-ng/pull/1788/
regards,
Laszlo Budai
On Fri, Sep 7, 2018 at 6:00 PM, Nik Ambrosch <nik at ambrosch.com> wrote:
> Recently I upgraded my centralized loghost from 3.9 -> 3.15 and I noticed
> that some of my cisco devices started being logged in an undesirable
> format... I don't want to enable the cisco parser because more than just
> cisco messages get delivered to this interface. Here are the relevant
> fields that have changed before/after the upgrade:
>
> syslog-ng 3.9, before upgrade ---
> ${FULLHOST}: "mydevice.com"
> ${PROGRAM}: ""
> message: "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
> invalid spi for..."
>
> syslog-ng 3.15, before upgrade ---
> ${FULLHOST}: ":"
> ${PROGRAM}: "%CRYPTO-4-RECVD_PKT_INV_SPI"
> ${MSG}: "decaps: rec'd IPSEC packet has invalid spi for..."
>
>
> Is this unintended behavior or a bug? This particular device is a Cisco
> 3845 running ios 12.4(22)T4.
>
> Thanks in advance.
>