[syslog-ng] Undesirable behavior from Cisco parser?

Scheidler, Balázs balazs.scheidler at oneidentity.com
Mon Sep 10 13:16:05 UTC 2018


This is probably not it, the syslog-parser() changed some behaviours that
changed it.

On Mon, Sep 10, 2018, 13:45 Budai, László <laszlo.budai at oneidentity.com>
wrote:

> Hi,
>
> in syslog-ng OSE 3.13 [1] we introduced a new feature, called app-parser
> [2] and the default network driver is using it.
> Maybe that could cause your issue.  If this is the case, then we have
> another PR [3] which makes it possible to disable the auto-parse (also part
> of 3.13).
>
> Example:
> source s_network {
>   default-network-drivers(auto-parse(no));
> };
>
> If it does not solve your problem, then could you share the relevant part of
> your config?
>
>
> [1] https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.13.1
> [2] https://github.com/balabit/syslog-ng/pull/1689
> [3] https://github.com/balabit/syslog-ng/pull/1788/
>
>
> regards,
> Laszlo Budai
>
>
> On Fri, Sep 7, 2018 at 6:00 PM, Nik Ambrosch <nik at ambrosch.com> wrote:
>
>> Recently I upgraded my centralized loghost from 3.9 -> 3.15 and I noticed
>> that some of my cisco devices started being logged in an undesirable
>> format... I don't want to enable the cisco parser because more than just
>> cisco messages get delivered to this interface.  Here are the relevant
>> fields that have changed before/after the upgrade:
>>
>> syslog-ng 3.9, before upgrade ---
>>     ${FULLHOST}: "mydevice.com"
>>     ${PROGRAM}: ""
>>     message: "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
>> invalid spi for..."
>>
>> syslog-ng 3.15, before upgrade ---
>>     ${FULLHOST}: ":"
>>     ${PROGRAM}: "%CRYPTO-4-RECVD_PKT_INV_SPI"
>>     ${MSG}: "decaps: rec'd IPSEC packet has invalid spi for..."
>>
>>
>> Is this unintended behavior or a bug?  This particular device is a Cisco
>> 3845 running ios 12.4(22)T4.
>>
>> Thanks in advance.
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>>
>
>
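Added example, not part of the original thread and not syslog-ng code: a Python check that a loghost operator could run over parsed records after an upgrade to catch the field shift reported above, where FULLHOST stops being a hostname and the Cisco %FACILITY-SEVERITY-MNEMONIC tag lands in PROGRAM. The function names and the dict record layout are assumptions; the two sample records reuse the values quoted in the thread.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Cisco IOS message tag, e.g. %CRYPTO-4-RECVD_PKT_INV_SPI
_CISCO_TAG = re.compile(r"^%[A-Z0-9_-]+-[0-7]-[A-Z0-9_]+$")


def valid_host(value):
    """True if value is an IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if not value or len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def field_shift_findings(record):
    """Return a list of reasons why a parsed record looks mis-parsed."""
    findings = []
    if not valid_host(record.get("FULLHOST", "")):
        findings.append("FULLHOST is not a hostname or IP address")
    if _CISCO_TAG.match(record.get("PROGRAM", "")):
        findings.append("PROGRAM holds a Cisco %FACILITY-SEVERITY-MNEMONIC tag")
    return findings


# Sample records built from the field values quoted in the thread
# (the message text is truncated there and is kept truncated here).
BEFORE_UPGRADE = {
    "FULLHOST": "mydevice.com",
    "PROGRAM": "",
    "MSG": "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for...",
}
AFTER_UPGRADE = {
    "FULLHOST": ":",
    "PROGRAM": "%CRYPTO-4-RECVD_PKT_INV_SPI",
    "MSG": "decaps: rec'd IPSEC packet has invalid spi for...",
}

if __name__ == "__main__":
    for name, rec in (("3.9", BEFORE_UPGRADE), ("3.15", AFTER_UPGRADE)):
        print(name, field_shift_findings(rec) or "ok")
```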