[syslog-ng] Undesirable behavior from Cisco parser?

Balazs Scheidler bazsi77 at gmail.com
Mon Sep 10 13:55:44 UTC 2018


This patch broke it:

399d565e9857e7cb41253e9a714d5cc6ad4d50fb.

This patch can be reverted easily even on the latest master to resolve the
issue.

On Mon, Sep 10, 2018 at 3:16 PM Scheidler, Balázs <
balazs.scheidler at oneidentity.com> wrote:

> This is probably not it, the syslog-parser() changed some behaviours that
> changed it.
>
> On Mon, Sep 10, 2018, 13:45 Budai, László <laszlo.budai at oneidentity.com>
> wrote:
>
>> Hi,
>>
>> In syslog-ng OSE 3.13 [1] we introduced a new feature called app-parser
>> [2], and the default network driver is using it.
>> Maybe that could cause your issue.  If this is the case, then we have
>> another PR [3] which makes it possible to disable the auto-parse (also part
>> of 3.13).
>>
>> Example:
>> source s_network {
>>   default-network-drivers(auto-parse(no));
>> };
>>
>> If it does not solve your problem, then could you share the relevant part of
>> your config?
>>
>>
>> [1] https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.13.1
>> [2] https://github.com/balabit/syslog-ng/pull/1689
>> [3] https://github.com/balabit/syslog-ng/pull/1788/
>>
>>
>> regards,
>> Laszlo Budai
>>
>>
>> On Fri, Sep 7, 2018 at 6:00 PM, Nik Ambrosch <nik at ambrosch.com> wrote:
>>
>>> Recently I upgraded my centralized loghost from 3.9 -> 3.15 and I
>>> noticed that some of my cisco devices started being logged in an
>>> undesirable format... I don't want to enable the cisco parser because more
>>> than just cisco messages get delivered to this interface.  Here are the
>>> relevant fields that have changed before/after the upgrade:
>>>
>>> syslog-ng 3.9, before upgrade ---
>>>     ${FULLHOST}: "mydevice.com"
>>>     ${PROGRAM}: ""
>>>     message: "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet
>>> has invalid spi for..."
>>>
>>> syslog-ng 3.15, before upgrade ---
>>>     ${FULLHOST}: ":"
>>>     ${PROGRAM}: "%CRYPTO-4-RECVD_PKT_INV_SPI"
>>>     ${MSG}: "decaps: rec'd IPSEC packet has invalid spi for..."
>>>
>>>
>>> Is this unintended behavior or a bug?  This particular device is a Cisco
>>> 3845 running ios 12.4(22)T4.
>>>
>>> Thanks in advance.
>>>
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>>
>>
>>
>

-- 
Bazsi
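
An added example, not part of the thread and not syslog-ng code: a check that finds records showing the symptom reported above (${FULLHOST} of ":" with a Cisco mnemonic in ${PROGRAM}) in an export of parsed logs and rebuilds the pre-upgrade layout. It assumes each record is a dict keyed by macro name and also carries ${SOURCEIP}; the sample records and addresses are constructed.

```python
import re

# Cisco IOS mnemonic: %FACILITY-SEVERITY-MNEMONIC, e.g. %CRYPTO-4-RECVD_PKT_INV_SPI
CISCO_MNEMONIC = re.compile(r"^%[A-Z0-9_]+(?:-[A-Z0-9_]+)*-[0-7]-[A-Z0-9_]+$")
HOST_CHARS = re.compile(r"^[A-Za-z0-9._:-]+$")

def plausible_host(host):
    """Hostname/IP characters only, and at least one alphanumeric (":" fails)."""
    return bool(HOST_CHARS.match(host)) and any(c.isalnum() for c in host)

def is_misparsed(rec):
    """True when the host is implausible and PROGRAM holds a Cisco mnemonic."""
    return (not plausible_host(rec.get("FULLHOST", ""))
            and CISCO_MNEMONIC.match(rec.get("PROGRAM", "")) is not None)

def repair(rec):
    """Rebuild the 3.9-style layout: empty PROGRAM, mnemonic back in the message.
    The original host was lost at parse time, so fall back to the sender address
    (assumption: the export includes SOURCEIP)."""
    fixed = dict(rec)
    fixed["MSG"] = f'{rec["PROGRAM"]}: {rec["MSG"]}'
    fixed["PROGRAM"] = ""
    fixed["FULLHOST"] = rec.get("SOURCEIP", "unknown")
    return fixed

def audit(records):
    """Return (indexes of mis-parsed records, records with those repaired)."""
    flagged = [i for i, r in enumerate(records) if is_misparsed(r)]
    cleaned = [repair(r) if i in flagged else r for i, r in enumerate(records)]
    return flagged, cleaned

# Constructed sample records; only the first shows the symptom from the thread.
SAMPLE = [
    {"FULLHOST": ":", "PROGRAM": "%CRYPTO-4-RECVD_PKT_INV_SPI",
     "MSG": "decaps: rec'd IPSEC packet has invalid spi for...",
     "SOURCEIP": "192.0.2.10"},
    {"FULLHOST": "web01.example.com", "PROGRAM": "sshd",
     "MSG": "Accepted publickey for deploy", "SOURCEIP": "192.0.2.20"},
    {"FULLHOST": "rtr1.example.net", "PROGRAM": "%SYS-5-CONFIG_I",
     "MSG": "Configured from console", "SOURCEIP": "192.0.2.30"},
]

if __name__ == "__main__":
    flagged, cleaned = audit(SAMPLE)
    for i in flagged:
        print(f"record {i} mis-parsed; repaired -> {cleaned[i]}")
```

A nonzero flagged count on a loghost that receives Cisco traffic means events are being stored under the wrong host, which affects any per-device search or alert.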