[syslog-ng] Undesirable behavior from Cisco parser?

Scheidler, Balázs balazs.scheidler at oneidentity.com
Mon Sep 10 14:32:05 UTC 2018


This branch has a patch to revert that specific commit, and I've confirmed
that it resolves the issue for me, in exchange for not supporting IPv6
addresses in the hostname field.


On Mon, Sep 10, 2018 at 3:55 PM, Balazs Scheidler <bazsi77 at gmail.com> wrote:

> This patch broke it:
>
> 399d565e9857e7cb41253e9a714d5cc6ad4d50fb.
>
> This patch can be reverted easily even on the latest master to resolve the
> issue.
>
> On Mon, Sep 10, 2018 at 3:16 PM Scheidler, Balázs <
> balazs.scheidler at oneidentity.com> wrote:
>
>> This is probably not it; the syslog-parser() changed some behaviours that
>> changed it.
>>
>> On Mon, Sep 10, 2018, 13:45 Budai, László <laszlo.budai at oneidentity.com>
>> wrote:
>>
>>> Hi,
>>>
>>> in syslog-ng OSE 3.13 [1] we introduced a new feature, called app-parser
>>> [2], and the default network driver is using it.
>>> Maybe that could cause your issue.  If this is the case, then we have
>>> another PR [3] which makes it possible to disable the auto-parse (also part
>>> of 3.13).
>>>
>>> Example:
>>> source s_network {
>>>   default-network-drivers(auto-parse(no));
>>> };
>>>
>>> If that does not solve your problem, then could you share the relevant part of
>>> your config?
>>>
>>>
>>> [1] https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.13.1
>>> [2] https://github.com/balabit/syslog-ng/pull/1689
>>> [3] https://github.com/balabit/syslog-ng/pull/1788/
>>>
>>>
>>> regards,
>>> Laszlo Budai
>>>
>>>
>>> On Fri, Sep 7, 2018 at 6:00 PM, Nik Ambrosch <nik at ambrosch.com> wrote:
>>>
>>>> Recently I upgraded my centralized loghost from 3.9 -> 3.15 and I
>>>> noticed that some of my Cisco devices started being logged in an
>>>> undesirable format... I don't want to enable the Cisco parser because more
>>>> than just Cisco messages get delivered to this interface.  Here are the
>>>> relevant fields that have changed before/after the upgrade:
>>>>
>>>> syslog-ng 3.9, before upgrade ---
>>>>     ${FULLHOST}: "mydevice.com"
>>>>     ${PROGRAM}: ""
>>>>     message: "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet
>>>> has invalid spi for..."
>>>>
>>>> syslog-ng 3.15, before upgrade ---
>>>>     ${FULLHOST}: ":"
>>>>     ${PROGRAM}: "%CRYPTO-4-RECVD_PKT_INV_SPI"
>>>>     ${MSG}: "decaps: rec'd IPSEC packet has invalid spi for..."
>>>>
>>>>
>>>> Is this unintended behavior or a bug?  This particular device is a
>>>> Cisco 3845 running IOS 12.4(22)T4.
>>>>
>>>> Thanks in advance.
>>>>
>>>> ______________________________________________________________________________
>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>
>>>>
>>>>
>>>
>>
>>
>
> --
> Bazsi
>
>
>
>
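An added Python model of the two hostname rules this thread contrasts. It is not syslog-ng's code, and the sample lines are constructed (the first is modelled on the field values Nik pasted, the second on an IPv6 sender): a rule that merely lets ':' into the host field swallows the stray ':' token in the Cisco line, producing FULLHOST ":" and PROGRAM "%CRYPTO-4-RECVD_PKT_INV_SPI", while validating the token as a DNS name or an address literal with `ipaddress` rejects the stray ':' but still accepts a real IPv6 hostname. The `parse_header` toy and `SOURCE_HOST` are assumptions for illustration.

```python
import ipaddress
import re

# Constructed samples (not captures from the thread). The first is modelled on
# the Cisco IOS message the OP quotes: a lone ':' where a hostname would be.
CISCO_LINE = ("<189>: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet "
              "has invalid spi for...")
IPV6_LINE = "<38>2001:db8::1 sshd: Accepted publickey for ops"
SOURCE_HOST = "mydevice.com"  # assumed reverse-resolved sender, used as fallback

_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(\.{_LABEL})*")


def permissive_host(token):
    """Models the permissive rule: hostname characters plus ':' count as a host."""
    return re.fullmatch(r"[A-Za-z0-9.:-]+", token) is not None


def strict_host(token):
    """Accept a DNS name or an IPv4/IPv6 literal; reject stray punctuation."""
    if _HOSTNAME_RE.fullmatch(token):
        return True
    try:
        ipaddress.ip_address(token.strip("[]"))  # real IPv6 still passes
        return True
    except ValueError:
        return False


def parse_header(line, host_ok, source_host):
    """Toy BSD-syslog header parser (an assumption, not syslog-ng's own code):
    returns (host, program, msg). Timestamps are not modelled."""
    m = re.fullmatch(r"<(\d{1,3})>(.*)", line, re.S)
    if not m:
        raise ValueError("no PRI field")
    rest = m.group(2)
    token, _, remainder = rest.partition(" ")
    host = source_host
    if token and host_ok(token):
        host, rest = token, remainder
    # PROGRAM is the whitespace-free text before the first ':'; otherwise empty.
    prog, sep, msg = rest.partition(":")
    if sep and prog and not re.search(r"\s", prog):
        return host, prog, msg.lstrip()
    return host, "", rest


if __name__ == "__main__":
    for rule in (permissive_host, strict_host):
        print(rule.__name__, parse_header(CISCO_LINE, rule, SOURCE_HOST))
```

With the strict rule the toy leaves the stray ": " prefix in MSG rather than dropping it; that simplification is the model's, not a statement about either syslog-ng version.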