[syslog-ng] Undesirable behavior from Cisco parser?
Budai, László
laszlo.budai at oneidentity.com
Mon Sep 17 13:13:37 UTC 2018
Hi,
I opened a pull request ( https://github.com/balabit/syslog-ng/pull/2272 )
that has been already merged to master.
Could you compile syslog-ng from source and test if it works?
L.
On Mon, Sep 17, 2018 at 3:03 PM, Nik Ambrosch <nik at ambrosch.com> wrote:
> Is there any other information I can provide in order to help resolve this?
>
>
> On Tue, Sep 11, 2018 at 1:48 PM Nik Ambrosch <nik at ambrosch.com> wrote:
>
>> I setup a syslog-ng 3.9 device to capture a message using
>>
>> network(transport(tcp) flags(no-parse));
>>
>> Here's what was logged:
>>
>> Sep 11 12:14:51 1.1.1.1 <190>53: Sep 11 16:14:50.588:
>> %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host blahblah
>>
>> Followed up with a device that delivers a proper hostname, this is what
>> was logged:
>>
>> Sep 11 13:17:39 2.2.2.2 <190>10474: Sep 11 17:17:38.447 UTC:
>> %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host blahblah
>>
>> Looks like the difference is the working device contains a timezone where
>> as the non-working device does not. Everything else is the same however
>> neither contain a hostname like in your example.
>>
>>
>>
>>
>>
>> On Tue, Sep 11, 2018 at 9:45 AM, Budai, László <
>> laszlo.budai at oneidentity.com> wrote:
>>
>>> Hi,
>>>
>>> instead of reverting the ipv6 heuristic, I propose another solution:
>>> https://github.com/balabit/syslog-ng/pull/2272
>>>
>>> I think that when a timestamp is followed by a colon(':'), it is part of
>>> the timestamp and the (legacy) timestamp parser should 'eat' it.
>>>
>>> I tested with the following log:
>>> <0>91: *Oct 07 03:10:04: mydevice.com %CRYPTO-4-RECVD_PKT_INV_SPI:
>>> decaps: rec'd IPSEC packet has invalid spi for destaddr=150.1.1.1, prot=50,
>>> spi=0x72662541(1919296833), srcaddr=150.3.1.3
>>>
>>> Could you validate that this is the same format that you have?
>>>
>>> L.
>>>
>>> On Mon, Sep 10, 2018 at 4:32 PM, Scheidler, Balázs <
>>> balazs.scheidler at oneidentity.com> wrote:
>>>
>>>> This branch has a patch to revert that specific commit, and I've
>>>> confirmed that it resolves the issue for me, in exchange for not supporting
>>>> IPV6 addresses in the hostname field.
>>>>
>>>>
>>>> On Mon, Sep 10, 2018 at 3:55 PM, Balazs Scheidler <bazsi77 at gmail.com>
>>>> wrote:
>>>>
>>>>> This patch broke it:
>>>>>
>>>>> 399d565e9857e7cb41253e9a714d5cc6ad4d50fb.
>>>>>
>>>>> This patch can be reverted easily even on the latest master to resolve
>>>>> the issue.
>>>>>
>>>>> On Mon, Sep 10, 2018 at 3:16 PM Scheidler, Balázs <
>>>>> balazs.scheidler at oneidentity.com> wrote:
>>>>>
>>>>>> This is probably not it, the syslog-parser() changed some behaviours
>>>>>> that changed it.
>>>>>>
>>>>>> On Mon, Sep 10, 2018, 13:45 Budai, László <
>>>>>> laszlo.budai at oneidentity.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> in syslog-ng OSE 3.13 [1] we introduced a new feature, called
>>>>>>> app-parser [2] and the default network network driver is using it.
>>>>>>> Maybe that could cause your issue. If this is the case, then we
>>>>>>> have another PR [3] which makes it possible to disable the auto-parse (also
>>>>>>> part of 3.13).
>>>>>>>
>>>>>>> Example:
>>>>>>> source s_network {
>>>>>>> default-network-drivers(auto-parse(no));
>>>>>>> };
>>>>>>>
>>>>>>> If it not solves your problem then could you share the relevant part
>>>>>>> of your config?
>>>>>>>
>>>>>>>
>>>>>>> [1] https://github.com/balabit/syslog-ng/releases/tag/syslog-
>>>>>>> ng-3.13.1
>>>>>>> [2] https://github.com/balabit/syslog-ng/pull/1689
>>>>>>> [3] https://github.com/balabit/syslog-ng/pull/1788/
>>>>>>>
>>>>>>>
>>>>>>> regards,
>>>>>>> Laszlo Budai
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Sep 7, 2018 at 6:00 PM, Nik Ambrosch <nik at ambrosch.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Recently I upgraded my centralized loghost from 3.9 -> 3.15 and I
>>>>>>>> noticed that some of my cisco devices started being logged in an
>>>>>>>> undesirable format... I don't want to enable the cisco parser because more
>>>>>>>> than just cisco messages get delivered to this interface. Here are the
>>>>>>>> relevant fields that have changed before/after the upgrade:
>>>>>>>>
>>>>>>>> syslog-ng 3.9, before upgrade ---
>>>>>>>> ${FULLHOST}: "mydevice.com"
>>>>>>>> ${PROGRAM}: ""
>>>>>>>> message: "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
>>>>>>>> packet has invalid spi for..."
>>>>>>>>
>>>>>>>> syslog-ng 3.15, before upgrade ---
>>>>>>>> ${FULLHOST}: ":"
>>>>>>>> ${PROGRAM}: "%CRYPTO-4-RECVD_PKT_INV_SPI"
>>>>>>>> ${MSG}: "decaps: rec'd IPSEC packet has invalid spi for..."
>>>>>>>>
>>>>>>>>
>>>>>>>> Is this unintended behavior or a bug? This particular device is a
>>>>>>>> Cisco 3845 running ios 12.4(22)T4.
>>>>>>>>
>>>>>>>> Thanks in advance.
>>>>>>>>
>>>>>>>> ____________________________________________________________
>>>>>>>> __________________
>>>>>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>>>>> Documentation: http://www.balabit.com/support/documentation/?
>>>>>>>> product=syslog-ng
>>>>>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> ____________________________________________________________
>>>>>>> __________________
>>>>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>>>> Documentation: http://www.balabit.com/support/documentation/?
>>>>>>> product=syslog-ng
>>>>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>>>>
>>>>>>> ____________________________________________________________
>>>>>> __________________
>>>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>>> Documentation: http://www.balabit.com/support/documentation/?
>>>>>> product=syslog-ng
>>>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Bazsi
>>>>>
>>>>> ____________________________________________________________
>>>>> __________________
>>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>> Documentation: http://www.balabit.com/support/documentation/?
>>>>> product=syslog-ng
>>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>>
>>>>>
>>>>>
>>>>
>>>> ____________________________________________________________
>>>> __________________
>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>> Documentation: http://www.balabit.com/support/documentation/?
>>>> product=syslog-ng
>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>
>>>>
>>>>
>>>
>>> ____________________________________________________________
>>> __________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support/documentation/?
>>> product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>>
>>
> ____________________________________________________________
> __________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?
> product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20180917/7499e36f/attachment-0001.html>
More information about the syslog-ng
mailing list