[syslog-ng] Issue with processing syslog event

Raghunath Adhyapak funduraghu at gmail.com
Tue Apr 28 11:00:22 UTC 2020 

Hello all,

I am receiving the following syslog line from one of devices.

<134>1 1588062776.725141502 C0493 flows allow src=10.0.31.145 dst=9.9.9.9
Mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53

This line contains a version filed immediately following the priority, and
then timestamp is in epoch format as against ISO8601 or other standard
format.

I see the following error in syslog-ng log:
[2020-04-28T10:46:15.340911] Outgoing message; message='Apr 28 10:46:15
ip-172-31-240-95 syslog-ng[27873]: Error processing log message: <134>1>@<
1588062776.725141502 C0493 flows allow src=10.0.31.145 dst=9.9.9.9
mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53'

What could be the possible issue here?

My config is as follows:

##========================================
########################
# Global options
########################
options {keep_hostname (yes);  use_dns (no); mark-freq(30);};
########################
# Sources
########################
source s_syslog {
        syslog(
                transport(udp)
                port(514)
                max-connections(500)
        );
};
########################
# Destinations
########################
destination d_file {
    file("/var/log/dump.log");
};
########################
# Log paths
########################
log {
        source(s_syslog);
        destination(d_file);
        flags(flow-control);
};
##========================================

If I check my file /var/log/dump.log, I see that the error line is getting
written to it too.

root at ip-172-31-240-95:~# tail -f /var/log/dump.log | grep "Error processing"
Apr 28 10:44:46 ip-172-31-240-95 syslog-ng[27873]: Error processing log
message: <134>1>@< 1588062776.725141502 C0493 flows allow src=10.0.31.145
dst=9.9.9.9 mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53
Apr 28 10:46:15 ip-172-31-240-95 syslog-ng[27873]: Error processing log
message: <134>1>@< 1588062776.725141502 C0493 flows allow src=10.0.31.145
dst=9.9.9.9 mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53

Thanks
Raghu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20200428/ac188725/attachment-0001.html>

More information about the syslog-ng mailing list