[syslog-ng] Issue with processing syslog event

Nagy Gábor gabor.hl at gmail.com
Tue Apr 28 12:56:42 UTC 2020 

Hi!

At first look it seems to me that your log message is not in RFC5424 [1]
format, or in RFC3164 [2] format.
You use syslog() source driver which expects these formats.

Do you receive log messages from other clients too (I guess if you have
max-connections(500))?
What device is the log source where messages are coming form?

Regards,
Gabor

[1] https://tools.ietf.org/html/rfc5424
[2] https://tools.ietf.org/html/rfc3164

Raghunath Adhyapak <funduraghu at gmail.com> ezt írta (időpont: 2020. ápr.
28., K, 13:00):

> Hello all,
>
> I am receiving the following syslog line from one of devices.
>
> <134>1 1588062776.725141502 C0493 flows allow src=10.0.31.145 dst=9.9.9.9
> Mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53
>
> This line contains a version filed immediately following the priority, and
> then timestamp is in epoch format as against ISO8601 or other standard
> format.
>
> I see the following error in syslog-ng log:
> [2020-04-28T10:46:15.340911] Outgoing message; message='Apr 28 10:46:15
> ip-172-31-240-95 syslog-ng[27873]: Error processing log message: <134>1>@<
> 1588062776.725141502 C0493 flows allow src=10.0.31.145 dst=9.9.9.9
> mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53'
>
> What could be the possible issue here?
>
> My config is as follows:
>
> ##========================================
> ########################
> # Global options
> ########################
> options {keep_hostname (yes);  use_dns (no); mark-freq(30);};
> ########################
> # Sources
> ########################
> source s_syslog {
>         syslog(
>                 transport(udp)
>                 port(514)
>                 max-connections(500)
>         );
> };
> ########################
> # Destinations
> ########################
> destination d_file {
>     file("/var/log/dump.log");
> };
> ########################
> # Log paths
> ########################
> log {
>         source(s_syslog);
>         destination(d_file);
>         flags(flow-control);
> };
> ##========================================
>
> If I check my file /var/log/dump.log, I see that the error line is getting
> written to it too.
>
> root at ip-172-31-240-95:~# tail -f /var/log/dump.log | grep "Error
> processing"
> Apr 28 10:44:46 ip-172-31-240-95 syslog-ng[27873]: Error processing log
> message: <134>1>@< 1588062776.725141502 C0493 flows allow src=10.0.31.145
> dst=9.9.9.9 mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53
> Apr 28 10:46:15 ip-172-31-240-95 syslog-ng[27873]: Error processing log
> message: <134>1>@< 1588062776.725141502 C0493 flows allow src=10.0.31.145
> dst=9.9.9.9 mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53
>
> Thanks
> Raghu
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20200428/ee66d910/attachment.html>

More information about the syslog-ng mailing list