[syslog-ng] Issue with processing syslog event

Raghunath Adhyapak funduraghu at gmail.com
Tue Apr 28 15:52:42 UTC 2020 

Hi,

This log line was received from Cisco device.
I believe that the timestamp is not in acceptable format.
Is there any way we can configure syslog-ng to accept timestamp of this
form?

Thanks
Raghu

On Tue, Apr 28, 2020 at 6:26 PM Nagy Gábor <gabor.hl at gmail.com> wrote:

> Hi!
>
> At first look it seems to me that your log message is not in RFC5424 [1]
> format, or in RFC3164 [2] format.
> You use syslog() source driver which expects these formats.
>
> Do you receive log messages from other clients too (I guess if you have
> max-connections(500))?
> What device is the log source where messages are coming form?
>
> Regards,
> Gabor
>
> [1] https://tools.ietf.org/html/rfc5424
> [2] https://tools.ietf.org/html/rfc3164
>
> Raghunath Adhyapak <funduraghu at gmail.com> ezt írta (időpont: 2020. ápr.
> 28., K, 13:00):
>
>> Hello all,
>>
>> I am receiving the following syslog line from one of devices.
>>
>> <134>1 1588062776.725141502 C0493 flows allow src=10.0.31.145 dst=9.9.9.9
>> Mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53
>>
>> This line contains a version filed immediately following the priority,
>> and then timestamp is in epoch format as against ISO8601 or other standard
>> format.
>>
>> I see the following error in syslog-ng log:
>> [2020-04-28T10:46:15.340911] Outgoing message; message='Apr 28 10:46:15
>> ip-172-31-240-95 syslog-ng[27873]: Error processing log message: <134>1>@<
>> 1588062776.725141502 C0493 flows allow src=10.0.31.145 dst=9.9.9.9
>> mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53'
>>
>> What could be the possible issue here?
>>
>> My config is as follows:
>>
>> ##========================================
>> ########################
>> # Global options
>> ########################
>> options {keep_hostname (yes);  use_dns (no); mark-freq(30);};
>> ########################
>> # Sources
>> ########################
>> source s_syslog {
>>         syslog(
>>                 transport(udp)
>>                 port(514)
>>                 max-connections(500)
>>         );
>> };
>> ########################
>> # Destinations
>> ########################
>> destination d_file {
>>     file("/var/log/dump.log");
>> };
>> ########################
>> # Log paths
>> ########################
>> log {
>>         source(s_syslog);
>>         destination(d_file);
>>         flags(flow-control);
>> };
>> ##========================================
>>
>> If I check my file /var/log/dump.log, I see that the error line is
>> getting written to it too.
>>
>> root at ip-172-31-240-95:~# tail -f /var/log/dump.log | grep "Error
>> processing"
>> Apr 28 10:44:46 ip-172-31-240-95 syslog-ng[27873]: Error processing log
>> message: <134>1>@< 1588062776.725141502 C0493 flows allow src=10.0.31.145
>> dst=9.9.9.9 mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53
>> Apr 28 10:46:15 ip-172-31-240-95 syslog-ng[27873]: Error processing log
>> message: <134>1>@< 1588062776.725141502 C0493 flows allow src=10.0.31.145
>> dst=9.9.9.9 mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53
>>
>> Thanks
>> Raghu
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20200428/7b7949c4/attachment.html>

More information about the syslog-ng mailing list