[syslog-ng] message being consistently dropped
Wilson, Jonathan
jonathan.wilson at vumc.org
Mon Aug 31 21:31:17 UTC 2020
We are running syslog-ng, open source edition, version 3.22.1, on RedHat Enterprise version 7.8. Among many other data sources, we receive syslog data from an F5 device that acts as a VPN server. One type of message that it sends us is consistently not making it into the log (though everything else, to my knowledge, does). I wonder if anyone sees something wrong with the message that would prevent its being parsed/stored.
The message (reconstructed from a packet capture, identification fields redacted or changed):
<141>1 2020-08-04T08:10:58.769127-05:00 <fqdn here> apmd 12374 01490113:5:
[F5@12276 hostname="fqdn" errdefs_msgno="01490113:5:"
partition_name="Common" session_id="1c95e1e7" Access_Profile="/Common/blah"
Partition="Common" Session_Id="1c95e1e6"
Session_Variable_Name="session.machine_info.last.net_adapter.list.[0].mac_address"
Session_Variable_Value="3C:D9:2B:33:9A:8E"]
/Common/<blah>:Common:1c95e1e6: session.machine_info.last.net_adapter.list.[0].mac_address is 3C:D9:2B:33:9A:8E
I inserted the line breaks to help Outlook. Note that although the message appears to be RFC5424-compliant I have discovered that it does not have whatever magic headers let syslog-ng handle it as structured data transparently. As a result, I cannot use the "syslog" transport but have to use the generic "network" transport and then use flags "syslog-protocol". This works OK for everything else from this source.
The message doesn't appear in our syslog logs at all. It's consistent.
The relevant parts of the syslog-ng configuration look like:
options {
    ts_format(iso);
    use_dns(yes);
    dns_cache(1000);
    dns_cache_expire(30);
    use_fqdn(yes);
    keep_hostname(no);
    chain-hostnames(no);
    keep_timestamp(yes);
    stats_level(1);
    stats_freq(3600);
    normalize_hostnames(yes);
    log_fifo_size(10000);
    flush_lines(1000);
    log-msg-size(65536);
    trim-large-messages(yes);
    threaded(yes);
    time_reap(10);
    create_dirs(yes);
    dir_group(esmapp);
    dir_owner(esmapp);
    group(esmapp);
    owner(esmapp);
    perm(0644);
};

source s_F5VPN_source {
    network(
        transport("tcp")
        ip(0.0.0.0)
        port(11000)
        keep-timestamp(yes)
        flags(no-multi-line,syslog-protocol)
        max-connections(50)
        log_iw_size(10000)
        log-fetch-limit(20)
    );
};

filter f_F5VPN_client { netmask(<blah>) and facility(local1); };

destination d_F5VPN_client {
    file(
        "/home/syslog/F5VPN_client.log"
        ts_format(rfc3164)
    );
};

log {
    source(s_F5VPN_source);
    filter(f_F5VPN_client);
    destination(d_F5VPN_client);
    flags(flow-control);
};
Regards,
Jon
Jon Wilson | Principal System Engineer, IT Service Management | Information Technology | Vanderbilt University Medical Center
jonathan.wilson at vumc.org | phone: 615-440-7895 | fax: 615-323-2181
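Added example, not from the original post and not syslog-ng code: a small strict RFC 5424 structured-data parser run over a constructed copy of the message above. RFC 5424 section 6.3.3 requires the characters '"', '\' and ']' inside a PARAM-VALUE to be escaped, and the Session_Variable_Name value contains an unescaped ']' in "list.[0]"; the parser reports that offset, while the same message with "\]" parses cleanly. Assumed: the SD-ID is F5@12276 (the list archive renders '@' as " at ") and the hostname vpn.example.org is a placeholder; whether syslog-ng's own parser rejects the message at this point is not shown by the post, so treat it as one thing to verify, e.g. by replaying the escaped variant at the same source.

```python
import re

# Constructed sample modelled on the message quoted in the post (hostname and
# trailing MSG shortened; SD-ID "F5@12276" assumed, the archive shows "F5 at 12276").
SAMPLE = ('<141>1 2020-08-04T08:10:58.769127-05:00 vpn.example.org apmd 12374 01490113:5: '
          '[F5@12276 hostname="fqdn" errdefs_msgno="01490113:5:" '
          'Session_Variable_Name="session.machine_info.last.net_adapter.list.[0].mac_address" '
          'Session_Variable_Value="3C:D9:2B:33:9A:8E"] /Common/blah:Common:1c95e1e6: mac seen')

# PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER = re.compile(r'^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ')

def parse_sd(line, pos):
    """Walk STRUCTURED-DATA from line[pos] with the RFC 5424 section 6.3 grammar.
    Returns (elements, next_pos) or raises ValueError at the offending offset."""
    if line.startswith('-', pos):                           # NILVALUE
        return [], pos + 1
    elems = []
    while line.startswith('[', pos):
        m = re.match(r'\[([^ \]=]+)', line[pos:])           # SD-ID ends at SP or ']'
        sd_id, pos, params = m.group(1), pos + m.end(), {}
        while line.startswith(' ', pos):                    # SP PARAM-NAME "=" PARAM-VALUE
            eq = line.index('=', pos)
            name, pos, val = line[pos + 1:eq], eq + 2, []
            if line[eq + 1] != '"':
                raise ValueError(f'PARAM-VALUE of {name} must start with \'"\' (offset {eq + 1})')
            while line[pos] != '"':
                if line[pos] == '\\':                       # escaped '"', '\\' or ']'
                    pos += 1
                elif line[pos] == ']':                      # 6.3.3: must be written as '\]'
                    raise ValueError(f'unescaped "]" inside PARAM-VALUE {name} (offset {pos})')
                val.append(line[pos])
                pos += 1
            params[name], pos = ''.join(val), pos + 1
        if not line.startswith(']', pos):
            raise ValueError(f'expected "]" closing SD-ELEMENT (offset {pos})')
        elems.append((sd_id, params))
        pos += 1
    return elems, pos

def check_message(line):
    """Return a dict saying whether the message is well-formed RFC 5424 and, if not, why."""
    m = HEADER.match(line)
    if not m:
        return {'ok': False, 'error': 'malformed HEADER'}
    facility = int(m.group(1)) // 8                         # 141 // 8 == 17 == local1
    try:
        sd, pos = parse_sd(line, m.end())
    except ValueError as e:
        return {'ok': False, 'facility': facility, 'error': str(e)}
    return {'ok': True, 'facility': facility, 'sd': dict(sd), 'msg': line[pos:].lstrip()}
```

Running check_message(SAMPLE) reports the unescaped "]" inside Session_Variable_Name; check_message(SAMPLE.replace('.[0].', '.[0\\].')) returns ok with the SD-PARAMs and the trailing MSG split out.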