[syslog-ng] message being consistently dropped

Gabor Nagy (gnagy) Gabor.Nagy at oneidentity.com
Tue Sep 1 07:58:09 UTC 2020


Hi Jon,

I've checked your example log and it seems that it doesn't conform to the syslog protocol (RFC5424 - https://tools.ietf.org/html/rfc5424#section-6.3.3 ).

The "]" characters in SDATA values have to be escaped.
I gave it a try with this log and it worked with the syslog() source:

<141>1 2020-08-04T08:10:58.769127-05:00 fqdn.example.com apmd 12374 01490113:5: [F5 at 12276 hostname="fqdn" errdefs_msgno="01490113:5:" partition_name="Common" session_id="1c95e1e7" Access_Profile="/Common/blah" Partition="Common" Session_Id="1c95e1e6" Session_Variable_Name="session.machine_info.last.net_adapter.list.[0\].mac_address" Session_Variable_Value="3C:D9:2B:33:9A:8E"] /Common/<blah>:Common:1c95e1e6: session.machine_info.last.net_adapter.list.[0].mac_address is 3C:D9:2B:33:9A:8E

You can debug message parsing of syslog-ng (with the -t option, or set it at runtime with "sbin/syslog-ng-ctl trace -s 1").


Regards,
Gábor
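To make the escaping rule concrete, here is a small strict RFC 5424 parser written for this thread (it is an added example, not syslog-ng's own parser). It applies section 6.3.3 literally: a '"', '\' or ']' inside a PARAM-VALUE must be backslash-escaped, so an unescaped ']' is treated as a protocol error, which is the class of failure that leaves a message out of the log. The two sample messages are constructed from the redacted F5 APM line above; the SD-ID is assumed to be F5@12276 (the list archive renders "@" as " at "), and "/Common/<blah>" is replaced by a placeholder. The reject-on-unescaped-']' decision is this code's reading of the RFC, not a claim about syslog-ng internals.

```python
"""Strict RFC 5424 parser (added example for this thread, not syslog-ng code)."""
import re

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
)
# SD-NAME: printable US-ASCII except '=', SP, ']' and '"'
_SD_NAME_RE = re.compile(r'[^ =\]"]+')


def _parse_param_value(msg, pos):
    """Parse a PARAM-VALUE starting just after its opening '"'.

    Returns (value, index after the closing '"'). RFC 5424 section 6.3.3
    says ']' MUST be escaped inside a value, so an unescaped one is rejected.
    """
    out = []
    while pos < len(msg):
        ch = msg[pos]
        if ch == "\\" and pos + 1 < len(msg) and msg[pos + 1] in '"\\]':
            out.append(msg[pos + 1])   # drop the backslash, keep the escaped char
            pos += 2
        elif ch == '"':
            return "".join(out), pos + 1
        elif ch == "]":
            raise ValueError(f"unescaped ']' inside PARAM-VALUE at offset {pos}")
        else:
            out.append(ch)             # a backslash before anything else is kept as-is
            pos += 1
    raise ValueError("unterminated PARAM-VALUE")


def _parse_structured_data(msg, pos):
    """Parse STRUCTURED-DATA at msg[pos:]; returns ({sd_id: {name: value}}, next_pos)."""
    if msg.startswith("-", pos):       # NILVALUE
        return {}, pos + 1
    elements = {}
    while msg.startswith("[", pos):
        m = _SD_NAME_RE.match(msg, pos + 1)
        if not m:
            raise ValueError(f"missing SD-ID at offset {pos + 1}")
        sd_id, pos, params = m.group(0), m.end(), {}
        while not msg.startswith("]", pos):
            if not msg.startswith(" ", pos):
                raise ValueError(f"expected SP or ']' at offset {pos}")
            m = _SD_NAME_RE.match(msg, pos + 1)
            if not m or not msg.startswith('="', m.end()):
                raise ValueError(f"malformed SD-PARAM at offset {pos + 1}")
            params[m.group(0)], pos = _parse_param_value(msg, m.end() + 2)
        pos += 1                        # consume ']'
        elements[sd_id] = params
    if not elements:
        raise ValueError(f"expected STRUCTURED-DATA at offset {pos}")
    return elements, pos


def parse_rfc5424(msg):
    """Parse one RFC 5424 message into a dict; raises ValueError if malformed."""
    m = _HEADER_RE.match(msg)
    if not m:
        raise ValueError("malformed RFC 5424 header")
    fields = m.groupdict()
    fields["sd"], pos = _parse_structured_data(msg, m.end())
    fields["msg"] = msg[pos + 1:] if msg.startswith(" ", pos) else ""  # MSG is optional
    return fields


def parse_or_drop(msg):
    """Behave like a strict receiver: parsed fields, or None if the message is rejected."""
    try:
        return parse_rfc5424(msg)
    except ValueError:
        return None


def escape_param_value(value):
    """Escape a string for use as an RFC 5424 PARAM-VALUE (section 6.3.3)."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


# Constructed from the thread's redacted F5 line; '[0]' in Session_Variable_Name
# carries the offending unescaped ']'. SD-ID F5@12276 is assumed (archive shows "F5 at 12276").
F5_RAW = (
    '<141>1 2020-08-04T08:10:58.769127-05:00 fqdn.example.com apmd 12374 01490113:5: '
    '[F5@12276 hostname="fqdn" errdefs_msgno="01490113:5:" partition_name="Common" '
    'session_id="1c95e1e7" Access_Profile="/Common/blah" Partition="Common" '
    'Session_Id="1c95e1e6" '
    'Session_Variable_Name="session.machine_info.last.net_adapter.list.[0].mac_address" '
    'Session_Variable_Value="3C:D9:2B:33:9A:8E"] '
    '/Common/blah:Common:1c95e1e6: session.machine_info.last.net_adapter.list.[0].mac_address '
    'is 3C:D9:2B:33:9A:8E'
)
# The same message with the PARAM-VALUE escaped as the RFC requires; the ']' in MSG is fine.
F5_ESCAPED = F5_RAW.replace('list.[0].mac_address"', 'list.[0\\].mac_address"', 1)

if __name__ == "__main__":
    for label, sample in (("raw", F5_RAW), ("escaped", F5_ESCAPED)):
        print(label, "->", "dropped" if parse_or_drop(sample) is None else "accepted")
```

Running it shows the raw line rejected and the escaped line accepted with the SD-PARAM value restored to its original text (the backslash is removed on parse). The same check is what to run against a packet capture before blaming the receiver: if a strict parser rejects the SD block, the fix belongs on the sender, or the message has to come in through a non-RFC5424 path.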
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Wilson, Jonathan <jonathan.wilson at vumc.org>
Sent: Monday, August 31, 2020 23:31
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] message being consistently dropped



We are running syslog-ng, open source edition, version 3.22.1, on RedHat Enterprise version 7.8. Among many other data sources, we receive syslog data from an F5 device that acts as a VPN server. One type of message that it sends us is consistently not making it into the log (though everything else, to my knowledge, does.)  I wonder if anyone sees something wrong with the message that would prevent its being parsed/stored.



The message (reconstructed from a packet capture, identification fields redacted or changed):

<141>1 2020-08-04T08:10:58.769127-05:00 <fqdn here> apmd 12374 01490113:5:
[F5 at 12276 hostname="fqdn" errdefs_msgno="01490113:5:"
partition_name="Common" session_id="1c95e1e7" Access_Profile="/Common/blah"
Partition="Common" Session_Id="1c95e1e6"
Session_Variable_Name="session.machine_info.last.net_adapter.list.[0].mac_address"
Session_Variable_Value="3C:D9:2B:33:9A:8E"]
/Common/<blah>:Common:1c95e1e6: session.machine_info.last.net_adapter.list.[0].mac_address is 3C:D9:2B:33:9A:8E



I inserted the line breaks to help Outlook. Note that although the message appears to be RFC5424-compliant I have discovered that it does not have whatever magic headers let syslog-ng handle it as structured data transparently. As a result, I cannot use the “syslog” transport but have to use the generic “network” transport and then use flags “syslog-protocol”. This works OK for everything else from this source.



The message doesn’t appear in our syslog logs at all. It’s consistent.



The relevant parts of the syslog-ng configuration look like:

options {
        ts_format(iso);
        use_dns(yes);
        dns_cache(1000);
        dns_cache_expire(30);
        use_fqdn(yes);
        keep_hostname(no);
        chain-hostnames(no);
        keep_timestamp(yes);
        stats_level(1);
        stats_freq(3600);
        normalize_hostnames(yes);
        log_fifo_size(10000);
        flush_lines(1000);
        log-msg-size(65536);
        trim-large-messages(yes);
        threaded(yes);
        time_reap(10);
        create_dirs(yes);
        dir_group(esmapp);
        dir_owner(esmapp);
        group(esmapp);
        owner(esmapp);
        perm(0644);
};

source s_F5VPN_source {
    network(
        transport("tcp")
        ip(0.0.0.0)
        port(11000)
        keep-timestamp(yes)
        flags(no-multi-line,syslog-protocol)
        max-connections(50)
        log_iw_size(10000)
        log-fetch-limit(20)
    );
};

filter f_F5VPN_client { netmask(<blah>) and facility(local1); };

destination d_F5VPN_client {
    file(
        "/home/syslog/F5VPN_client.log"
        ts_format(rfc3164)
    );
};

log {
    source(s_F5VPN_source);
    filter(f_F5VPN_client);
    destination(d_F5VPN_client);
    flags(flow-control);
};



Regards,

Jon



Jon Wilson | Principal System Engineer, IT Service Management | Information Technology | Vanderbilt University Medical Center
jonathan.wilson at vumc.org | phone: 615-440-7895 | fax: 615-323-2181



