[syslog-ng] message being consistently dropped

Gabor Nagy (gnagy) Gabor.Nagy at oneidentity.com
Tue Sep 1 16:49:51 UTC 2020 

Hi,

Your logs get dropped by the filter "facility(local1)".
The filter does not match on the above log because it cannot be parsed by the syslog-protocol (RFC5424) due to the unescaped brackets in the SDATA.
Due to the failed parsing, your log message has been altered to visualize the parsing errors location:
<43>1 2020-09-01T18:28:24+02:00 localhost syslog-ng 2514 - - Error processing log message: <141>1 2020-08-04T08:10:58.769127-05:00 fqdn.example.com apmd 12374 01490113:5: [F5 at 12276 hostname="fqdn" errdefs_msgno="01490113:5:" partition_name="Common" session_id="1c95e1e7" Access_Profile="/Common/blah" Partition="Common" Session_Id="1c95e1e6" Session_Variable_Name="session.machine_info.last.net_adapter.list.[0>@<].mac_address" Session_Variable_Value="3C:D9:2B:33:9A:8E"] /Common/<blah>:Common:1c95e1e6: session.machine_info.last.net_adapter.list.[0].mac_address is 3C:D9:2B:33:9A:8E

The question is, do you need to parse the message before storing it into a log file? Because we can disable parsing on the source side and the whole message is put into the $MESSAGE macro.
I guess you need some basic parsing, as you filter the messages based on facility.
Do you use this source in other log paths as well?

I'm thinking in a workaround currently, as so far I didn't found a way to overcome this issue.
I would like to emphasize that F5 log format violates the RFC5424 described protocol. This should be reported to them.

Regards,
Gabor
________________________________
From: Wilson, Jonathan <jonathan.wilson at vumc.org>
Sent: Tuesday, September 1, 2020 14:39
To: Gabor Nagy (gnagy) <Gabor.Nagy at oneidentity.com>
Subject: Re: [syslog-ng] message being consistently dropped

CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.


Good morning Gabor, thank you for the info on my syslog-ng issue.



Unfortunately the device in question is “canned” (an F5) and I am pretty sure I cannot change the format it logs with. Is there a simple way to pre-process them so that they don’t get dropped by syslog-ng?



Thanks,

Jon



Jon Wilson | Principal System Engineer, IT Service Management | Information Technology | Vanderbilt University Medical Center
jonathan.wilson at vumc.org<mailto:jonathan.wilson at vumc.org> | phone: 615-440-7895 | fax: 615-323-2181


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20200901/606b0897/attachment.html>

More information about the syslog-ng mailing list