[syslog-ng]Problems with Netscreen log entries

James Masson syslog-ng@lists.balabit.hu
Thu, 6 Jan 2005 10:52:14 +0100 

=20
Hi Phil,

I had exactly this problem, upgrading to 1.6.5 fixed the problem.

Regards

James


> -----Original Message-----
> From: syslog-ng-admin@lists.balabit.hu=20
> [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Philip Webster
> Sent: 06 January 2005 05:59
> To: syslog-ng@lists.balabit.hu
> Subject: Re: [syslog-ng]Problems with Netscreen log entries
>=20
> Bazsi,
>=20
> Balazs Scheidler wrote:
> > On Mon, 2004-08-09 at 15:20, Paul Mindeman wrote:
> >=20
> >>Running sylog-ng 1.6.4 on Solaris 9
> >>
> >>Log entries from my UNIX devices log fine.  Log entries from my=20
> >>Netscreen devices seem to be missing the end of line terminator, as=20
> >>the entries run together in the log file.  The default=20
> syslog daemon=20
> >>was able to handle these entries fine.  Any ideas on how to=20
> fix this?
> >>
> >>The options in the syslog-ng.conf file are:
> >>
> >>options { sync (0);
> >>           time_reopen (10);
> >>           log_fifo_size (1000);
> >>           long_hostnames (off);
> >>           use_dns (no);
> >>           use_fqdn (no);
> >>           create_dirs (no);
> >>           keep_hostname (yes);
> >>         };
> >=20
> >=20
> > Can you give me an tcpdump snippet to see how a netscreen=20
> log message=20
> > is formatted? Please make sure that you snap the complete=20
> packet (-s=20
> > option).
> >=20
> > tcpdump -xXpeni ethX  port 514 and udp
> >=20
> > should do the trick.
> >=20
>=20
> I'm seeing the same problem as listed above, but did not see=20
> a solution posted.  I've included a tcpdump listing of a=20
> sample packet below.  All packets seem to be null terminated,=20
> but do not contain a newline.  The sending device is a=20
> Netscreen ISG2000 and the receiver is syslog-ng 1.6.3 running=20
> on Red Hat Linux Advanced Server release 2.1AS.
>=20
> If the logs are sent from the ISG to a FreeBSD host running=20
> standard syslog, and then forwarded from there to the=20
> syslog-ng host, a newline is present in the logs on both servers.
>=20
> Any thoughts?
> Phil
>=20
> 11:04:03.044944 IP 10.40.44.3.2148 > 10.224.8.2.syslog: UDP,=20
> length 146
>          0x0000:  00d0 b7a8 8008 0010 db86 5e80 0800 4500 =20
> ..........^...E.
>          0x0010:  00ae 07b9 0000 4011 297a 0a28 2c03 0ae0 =20
> ......@.)z.(,...
>          0x0020:  0802 0864 0202 009a 8108 3c31 3636 3e67 =20
> ...d......<166>g
>          0x0030:  702d 6564 6765 2d66 773a 204e 6574 5363 =20
> p-edge-fw:.NetSc
>          0x0040:  7265 656e 2064 6576 6963 655f 6964 3d67 =20
> reen.device_id=3Dg
>          0x0050:  702d 6564 6765 2d66 7720 205b 526f 6f74 =20
> p-edge-fw..[Root
>          0x0060:  5d73 7973 7465 6d2d 696e 666f 726d 6174 =20
> ]system-informat
>          0x0070:  696f 6e2d 3030 3736 373a 204c 6f63 6b20 =20
> ion-00767:.Lock.
>          0x0080:  636f 6e66 6967 7572 6174 696f 6e20 656e =20
> configuration.en
>          0x0090:  6465 6420 6279 2074 6173 6b20 7373 682d =20
> ded.by.task.ssh-
>          0x00a0:  636d 643a 3820 2832 3030 352d 3031 2d30 =20
> cmd:8.(2005-01-0
>          0x00b0:  3420 3131 3a30 343a 3033 2900           =20
> 4.11:04:03).
>=20
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu=20
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>=20
>=20
>=20