[syslog-ng]Problems with Netscreen log entries
Philip Webster
syslog-ng@lists.balabit.hu
Thu, 13 Jan 2005 08:44:44 +1000
James,
James Masson wrote:
>
> Hi Phil,
>
> I had exactly this problem; upgrading to 1.6.5 fixed it.
Thanks for the advice. Upgraded last night and working perfectly.
Cheers
Phil
> Regards
>
> James
>
>>-----Original Message-----
>>From: syslog-ng-admin@lists.balabit.hu
>>[mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Philip Webster
>>Sent: 06 January 2005 05:59
>>To: syslog-ng@lists.balabit.hu
>>Subject: Re: [syslog-ng]Problems with Netscreen log entries
>>
>>Bazsi,
>>
>>Balazs Scheidler wrote:
>>
>>>On Mon, 2004-08-09 at 15:20, Paul Mindeman wrote:
>>>
>>>
>>>>Running syslog-ng 1.6.4 on Solaris 9
>>>>
>>>>Log entries from my UNIX devices log fine. Log entries from my
>>>>Netscreen devices seem to be missing the end of line terminator, as
>>>>the entries run together in the log file. The default syslog daemon
>>>>was able to handle these entries fine. Any ideas on how to fix this?
>>>>The options in the syslog-ng.conf file are:
>>>>
>>>>options { sync (0);
>>>> time_reopen (10);
>>>> log_fifo_size (1000);
>>>> long_hostnames (off);
>>>> use_dns (no);
>>>> use_fqdn (no);
>>>> create_dirs (no);
>>>> keep_hostname (yes);
>>>> };
>>>
>>>
>>>Can you give me a tcpdump snippet to see how a netscreen log message
>>>is formatted? Please make sure that you snap the complete packet (-s
>>>option).
>>>
>>>tcpdump -xXpeni ethX port 514 and udp
>>>
>>>should do the trick.
>>>
>>
>>I'm seeing the same problem as listed above, but did not see
>>a solution posted. I've included a tcpdump listing of a
>>sample packet below. All packets seem to be null terminated,
>>but do not contain a newline. The sending device is a
>>Netscreen ISG2000 and the receiver is syslog-ng 1.6.3 running
>>on Red Hat Linux Advanced Server release 2.1AS.
>>
>>If the logs are sent from the ISG to a FreeBSD host running
>>standard syslog, and then forwarded from there to the
>>syslog-ng host, a newline is present in the logs on both servers.
>>
>>Any thoughts?
>>Phil
>>
>>11:04:03.044944 IP 10.40.44.3.2148 > 10.224.8.2.syslog: UDP, length 146
>>  0x0000:  00d0 b7a8 8008 0010 db86 5e80 0800 4500  ..........^...E.
>>  0x0010:  00ae 07b9 0000 4011 297a 0a28 2c03 0ae0  ......@.)z.(,...
>>  0x0020:  0802 0864 0202 009a 8108 3c31 3636 3e67  ...d......<166>g
>>  0x0030:  702d 6564 6765 2d66 773a 204e 6574 5363  p-edge-fw:.NetSc
>>  0x0040:  7265 656e 2064 6576 6963 655f 6964 3d67  reen.device_id=g
>>  0x0050:  702d 6564 6765 2d66 7720 205b 526f 6f74  p-edge-fw..[Root
>>  0x0060:  5d73 7973 7465 6d2d 696e 666f 726d 6174  ]system-informat
>>  0x0070:  696f 6e2d 3030 3736 373a 204c 6f63 6b20  ion-00767:.Lock.
>>  0x0080:  636f 6e66 6967 7572 6174 696f 6e20 656e  configuration.en
>>  0x0090:  6465 6420 6279 2074 6173 6b20 7373 682d  ded.by.task.ssh-
>>  0x00a0:  636d 643a 3820 2832 3030 352d 3031 2d30  cmd:8.(2005-01-0
>>  0x00b0:  3420 3131 3a30 343a 3033 2900            4.11:04:03).
>>
>>_______________________________________________
>>syslog-ng maillist - syslog-ng@lists.balabit.hu
>>https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
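Added example, not code from the thread or from syslog-ng: it rebuilds the datagram from the tcpdump hex listing quoted above, confirms that the UDP payload ends in a NUL byte and carries no newline, and shows a receiver-side framing step that treats NUL, CR and LF alike as end-of-message so that each entry lands on its own line whether it came straight from the Netscreen or via the FreeBSD relay. The function names and the strip-on-receipt approach are my own and are not a description of how 1.6.5 fixed the problem.

```python
"""Decode the NetScreen syslog datagram from the quoted tcpdump listing and frame it.

Added example, not from the list thread or from syslog-ng. The hex dump is
copied from the tcpdump output in the quoted message (ASCII column omitted);
the helper names below are assumptions of this example.
"""
import re

# The tcpdump -xX hex lines from the quoted message, ASCII column dropped.
TCPDUMP_HEX = """
0x0000: 00d0 b7a8 8008 0010 db86 5e80 0800 4500
0x0010: 00ae 07b9 0000 4011 297a 0a28 2c03 0ae0
0x0020: 0802 0864 0202 009a 8108 3c31 3636 3e67
0x0030: 702d 6564 6765 2d66 773a 204e 6574 5363
0x0040: 7265 656e 2064 6576 6963 655f 6964 3d67
0x0050: 702d 6564 6765 2d66 7720 205b 526f 6f74
0x0060: 5d73 7973 7465 6d2d 696e 666f 726d 6174
0x0070: 696f 6e2d 3030 3736 373a 204c 6f63 6b20
0x0080: 636f 6e66 6967 7572 6174 696f 6e20 656e
0x0090: 6465 6420 6279 2074 6173 6b20 7373 682d
0x00a0: 636d 643a 3820 2832 3030 352d 3031 2d30
0x00b0: 3420 3131 3a30 343a 3033 2900
"""

ETHERNET_HDR_LEN = 14
UDP_HDR_LEN = 8
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_tcpdump_hex(dump: str) -> bytes:
    """Turn 'offset: hex words' lines back into the raw Ethernet frame."""
    out = bytearray()
    for line in dump.strip().splitlines():
        words = line.split(":", 1)[1]
        out += bytes.fromhex(re.sub(r"\s+", "", words))
    return bytes(out)


def udp_payload(frame: bytes) -> bytes:
    """Strip Ethernet, IPv4 (honouring IHL) and UDP headers; return the syslog datagram."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[ETHERNET_HDR_LEN] & 0x0F) * 4
    udp_start = ETHERNET_HDR_LEN + ihl
    udp_len = int.from_bytes(frame[udp_start + 4:udp_start + 6], "big")
    return frame[udp_start + UDP_HDR_LEN:udp_start + udp_len]


def frame_message(datagram: bytes):
    """Normalise one datagram into (facility, severity, text).

    Trailing NUL, CR and LF are all treated as end-of-message, so a sender that
    NUL-terminates (the Netscreen here) and one that newline-terminates (the
    FreeBSD relay mentioned in the thread) both yield one clean line.
    """
    body = datagram.rstrip(b"\x00\r\n")
    m = PRI_RE.match(body)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # RFC 3164 allows facility 0-23, severity 0-7
        raise ValueError("PRI out of range")
    text = body[m.end():].decode("ascii", errors="replace")
    return pri >> 3, pri & 7, text


def to_log_lines(datagrams) -> str:
    """Emit one line per datagram, which is what a file destination must guarantee."""
    return "".join(frame_message(d)[2] + "\n" for d in datagrams)


if __name__ == "__main__":
    payload = udp_payload(parse_tcpdump_hex(TCPDUMP_HEX))
    print("payload length:", len(payload))
    print("last byte: %#x, newline present: %s" % (payload[-1], b"\n" in payload))
    print(to_log_lines([payload, payload]), end="")
```

Running it shows the 146-byte payload ending in 0x00 with no newline; the two copies written by to_log_lines come out on separate lines instead of running together as described in the thread.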