
List:       syslog-ng
Subject:    [syslog-ng] [Bug 40] New: Cisco ASA format is not understood
From:       bugzilla () www ! balabit ! com
Date:       2009-03-20 11:26:03
Message-ID: bug-40-3 () https ! bugzilla ! balabit ! com/

https://bugzilla.balabit.com/show_bug.cgi?id=40

           Summary: Cisco ASA format is not understood
           Product: syslog-ng
           Version: 3.0.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi@balabit.hu
        ReportedBy: vincent.panel@telindus.be
Type of the Report: ---
   Estimated Hours: 0.0


Syslog-ng receives messages like this from Cisco ASA devices:

<PRI>MM DD YYYY HH:mm:ss HOSTNAME %MSGID: CONTENT

The "YYYY" part does not conform to the BSD-style syslog timestamp: it shouldn't exist.
Unfortunately, it can't be changed on the ASA side. Syslog-ng does not see any header
in this message and thinks "MM" is the process sending the message, hence adds ":"
behind it. Additionally, syslog-ng prepends its own header, which leads to a total
mess in the destination syslog...

On the other hand, syslog-ng also receives messages from another Cisco device (FWSM)
like this:

<PRI>MM DD YYYY HH:mm:ss %MSGID: CONTENT

Note the hostname is not specified. And this format is well understood by syslog-ng
(no prepended header, no ":" after the month)!

I've also read here:
http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch02s17.html#bsdsyslog_header
that syslog-ng should be able to understand "PIX extended format", but I can't find
anywhere in the documentation or on the internet what it refers to...

So would it be possible to make sure the first format is well understood by syslog-ng?

Regards,

Vincent Panel


-- 
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
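
The three header shapes described in the report above, handled by one tolerant parser. This is an added example, not part of the original message and not syslog-ng's own code; the sample lines, the hostnames and the `default_year` fallback are constructed assumptions.

```python
import re
from datetime import datetime

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# <PRI>Mon DD [YYYY] HH:MM:SS rest   (the year is the non-BSD Cisco extension)
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?:(?P<year>\d{4}) )?(?P<time>\d{2}):(?P<min>\d{2}):(?P<sec>\d{2}) "
    r"(?P<rest>.*)$"
)

def parse(line, default_year=2009):
    """Return a dict for a recognized header, or None so the caller keeps the raw line."""
    m = HEADER.match(line)
    if m is None or int(m["pri"]) > 191:      # PRI = facility*8 + severity, max 23*8+7
        return None
    year = int(m["year"]) if m["year"] else default_year  # BSD header carries no year
    try:
        ts = datetime(year, MONTHS.index(m["mon"]) + 1, int(m["day"]),
                      int(m["time"]), int(m["min"]), int(m["sec"]))
    except ValueError:                        # unknown month or impossible date/time
        return None
    rest = m["rest"]
    if rest.startswith("%"):                  # FWSM shape: %MSGID follows the timestamp
        host, msg = None, rest
    else:                                     # ASA and BSD shapes: HOSTNAME comes first
        host, _, msg = rest.partition(" ")
    pri = int(m["pri"])
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": ts,
            "year_in_header": m["year"] is not None, "host": host, "message": msg}

# Constructed sample lines, one per shape discussed in the report.
ASA = "<166>Mar 20 2009 11:26:03 asa-example %ASA-6-000000: constructed sample content"
FWSM = "<166>Mar 20 2009 11:26:03 %FWSM-6-000000: constructed sample content"
BSD = "<38>Mar 20 11:26:03 host-example sshd[411]: constructed sample content"

if __name__ == "__main__":
    for sample in (ASA, FWSM, BSD):
        print(parse(sample))
```

Returning `None` instead of guessing lets a collector store an unparsed line verbatim, so a misread month is never recorded as a program name.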

