Message format

Everything which is related to the installation of phpLogCon.

Postby faetterguf on Wed Aug 20, 2008 9:07 am

Hi,

I am not sure which forum this is supposed to be in, so here it goes. I am getting syslog messages from some Zyxel firewalls, which are captured by an RHEL box with regular syslog on. The problem is that the format is a little different, but seems to be within what is allowed.

A few examples can be seen here below.

Aug 20 08:56:12 172.16.255.250 vpn src="172.16.255.253" dst="192.168.1.5" msg="Unsupported/out-of-order ICMP: ICMP(Port Unreachable)" note="ACCESS DROPPED" devID="00A0C58E7C0A" cat="ICMP"
Aug 20 15:56:17 192.168.215.254 FWSHA src="60.217.224.233:6000" dst="x.x.x.x:1433" msg="Firewall default policy: TCP (W to W/ZW)" note="ACCESS DROPPED" devID="00A0C5E9B028" cat="Access Control"

You seem to be expecting this, with a ":":
Aug 20 15:56:17 192.168.215.254 FWSHA: src="60.217.224.233:6000" dst="x.x.x.x:1433" msg="Firewall default policy: TCP (W to W/ZW)" note="ACCESS DROPPED" devID="00A0C5E9B028" cat="Access Control"

From RFC 3164 - 4.1.3 MSG Part of a syslog Packet, it seems like the format is okay, with a space character starting the content field instead of a colon, which you seem to be breaking the 2 fields on. You can see what I mean in the attached screenshot.

What can I do?

Brgds
Mathias
Attachments
syslog-screen.JPG: screenshot to see the wrong break.
faetterguf
New
Posts: 7
Joined: Tue Aug 05, 2008 2:39 pm

Re: Message format

Postby alorbach on Mon Aug 25, 2008 1:12 pm

Hi Mathias,

thanks for the sample loglines.
I will look into this, and perhaps change the regex rules for the message format parsing, so that these loglines will be correctly parsed as well.

best regards,
Andre Lorbach
alorbach
Site Admin
Posts: 921
Joined: Thu Feb 13, 2003 11:55 am

Re: Message format

Postby alorbach on Wed Aug 27, 2008 12:17 pm

Hi again,

I have located the problem and fixed it in the regex rules of the syslog message parser.
The next minor update will contain the fix.

best regards,
Andre Lorbach
alorbach
Site Admin
Posts: 921
Joined: Thu Feb 13, 2003 11:55 am

Re: Message format

Postby faetterguf on Wed Aug 27, 2008 3:58 pm

Hi Andre,

Good to hear, looking forward to the update. As soon as I have updated the server I will let you know if it turned out alright :)

Brgds
Mathias
faetterguf
New
Posts: 7
Joined: Tue Aug 05, 2008 2:39 pm

Re: Message format

Postby alorbach on Wed Aug 27, 2008 4:08 pm

If you are using the 2.3.x Beta branch, you can get the update already from here:
http://www.phplogcon.org/downloads

I will release an upgraded version of the devel branch tomorrow along with other new changes.

best regards,
Andre Lorbach
alorbach
Site Admin
Posts: 921
Joined: Thu Feb 13, 2003 11:55 am

Re: Message format

Postby alorbach on Thu Aug 28, 2008 2:08 pm

FYI, the fix has also been added into the dev branch and released in v2.5.5, available for download here:
http://www.phplogcon.org/downloads
alorbach
Site Admin
Posts: 921
Joined: Thu Feb 13, 2003 11:55 am

Re: Message format

Postby faetterguf on Wed Sep 03, 2008 3:29 pm

Hi Andre,

First, sorry for the long reply time.

I have updated with the newest, this means 2.3.10, 2.5.5 and 2.5.6, and the problem has changed now. It seems that you now just take it all for the content part of the message field and parse nothing into the tag field.

The syslog message format is the same as to begin with. I have uploaded two screenshots, one which shows how it is now, and one where I show what I believe it should be, with "FWSHA" in the syslogtag field, and the content field (your message field) starting with "src=....".

Perhaps I have read the RFC wrong, but I believe that this is the correct way, since it says that the message field of a syslog message is divided into 2 parts, one "tag" and one "content". These are divided with a non-alphanumeric character, e.g. "[", ":" or " ", which should be the first part of the content field. By these rules I think I am right, but perhaps there is something hidden somewhere in the RFC I don't know about. I have only read a little of it.

Brgds
Mathias
Attachments
phplogcon-2.JPG: as I believe it should be.
phplogcon-1.JPG: as it is now.
faetterguf
New
Posts: 7
Joined: Tue Aug 05, 2008 2:39 pm

Re: Message format

Postby alorbach on Wed Sep 03, 2008 3:38 pm

Hi Mathias,

can you send me the raw syslog messages of those which are in your last screenshots?
Then I can debug against exactly these syslog messages.

best regards,
Andre Lorbach
alorbach
Site Admin
Posts: 921
Joined: Thu Feb 13, 2003 11:55 am

Re: Message format

Postby faetterguf on Thu Sep 04, 2008 10:32 am

Hi Andre,

I have pasted in a few lines here below. If you need more, send me an email, since I can't attach them to this message.

Brgds
Mathias

Sep 4 15:32:15 192.168.215.254 FWSHA src="222.73.37.12:6000" dst="222.66.143.18:135" msg="Firewall default policy: TCP (W to W/ZW)" note="ACCESS DROPPED" devID="00A0C5E9B028" cat="Access Control"
Sep 4 15:36:39 192.168.215.254 FWSHA src="125.65.111.74:6000" dst="222.66.143.18:1433" msg="Firewall default policy: TCP (W to W/ZW)" note="ACCESS DROPPED" devID="00A0C5E9B028" cat="Access Control"
Sep 4 15:36:58 192.168.215.254 FWSHA src="222.66.23.3:25673" dst="222.66.143.18:135" msg="Firewall default policy: TCP (W to W/ZW)" note="ACCESS DROPPED" devID="00A0C5E9B028" cat="Access Control"
Sep 4 15:37:05 192.168.215.254 FWSHA src="222.66.126.139:1964" dst="222.66.143.18:135" msg="Firewall default policy: TCP (W to W/ZW)" note="ACCESS DROPPED" devID="00A0C5E9B028" cat="Access Control"
Sep 4 15:39:32 192.168.215.254 FWSHA src="0.0.0.0" dst="224.0.0.1" msg="Unsupported/out-of-order ICMP: ICMP(Normal router advertisement)" note="ACCESS DROPPED" devID="00A0C5E9B028" cat="ICMP"
Sep 4 15:39:40 192.168.215.254 FWSHA src="222.66.23.3:20058" dst="222.66.143.18:135" msg="Firewall default policy: TCP (W to W/ZW)" note="ACCESS DROPPED" devID="00A0C5E9B028" cat="Access Control"
faetterguf
New
Posts: 7
Joined: Tue Aug 05, 2008 2:39 pm

Re: Message format

Postby alorbach on Thu Sep 04, 2008 2:13 pm

Hi Mathias,

RFC 3164 is anything but clear ;) about how the syslog TAG has to be terminated.
I will look into the regex rules, and try to get these messages correctly split as well. I will let you know when a new version is ready.

best regards,
Andre Lorbach
alorbach
Site Admin
Posts: 921
Joined: Thu Feb 13, 2003 11:55 am

Re: Message format

Postby alorbach on Mon Sep 08, 2008 11:45 am

Mathias,

it took a little longer because I had to finish other changes in the devel build first which will be released in a few days.
I have created a minor update for the beta branch which contains another fix in the message parser.

Your sample loglines are correctly split now in my environment. If you could try this version now at your end, this would be great :)
Download can be found here: http://www.phplogcon.org/downloads

The next update of the devel branch will contain this fix as well.

best regards,
Andre Lorbach
alorbach
Site Admin
Posts: 921
Joined: Thu Feb 13, 2003 11:55 am

Re: Message format

Postby faetterguf on Tue Sep 09, 2008 11:06 am

Hi Andre,

From my point of view it looks good. The only minor thing (which I personally don't care about - and which perhaps is right) is that "last message repeated x times" now breaks funny, but I guess it should, according to the RFC.

But I am very happy now, thank you very much for your assistance. I will return if I find more things :D

Have a nice day.

Brgds
Mathias
Attachments
phplogcon_example.JPG: "last message repeated x times" now looks funny, though it probably is right.
faetterguf
New
Posts: 7
Joined: Tue Aug 05, 2008 2:39 pm

Re: Message format

Postby alorbach on Thu Sep 11, 2008 10:12 am

Yes, this is the side effect: some messages are going to break down but shouldn't. But I think this is acceptable in this case ;)
Let me know if you find other things :)

best regards,
Andre Lorbach
alorbach
Site Admin
Posts: 921
Joined: Thu Feb 13, 2003 11:55 am

Re: Message format

Postby rgerhards on Thu Sep 11, 2008 10:17 am

It may be worth adding an exception for messages starting with "Last message repeated". They tend to be horribly unformatted, but at least in a consistent way.

As a side note, I would strongly suggest making sure the syslogd logs every message if you run phpLogCon against the log. The reason is that "last message repeated n lines" cannot be interpreted by any analyzer I know (including phpLogCon) and thus reduces the overall utility of analyzers.

Rainer
rgerhards
Site Admin
Posts: 1780
Joined: Thu Feb 13, 2003 11:57 am
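The two parsing points argued over in this thread, Mathias' reading of RFC 3164 4.1.3 (the TAG ends at the first non-alphanumeric character, which then belongs to CONTENT, so "FWSHA src=..." and "FWSHA: src=..." must split the same way) and Rainer's suggested exception for "last message repeated" lines, as an added example in Python. This is not phpLogCon's own parser or its regex rules. The sample lines are constructed after the Zyxel messages quoted above; the sshd line, the key="value" extraction and the handling of the repeat marker are my assumptions, not anything the project does.

```python
import re
from typing import Optional

# Constructed sample input: modelled on the Zyxel lines quoted in the thread,
# plus a colon-terminated variant, a syslogd repeat marker and a PID-tagged
# sshd line, to show that one rule covers all of them.
SAMPLE_LINES = [
    'Sep 4 15:32:15 192.168.215.254 FWSHA src="222.73.37.12:6000" dst="222.66.143.18:135" '
    'msg="Firewall default policy: TCP (W to W/ZW)" note="ACCESS DROPPED" '
    'devID="00A0C5E9B028" cat="Access Control"',
    'Aug 20 15:56:17 192.168.215.254 FWSHA: src="60.217.224.233:6000" dst="x.x.x.x:1433" '
    'msg="Firewall default policy: TCP (W to W/ZW)" note="ACCESS DROPPED" '
    'devID="00A0C5E9B028" cat="Access Control"',
    'Sep 4 15:39:32 192.168.215.254 FWSHA src="0.0.0.0" dst="224.0.0.1" '
    'msg="Unsupported/out-of-order ICMP: ICMP(Normal router advertisement)" '
    'note="ACCESS DROPPED" devID="00A0C5E9B028" cat="ICMP"',
    'Sep 4 15:40:01 192.168.215.254 last message repeated 3 times',
    'Sep 4 15:41:07 192.168.215.254 sshd[1234]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2',
]

# HEADER (RFC 3164 4.1.2): optional <PRI>, TIMESTAMP "Mmm dd hh:mm:ss", HOSTNAME.
# The day is space-padded on the wire, but the collector in the thread wrote
# "Sep 4", so one or two spaces are accepted. Everything after the host is MSG.
HEADER_RE = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?'
    r'(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) '
    r'(?P<msg>.*)$'
)

# MSG (RFC 3164 4.1.3): TAG is 1..32 alphanumerics and ends at the first
# non-alphanumeric character, which belongs to CONTENT. So "FWSHA src=..." and
# "FWSHA: src=..." both yield TAG "FWSHA"; only the first byte of CONTENT differs.
TAG_RE = re.compile(r'^(?P<tag>[A-Za-z0-9]{1,32})(?P<content>[^A-Za-z0-9].*)?$')

# syslogd's duplicate-suppression marker has no TAG at all; applying TAG_RE to it
# would give TAG "last" and CONTENT " message repeated ...", the "funny break"
# noted in the thread. It is recognised before the TAG rule as a special case.
REPEAT_RE = re.compile(r'^last message repeated (?P<n>\d+) times?$', re.IGNORECASE)

# Zyxel-style key="value" pairs; a value may contain ':', '(' or spaces.
KV_RE = re.compile(r'(?P<k>[A-Za-z0-9_]+)="(?P<v>[^"]*)"')


def split_tag(msg: str):
    """Return (tag, content, repeat_count) for the MSG part of a line."""
    m = REPEAT_RE.match(msg.strip())
    if m:
        return None, msg, int(m.group('n'))
    m = TAG_RE.match(msg)
    if not m:
        # MSG starts with a non-alphanumeric or has an over-long TAG: no TAG.
        return None, msg, None
    return m.group('tag'), m.group('content') or '', None


def parse_line(line: str) -> Optional[dict]:
    """Parse one BSD-syslog text line into its RFC 3164 parts plus key="value" fields."""
    m = HEADER_RE.match(line.rstrip('\r\n'))
    if not m:
        return None
    tag, content, repeated = split_tag(m.group('msg'))
    return {
        'pri': int(m.group('pri')) if m.group('pri') else None,
        'timestamp': m.group('ts'),
        'host': m.group('host'),
        'tag': tag,
        'content': content,
        'repeated': repeated,
        'fields': {k: v for k, v in KV_RE.findall(content)},
    }


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        r = parse_line(line)
        print(f"{r['host']:16} tag={r['tag']!r:10} repeated={r['repeated']!r:5} "
              f"content={r['content'][:40]!r} fields={sorted(r['fields'])}")
```

The separator stays at the front of the content, as the RFC describes it; a viewer that wants "src=..." displayed cleanly strips it at presentation time rather than in the parser. On the collector side the repeat marker only exists when syslogd's repeated-message reduction is enabled (rsyslog exposes this as the $RepeatedMsgReduction directive); switching it off, as Rainer suggests, means every event reaches the analyzer and the special case above never fires.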
