Back to your phpLogCon instanceProblem with netscreen log
Moderator: rgerhards
28 posts • Page 2 of 2 • 1, 2
Re: Problem with netscreen log
by rgerhards » Tue Dec 02, 2008 2:14 pm
oh, and one thing: This can not be included in the official build, at least not without configuration (which is far more trivial) because it would break valid implementations in favor of the invalid NetScreen implementation. Definitely not something I'd like to do.
-
rgerhards - Site Admin
- Posts: 2196
- Joined: Thu Feb 13, 2003 11:57 am
Professional Services Information
- Custom written rsyslog.conf?
- Maintenance Contract?
- Installation support?
Re: Problem with netscreen log
by arv » Tue Dec 02, 2008 2:17 pm
rgerhards wrote:Well, I doubt it works, but why not give it a try? Please report the results back. In any case, that is not a really clean solution. I think this thread has a lot of information why it is not.
It seems to be working. Rsyslog compiles. Messages are splitted corectly.
Question is if it would break something elese.
I haven't got enough time to read whole sources.
I've got no Cisco's to test it's logs against my patch.
Arv.
- arv
- Avarage
- Posts: 12
- Joined: Tue Sep 30, 2008 11:25 am
Re: Problem with netscreen log
by arv » Tue Dec 02, 2008 2:20 pm
rgerhards wrote:oh, and one thing: This can not be included in the official build, at least not without configuration (which is far more trivial) because it would break valid implementations in favor of the invalid NetScreen implementation. Definitely not something I'd like to do.
I perfectly undestand that. However I wonder why '\n' is valid
.- arv
- Avarage
- Posts: 12
- Joined: Tue Sep 30, 2008 11:25 am
Re: Problem with netscreen log
by rgerhards » Tue Dec 02, 2008 2:20 pm
The Cisco patch is far different. There is NO frame terminator at all with Cisco IOS (so it is even more broken then NetScreen). I'll see if there is any side-effect and if I don't spot anything specific, I'll add a config switch (like $DumbNetScreenFraming on ) and whoever enables it must live with any problem that may arise. Sounds indeed like an easy to do thing.
) and whoever enables it must live with any problem that may arise. Sounds indeed like an easy to do thing.-
rgerhards - Site Admin
- Posts: 2196
- Joined: Thu Feb 13, 2003 11:57 am
Re: Problem with netscreen log
by rgerhards » Tue Dec 02, 2008 2:21 pm
arv wrote:rgerhards wrote:oh, and one thing: This can not be included in the official build, at least not without configuration (which is far more trivial) because it would break valid implementations in favor of the invalid NetScreen implementation. Definitely not something I'd like to do.
I perfectly undestand that. However I wonder why '\n' is valid
As always in industry-standards: because everyone (but a few) does it. If you would like to argue based on standards, one may say that RFC 3195 specifies \n as the record terminator in case no other framing is used.
-
rgerhards - Site Admin
- Posts: 2196
- Joined: Thu Feb 13, 2003 11:57 am
Re: Problem with netscreen log
by rgerhards » Wed Dec 10, 2008 2:29 pm
I have now created an "official" patch for this problem. It brings a new directive, from the manual:
The directive was introduced with another, unrelated, new directive (same code base needed to be touched). The patch is available at
http://git.adiscon.com/?p=rsyslog.git;a ... 219eb97a9b
and will be included in 4.3.1, to be released soon. Feedback would be appreciated.
Rainer
rsyslog manual wrote:$InputTCPServerAddtlFrameDelimiter <Delimiter>
This directive permits to specify an additional frame delimiter for plain tcp syslog.
The industry-standard specifies using the LF character as frame delimiter. Some vendors,
notable Juniper in their NetScreen products, use an invalid frame delimiter, in Juniper's
case the NUL character. This directive permits to specify the ASCII value of the delimiter
in question. Please note that this does not guarantee that all wrong implementations can
be cured with this directive. It is not even a sure fix with all versions of NetScreen,
as I suggest the NUL character is the effect of a (common) coding error and thus will
probably go away at some time in the future. But for the time being, the value 0 can
probably be used to make rsyslog handle NetScreen's invalid syslog/tcp framing.
If this doesn't work for you, please do not blame the rsyslog team. Instead file
a bug report with Juniper!
The directive was introduced with another, unrelated, new directive (same code base needed to be touched). The patch is available at
http://git.adiscon.com/?p=rsyslog.git;a ... 219eb97a9b
and will be included in 4.3.1, to be released soon. Feedback would be appreciated.
Rainer
-
rgerhards - Site Admin
- Posts: 2196
- Joined: Thu Feb 13, 2003 11:57 am
Re: Problem with netscreen log
by cosmih » Tue Jun 23, 2009 11:37 am
Hi,
I tried to use the "$InputTCPServerAddtlFrameDelimiter NUL" option into 4.1.7, 4.2.0, 4.3.1 rsyslog version but i have received only error like this
rsyslogd-2010: invalid number [try http://www.rsyslog.com/e/2010 ]
the last error occured in /etc/rsyslog/rsyslog.conf, line 76 (this is the line containing the option from abve)
rsyslogd-2123: CONFIG ERROR: could not interpret master config file '/etc/rsyslog/rsyslog.conf'. [try http://www.rsyslog.com/e/2123 ]
my rsyslog.conf is somethink like this:
I would appreciate some help on this issue because I have several Juniper SSG devices who send the syslog events to a central rsyslog server and UDP transport is not an option.
Thanks,
--
Cosmih
I tried to use the "$InputTCPServerAddtlFrameDelimiter NUL" option into 4.1.7, 4.2.0, 4.3.1 rsyslog version but i have received only error like this
rsyslogd-2010: invalid number [try http://www.rsyslog.com/e/2010 ]
the last error occured in /etc/rsyslog/rsyslog.conf, line 76 (this is the line containing the option from abve)
rsyslogd-2123: CONFIG ERROR: could not interpret master config file '/etc/rsyslog/rsyslog.conf'. [try http://www.rsyslog.com/e/2123 ]
my rsyslog.conf is somethink like this:
$ModLoad immark.so
$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad ommysql.so
$ModLoad imtcp.so
$ModLoad imfile.so
$MarkMessagePeriod 43200
$ActionOmmysqlServerPort 5151
$template format-syslog-ng,"INSERT INTO loguri_%fromhost% (host, facility, priority, tag, date, time, program, message) VALUES ('%fromhost%', '%syslogfacility-text%', '%syslogseverity-text%', '%syslogtag%', '%timereported:::date-mysql%', '%timereported:::date-mysql%', '%programname%', '%msg%')", sql
$InputFileName /var/log/audit/audit.log
$InputFileTag auditd:
$InputFileStateFile audit_log
$InputFileSeverity alert
$InputFileFacility kern
$InputRunFileMonitor
$InputFileName /var/log/bash_history/root_history
$InputFileTag root_bash:
$InputFileStateFile root_bash_log
$InputFileSeverity notice
$InputFileFacility user
$InputRunFileMonitor
$InputFileName /var/log/bash_history/user1_history
$InputFileTag user1_bash:
$InputFileStateFile user1_bash_log
$InputFileSeverity notice
$InputFileFacility user
$InputRunFileMonitor
$InputFileName /var/log/bash_history/user2_history
$InputFileTag user2_bash:
$InputFileStateFile user2_bash_log
$InputFileSeverity notice
$InputFileFacility user
$InputRunFileMonitor
$InputFileName /var/log/bash_history/user3_history
$InputFileTag user3_bash:
$InputFileStateFile user3_bash_log
$InputFileSeverity notice
$InputFileFacility user
$InputRunFileMonitor
$InputFileName /var/log/bash_history/user4_history
$InputFileTag user4_bash:
$InputFileStateFile user4_bash_log
$InputFileSeverity notice
$InputFileFacility user
$InputRunFileMonitor
$InputFilePollInterval 10
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName dbq
$ActionResumeRetryCount -1
local7.* /var/log/boot.log;RSYSLOG_FileFormat
mail.* -/var/log/mail/current;RSYSLOG_FileFormat
*.*;mail,news.none >127.0.0.1,rsyslog_db,rsyslog_user,rsyslog_user_pass;format-syslog-ng
*.*;mail,news,cron,local7.none;local6.!info -/var/log/everything/current
$DefaultNetstreamDriver ptcp
$InputTCPServerStreamDriverMode 0
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerAddtlFrameDelimiter NUL
$InputTCPServerRun 514
$AllowedSender TCP, IP1, IP2, IP3, ... , IP15
I would appreciate some help on this issue because I have several Juniper SSG devices who send the syslog events to a central rsyslog server and UDP transport is not an option.
Thanks,
--
Cosmih
- cosmih
- New
- Posts: 3
- Joined: Tue Jun 23, 2009 11:18 am
Re: Problem with netscreen log
by rgerhards » Tue Jun 23, 2009 11:41 am
I think symbolic names are not supported, so use
$InputTCPServerAddtlFrameDelimiter 0
$InputTCPServerAddtlFrameDelimiter 0
-
rgerhards - Site Admin
- Posts: 2196
- Joined: Thu Feb 13, 2003 11:57 am
Re: Problem with netscreen log
by cosmih » Tue Jun 23, 2009 1:48 pm
I will try it.
However the syslog messages received from the Juniper device are looking like the following (one line):
Are you think that "$InputTCPServerAddtlFrameDelimiter 0" can help me to split the syslog messages?
Thanks,
--
Cosmih
I think symbolic names are not supported, so use
$InputTCPServerAddtlFrameDelimiter 0
However the syslog messages received from the Juniper device are looking like the following (one line):
(2009-06-23 13:46:54)#000<133>fw1.border: NetScreen device_id=fw1.border [Root]system-notification-00531: The system clock was updated from primary NTP server type AAA.BBB.CCC.DDD with an adjustment of 917 ms. Authentication was None. Update mode was Automatic (2009-06-23 13:56:55)#000<133>fw1.border: NetScreen device_id=fw1.border [Root]system-notification-00531: The system clock was updated from primary NTP server type AAA.BBB.CCC.DDD with an adjustment of -78 ms. Authentication was None. Update mode was Automatic
Are you think that "$InputTCPServerAddtlFrameDelimiter 0" can help me to split the syslog messages?
Thanks,
--
Cosmih
- cosmih
- New
- Posts: 3
- Joined: Tue Jun 23, 2009 11:18 am
Re: Problem with netscreen log
by cosmih » Tue Jun 23, 2009 2:39 pm
rgerhards wrote:yes
It works.
Keep the good work going !!!
Thanks,
--
Cosmih
- cosmih
- New
- Posts: 3
- Joined: Tue Jun 23, 2009 11:18 am
Google Ads
28 posts • Page 2 of 2 • 1, 2
Who is online
Users browsing this forum: No registered users and 0 guests
