Syslog-ng loggen

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












Here's the situation:



I have syslog-ng version 3.15. I've noticed that when using TLS and non-TLS transmission, the logs are different.



I have noticed that, when sending logs using the loggen -i (non-TLS, old RFC3164 format) command, I receive the following messages:



Jun 26 18:19:39 localhost prg00000[1234]: seq: 0000000000, thread: 0000, runid: 1530026379, stamp: 2018-06-26T18:19:39 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD


When using the loggen -i -P (non-TLS, newer RFC5424 format) command the messages look like this:



Jun 26 18:19:28 192.168.1.10 256 <38>1 2018-06-26T18:19:26+03:00 localhost prg00000 1234 - - <U+FEFF>seq: 0000000000, thread: 0000, runid: 1530026366, stamp: 2018-06-26T18:19:26 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPAD


When using the TLS loggen -i -U (TLS, old RFC3164 format) command it's not working:



[root@localhost ~]# loggen -i -U 192.168.1.7 6514
Send error Connection reset by peer, results may be skewed.
average rate = 606.59 msg/sec, count=7, time=0.011, (average) msg size=256, bandwidth=151.56 kB/sec


When using the TLS loggen -i -P -U (TLS, newer RFC5424 format) command the logs look like this:



Jun 26 18:19:13 localhost prg00000[1234]: seq: 0000000000, thread: 0000, runid: 1530026353, stamp: 2018-06-26T18:19:13 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPAD


I know the $HOST macro uses the second column to split the logs by host. Having localhost in the second column when using TLS instead of the IP-address can be frustrating when switching between TLS and non-TLS. Can this situation be avoided somehow?







share|improve this question

















  • 1




    You need to make it clear what situation that is. This question is largely inpenetrable to readers. I know what you are getting at and even I had to read the question twice.
    – JdeBP
    Jun 26 at 23:48














up vote
0
down vote

favorite












Here's the situation:



I have syslog-ng version 3.15. I've noticed that when using TLS and non-TLS transmission, the logs are different.



I have noticed that, when sending logs using the loggen -i (non-TLS, old RFC3164 format) command, I receive the following messages:



Jun 26 18:19:39 localhost prg00000[1234]: seq: 0000000000, thread: 0000, runid: 1530026379, stamp: 2018-06-26T18:19:39 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD


When using the loggen -i -P (non-TLS, newer RFC5424 format) command the messages look like this:



Jun 26 18:19:28 192.168.1.10 256 <38>1 2018-06-26T18:19:26+03:00 localhost prg00000 1234 - - <U+FEFF>seq: 0000000000, thread: 0000, runid: 1530026366, stamp: 2018-06-26T18:19:26 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPAD


When using the TLS loggen -i -U (TLS, old RFC3164 format) command it's not working:



[root@localhost ~]# loggen -i -U 192.168.1.7 6514
Send error Connection reset by peer, results may be skewed.
average rate = 606.59 msg/sec, count=7, time=0.011, (average) msg size=256, bandwidth=151.56 kB/sec


When using the TLS loggen -i -P -U (TLS, newer RFC5424 format) command the logs look like this:



Jun 26 18:19:13 localhost prg00000[1234]: seq: 0000000000, thread: 0000, runid: 1530026353, stamp: 2018-06-26T18:19:13 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPAD


I know the $HOST macro uses the second column to split the logs by host. Having localhost in the second column when using TLS instead of the IP-address can be frustrating when switching between TLS and non-TLS. Can this situation be avoided somehow?







share|improve this question

















  • 1




    You need to make it clear what situation that is. This question is largely inpenetrable to readers. I know what you are getting at and even I had to read the question twice.
    – JdeBP
    Jun 26 at 23:48












up vote
0
down vote

favorite









up vote
0
down vote

favorite











Here's the situation:



I have syslog-ng version 3.15. I've noticed that when using TLS and non-TLS transmission, the logs are different.



I have noticed that, when sending logs using the loggen -i (non-TLS, old RFC3164 format) command, I receive the following messages:



Jun 26 18:19:39 localhost prg00000[1234]: seq: 0000000000, thread: 0000, runid: 1530026379, stamp: 2018-06-26T18:19:39 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD


When using the loggen -i -P (non-TLS, newer RFC5424 format) command the messages look like this:



Jun 26 18:19:28 192.168.1.10 256 <38>1 2018-06-26T18:19:26+03:00 localhost prg00000 1234 - - <U+FEFF>seq: 0000000000, thread: 0000, runid: 1530026366, stamp: 2018-06-26T18:19:26 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPAD


When using the TLS loggen -i -U (TLS, old RFC3164 format) command it's not working:



[root@localhost ~]# loggen -i -U 192.168.1.7 6514
Send error Connection reset by peer, results may be skewed.
average rate = 606.59 msg/sec, count=7, time=0.011, (average) msg size=256, bandwidth=151.56 kB/sec


When using the TLS loggen -i -P -U (TLS, newer RFC5424 format) command the logs look like this:



Jun 26 18:19:13 localhost prg00000[1234]: seq: 0000000000, thread: 0000, runid: 1530026353, stamp: 2018-06-26T18:19:13 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPAD


I know the $HOST macro uses the second column to split the logs by host. Having localhost in the second column when using TLS instead of the IP-address can be frustrating when switching between TLS and non-TLS. Can this situation be avoided somehow?







share|improve this question













Here's the situation:



I have syslog-ng version 3.15. I've noticed that when using TLS and non-TLS transmission, the logs are different.



I have noticed that, when sending logs using the loggen -i (non-TLS, old RFC3164 format) command, I receive the following messages:



Jun 26 18:19:39 localhost prg00000[1234]: seq: 0000000000, thread: 0000, runid: 1530026379, stamp: 2018-06-26T18:19:39 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD


When using the loggen -i -P (non-TLS, newer RFC5424 format) command the messages look like this:



Jun 26 18:19:28 192.168.1.10 256 <38>1 2018-06-26T18:19:26+03:00 localhost prg00000 1234 - - <U+FEFF>seq: 0000000000, thread: 0000, runid: 1530026366, stamp: 2018-06-26T18:19:26 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPAD


When using the TLS loggen -i -U (TLS, old RFC3164 format) command it's not working:



[root@localhost ~]# loggen -i -U 192.168.1.7 6514
Send error Connection reset by peer, results may be skewed.
average rate = 606.59 msg/sec, count=7, time=0.011, (average) msg size=256, bandwidth=151.56 kB/sec


When using the TLS loggen -i -P -U (TLS, newer RFC5424 format) command the logs look like this:



Jun 26 18:19:13 localhost prg00000[1234]: seq: 0000000000, thread: 0000, runid: 1530026353, stamp: 2018-06-26T18:19:13 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPAD


I know the $HOST macro uses the second column to split the logs by host. Having localhost in the second column when using TLS instead of the IP-address can be frustrating when switching between TLS and non-TLS. Can this situation be avoided somehow?









share|improve this question












share|improve this question




share|improve this question








edited Jun 27 at 11:48









JdeBP

27.9k459133




27.9k459133









asked Jun 26 at 15:37









Aiurea Adica tot YO

14




14







  • 1




    You need to make it clear what situation that is. This question is largely inpenetrable to readers. I know what you are getting at and even I had to read the question twice.
    – JdeBP
    Jun 26 at 23:48












  • 1




    You need to make it clear what situation that is. This question is largely inpenetrable to readers. I know what you are getting at and even I had to read the question twice.
    – JdeBP
    Jun 26 at 23:48







1




1




You need to make it clear what situation that is. This question is largely inpenetrable to readers. I know what you are getting at and even I had to read the question twice.
– JdeBP
Jun 26 at 23:48




You need to make it clear what situation that is. This question is largely inpenetrable to readers. I know what you are getting at and even I had to read the question twice.
– JdeBP
Jun 26 at 23:48










1 Answer
1






active

oldest

votes

















up vote
0
down vote



accepted










I found out that the problem is framing. syslog() driver in syslog-ng and loggen as well sends RFC5424 formatted messages with framing: message length + msg
E.g.
"256 <13>1 2018-07-09T16:23:25+02:00 localhost ...."
tcp() or network() driver on the other hand does not expect framing, although it can parse RFC5424 formatted messages(when flags(syslog-protocol) option is used).



The solution is to disable framing in loggen (use the "-F" option of loggen) and use "flags(syslog-protocol)" option in your network() source.



However this only solves your problem with loggen, if your log source sends its log messages with framing it will cause the same problem with your tcp() source driver.



Using syslog() source driver would handle (and expect!) framing from loggen or syslog().



Btw let me inform you, that the tcp(), upd() drivers are obsolete and it is recommended to use the newer network() driver as per syslog-ng's documentation.






share|improve this answer





















    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );








     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f452042%2fsyslog-ng-loggen%23new-answer', 'question_page');

    );

    Post as a guest






























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    0
    down vote



    accepted










    I found out that the problem is framing. syslog() driver in syslog-ng and loggen as well sends RFC5424 formatted messages with framing: message length + msg
    E.g.
    "256 <13>1 2018-07-09T16:23:25+02:00 localhost ...."
    tcp() or network() driver on the other hand does not expect framing, although it can parse RFC5424 formatted messages(when flags(syslog-protocol) option is used).



    The solution is to disable framing in loggen (use the "-F" option of loggen) and use "flags(syslog-protocol)" option in your network() source.



    However this only solves your problem with loggen, if your log source sends its log messages with framing it will cause the same problem with your tcp() source driver.



    Using syslog() source driver would handle (and expect!) framing from loggen or syslog().



    Btw let me inform you, that the tcp(), upd() drivers are obsolete and it is recommended to use the newer network() driver as per syslog-ng's documentation.






    share|improve this answer

























      up vote
      0
      down vote



      accepted










      I found out that the problem is framing. syslog() driver in syslog-ng and loggen as well sends RFC5424 formatted messages with framing: message length + msg
      E.g.
      "256 <13>1 2018-07-09T16:23:25+02:00 localhost ...."
      tcp() or network() driver on the other hand does not expect framing, although it can parse RFC5424 formatted messages(when flags(syslog-protocol) option is used).



      The solution is to disable framing in loggen (use the "-F" option of loggen) and use "flags(syslog-protocol)" option in your network() source.



      However this only solves your problem with loggen, if your log source sends its log messages with framing it will cause the same problem with your tcp() source driver.



      Using syslog() source driver would handle (and expect!) framing from loggen or syslog().



      Btw let me inform you, that the tcp(), upd() drivers are obsolete and it is recommended to use the newer network() driver as per syslog-ng's documentation.






      share|improve this answer























        up vote
        0
        down vote



        accepted







        up vote
        0
        down vote



        accepted






        I found out that the problem is framing. syslog() driver in syslog-ng and loggen as well sends RFC5424 formatted messages with framing: message length + msg
        E.g.
        "256 <13>1 2018-07-09T16:23:25+02:00 localhost ...."
        tcp() or network() driver on the other hand does not expect framing, although it can parse RFC5424 formatted messages(when flags(syslog-protocol) option is used).



        The solution is to disable framing in loggen (use the "-F" option of loggen) and use "flags(syslog-protocol)" option in your network() source.



        However this only solves your problem with loggen, if your log source sends its log messages with framing it will cause the same problem with your tcp() source driver.



        Using syslog() source driver would handle (and expect!) framing from loggen or syslog().



        Btw let me inform you, that the tcp(), upd() drivers are obsolete and it is recommended to use the newer network() driver as per syslog-ng's documentation.






        share|improve this answer













        I found out that the problem is framing. syslog() driver in syslog-ng and loggen as well sends RFC5424 formatted messages with framing: message length + msg
        E.g.
        "256 <13>1 2018-07-09T16:23:25+02:00 localhost ...."
        tcp() or network() driver on the other hand does not expect framing, although it can parse RFC5424 formatted messages(when flags(syslog-protocol) option is used).



        The solution is to disable framing in loggen (use the "-F" option of loggen) and use "flags(syslog-protocol)" option in your network() source.



        However this only solves your problem with loggen, if your log source sends its log messages with framing it will cause the same problem with your tcp() source driver.



        Using syslog() source driver would handle (and expect!) framing from loggen or syslog().



        Btw let me inform you, that the tcp(), upd() drivers are obsolete and it is recommended to use the newer network() driver as per syslog-ng's documentation.







        share|improve this answer













        share|improve this answer



        share|improve this answer











        answered Jul 17 at 7:46









        Aiurea Adica tot YO

        14




        14






















             

            draft saved


            draft discarded


























             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f452042%2fsyslog-ng-loggen%23new-answer', 'question_page');

            );

            Post as a guest













































































            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?