VMware Cloud Community
ClausAlboege
Contributor

Invalid syslog format when forwarding events (RFC-3164 vs RFC-5424)

Hi,

We are trying to forward events from Log Insight to a central syslog server - as syslog. Unfortunately it seems like Log Insight adds a VERSION 1 to the outgoing message, indicating that the message is RFC-5424, while it's actually RFC-3164.

The following is a snippet from a tcpdump on the Log Insight appliance:

185.xx.xx.7 is the Log Insight appliance
185.xx.xx.12 is the central syslog-server

10:41:44.606332 IP 185.xx.xx.6.45876 > 185.xx.xx.7.514: SYSLOG user.info, length: 193

E....U@.@.;..WQ..WQ..4..... <14>Aug  9 12:41:44 mgtnsxman01.xxx.xxx.xxxx.xxxxx.xxx 2016-08-09 12:41:44.605 CEST  INFO http-nio-127.0.0.1-7441-exec-163 UserSessionManager:43 - New session: XXXXXXXXXXXXXXXXXXXXXXXXXXX3F506

10:41:44.655030 IP 185.xx.xx.7.60149 > 185.xx.xx.12.514: SYSLOG user.info, length: 194

E...U4@.@....WQ..WR.........<14>1 Aug  9 12:41:44 mgtnsxman01.xxx.xxx.xxxx.xxxxx.xxx 2016-08-09 12:41:44.605 CEST  INFO http-nio-127.0.0.1-7441-exec-163 UserSessionManager:43 - New session: XXXXXXXXXXXXXXXXXXXXXXXXXXX3F506


Any reason Log Insight is not just forwarding syslog messages verbatim? Alternatively, convert to RFC-5424 format when forwarding.

Well, even better - fix the originator and have it log in RFC-5424 format in the first place 😉

For syslog messages already in RFC-5424 format, when sent to Log Insight, things seem fine - although the PRI seems to have been changed!?


10:41:43.132566 IP 185.xx.xx.25.46324 > 185.xx.xx.7.514: SYSLOG local0.info, length: 376

E.....@.@....WQ..WQ.......:.<134>1 2016-08-09T10:41:04Z nsx-controller controller - api_request [niciraTag@39961 controller="df8ea526-2811-4260-9410-c0dd2c6db543" cluster="7ae1fa0d-ef26-469d-85ac-abeac48beacd"] ...185.xx.xx.6:56608 admin - [09/Aug/2016:10:41:04 +0000] "GET /ws.v1/control-cluster/node/df8ea526-2811-4260-9410-c0dd2c6db543 HTTP/1.1" 200 850 "-" "Jakarta Commons-HttpClient/3.0" 0.004210

10:41:43.180414 IP 185.xx.xx.7.60149 > 185.xx.xx.12.514: SYSLOG user.info, length: 374

E...U*@.@..n.WQ..WR......~.R<14>1 2016-08-09T10:41:04Z nsx-controller controller - api_request [niciraTag@39961 controller="df8ea526-2811-4260-9410-c0dd2c6db543" cluster="7ae1fa0d-ef26-469d-85ac-abeac48beacd"] ...185.xx.xx.6:56608 admin - [09/Aug/2016:10:41:04 +0000] "GET /ws.v1/control-cluster/node/df8ea526-2811-4260-9410-c0dd2c6db543 HTTP/1.1" 200 850 "-" "Jakarta Commons-HttpClient/3.0" 0.004210

Regards

Claus Albøge
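The two defects visible in the captures above (a "1 " version field prepended to an RFC 3164 body, and the PRI of the RFC 5424 message rewritten from <134> to <14>) are easy to check for automatically before a central collector trusts a relay's output. The following is an added example, not code from the post or from Log Insight: a small classifier that decides whether a line has a valid RFC 3164 or RFC 5424 header, flags the "version field followed by a BSD timestamp" hybrid, decodes the PRI into facility.severity, and compares an original message against the forwarded copy. The sample lines are constructed from the captures in the post, with the message bodies shortened.

```python
"""Classify syslog lines as RFC 3164 / RFC 5424 and flag the two relay
defects described in the post: a spurious "1 " VERSION field and a
rewritten PRI. Added example; not Log Insight code."""
import re

# PRI = facility * 8 + severity; the encoding is identical in both RFCs.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 5424 HEADER: VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
RFC5424_RE = re.compile(
    r"^1 (?P<ts>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+)(?: |$)"
)
# RFC 3164 HEADER: "Mmm dd hh:mm:ss HOSTNAME" (single-digit day is space padded,
# which is why "Aug  9" carries two spaces).
RFC3164_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")

# Constructed samples modelled on the capture in the post (payload only,
# message text shortened). Not the exact bytes from the thread.
SAMPLES = {
    "original_3164": "<14>Aug  9 12:41:44 mgtnsxman01.xxx.xxx.xxxx.xxxxx.xxx "
                     "2016-08-09 12:41:44.605 CEST  INFO UserSessionManager:43 - New session: XXXX3F506",
    "forwarded_3164": "<14>1 Aug  9 12:41:44 mgtnsxman01.xxx.xxx.xxxx.xxxxx.xxx "
                      "2016-08-09 12:41:44.605 CEST  INFO UserSessionManager:43 - New session: XXXX3F506",
    "original_5424": "<134>1 2016-08-09T10:41:04Z nsx-controller controller - api_request "
                     "[niciraTag@39961 controller=\"df8ea526\"] admin GET /ws.v1/control-cluster 200",
    "forwarded_5424": "<14>1 2016-08-09T10:41:04Z nsx-controller controller - api_request "
                      "[niciraTag@39961 controller=\"df8ea526\"] admin GET /ws.v1/control-cluster 200",
}


def decode_pri(pri: int) -> str:
    """Render a numeric PRI the way tcpdump does, e.g. 134 -> 'local0.info'."""
    return f"{FACILITIES[pri // 8]}.{SEVERITIES[pri % 8]}"


def classify(line: str) -> dict:
    """Return the detected format plus PRI; 'invalid' carries a reason."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return {"format": "invalid", "reason": "missing or out-of-range PRI"}
    pri = int(m.group(1))
    rest = line[m.end():]
    result = {"pri": pri, "pri_name": decode_pri(pri)}
    if RFC5424_RE.match(rest):
        return {**result, "format": "rfc5424"}
    if rest.startswith("1 ") and RFC3164_RE.match(rest[2:]):
        # The defect from the post: a 5424 VERSION glued onto a 3164 header.
        return {**result, "format": "invalid",
                "reason": "RFC 5424 version field followed by an RFC 3164 timestamp"}
    if RFC3164_RE.match(rest):
        return {**result, "format": "rfc3164"}
    return {**result, "format": "invalid", "reason": "unrecognised header"}


def compare_forwarded(original: str, forwarded: str) -> list:
    """List what a relay changed between the ingested and forwarded copy."""
    a, b = classify(original), classify(forwarded)
    findings = []
    if a.get("pri") != b.get("pri"):
        findings.append(f"PRI rewritten: {a.get('pri_name')} -> {b.get('pri_name')}")
    if a["format"] != b["format"]:
        findings.append(f"format changed: {a['format']} -> {b['format']} ({b.get('reason', '')})")
    return findings


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, classify(line))
    print(compare_forwarded(SAMPLES["original_3164"], SAMPLES["forwarded_3164"]))
    print(compare_forwarded(SAMPLES["original_5424"], SAMPLES["forwarded_5424"]))
```

Run against the constructed samples, the 3164 message comes back as a format change to "invalid" and the 5424 message as a PRI rewrite from local0.info to user.info, which is exactly what the tcpdump facility labels in the post show. The same check can be run on a collector's inbound feed to spot relays that alter headers, since a PRI rewrite silently moves events to a different facility and can break downstream routing or alerting rules keyed on it.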
