Syslog parsing error in transmission


#1

Currently having a strange parsing error with Cisco ASA logs.

ASA syslogs forwarded to Logstash via syslog-ng, a typical line is like this:

2015-07-31T01:47:35+10:00 10.0.0.25 %ASA-3-313001: Denied ICMP type=3, code=3 from 58.96.9.88 on interface outside

Logstash listens on a TCP port for the forwarded message.

If I send the logs to Logstash with netcat e.g,"cat asa.logs | nc -vv -n logstash_host 1234", then everything works fine. But if I use syslog-ng to forward (all other syslogs work fine this way) then I get a _grokparsefailure.

I can't work out what the issue is, almost like some extra character is getting added in transit.Can't see why the ASA logs would be different to any other.


(Magnus B├Ąck) #2

I'd use tcpdump to capture exactly what's sent over the wire. There's obviously some kind of difference.


(Don Click) #3

make any progress here? interested in your results.


(system) #4