cisco router config and plain TCP syslog
Hi list,

Is there someone on the list successfully using plain TCP syslog
logging? I have one problem case inside the forum where the router does
not properly terminate messages with LF, the required framing:

http://kb.monitorware.com/tcp-syslog-fill-s-up-buffer-and-doesn-t-log-single-events-t8705.html

I am not an IOS guy, so I would appreciate if someone could drop me the
right configuration for the routers. Actually, I wonder that they do not
seem to do that by default. As far as I remember, this has never been an
issue. I have limited personal experience with PIX, which terminated
messages correctly by default.

Any pointer would be appreciated,
Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
Re: cisco router config and plain TCP syslog
> http://kb.monitorware.com/tcp-syslog-fill-s-up-buffer-and-doesn-t-log-single-events-t8705.html

It would seem they're using some version of IOS 12.3 or 12.4; the
'transport X' predicate was introduced some time in the prior but not
documented until the latter. It would be good to know precisely what
version they are running for reference anyway.

For all I can tell (not having set up a test env myself), it would
seem that just because one indicates TCP as the transport, the
underlying engine doesn't change its semantics and remains at the
UDP-esque 'one packet per message'. For that matter, I see references
specifically to RFC3164 as opposed to 3195. Leave it to Cisco...

> I am not an IOS guy, so I would appreciate if someone could drop me the
> right configuration for the routers. Actually, I wonder that they do not
> seem to do that by default. As far as I remember, this has never been an
> issue. I have limited personal experience with PIX, which terminated
> messages correctly by default.
:) My primary experience is with PIX as well. Looks like the two
primary options are to use 'transport beep' [1] (Cisco's reference to
RFC3195) or to use an ESM filter [2] to add newlines.

[1] http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00807883c3.html
[2] http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_esm.html

Re: cisco router config and plain TCP syslog
> > http://kb.monitorware.com/tcp-syslog-fill-s-up-buffer-and-doesn-t-log-single-events-t8705.html
>
> It would seem they're using some version of IOS 12.3 or 12.4; the
> 'transport X' predicate was introduced some time in the prior but not
> documented until the latter. It would be good to know precisely what
> version they are running for reference anyway.
>
> For all I can tell (not having set up a test env myself), it would
> seem that just because one indicates TCP as the transport, the
> underlying engine doesn't change its semantics and remains at the
> UDP-esque 'one packet per message'. For that matter, I see references
> specifically to RFC3164 as opposed to 3195. Leave it to Cisco...

Quick follow-up: I am working with them, hope to get some results out of
this conversation. As this bug seems to actually exist in IOS and lots
of IOS are rolled out, I'll try to do a work-around, at least if I can
convince myself that it will work in at least many cases ;)

Rainer

Re: cisco router config and plain TCP syslog
> Quick follow-up: I am working with them, hope to get some results out of
> this conversation. As this bug seems to actually exist in IOS and lots
> of IOS are rolled out, I'll try to do a work-around, at least if I can
> convince myself that it will work in at least many cases ;)

I've been watching the thread. Seems like some people have adopted a
workaround based on the signature at the beginning of the Cisco log
entries, but that's pretty obviously subpar - their switching gear
doesn't seem to add those, at least on the 12.1 2950 I test against.
Sorry I don't have much else to offer here - like the OP noted, all my
logging has been on the LAN, and trusted segments to boot. I've seen
setups where remote routers logged over IPSEC or GRE tunnels, but
those were still using UDP.


RB
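
The framing problem discussed in this thread, as an added example that is not part of any poster's message and not rsyslog code: a receiver that splits a plain TCP syslog stream on LF, fed first a correctly terminated stream and then a sender that writes one message per packet without LF. `LfFramer`, `run`, the `max_frame` cap and the two sample messages are constructed for illustration.

```python
class LfFramer:
    """Reassemble LF-terminated syslog messages from a TCP byte stream."""

    def __init__(self, max_frame=2048):
        self.max_frame = max_frame      # assumed cap, not an rsyslog setting
        self.buf = bytearray()

    def feed(self, data):
        """Add received bytes; return a list of (message, truncated) tuples."""
        self.buf += data
        out = []
        while (idx := self.buf.find(b"\n")) != -1:
            out.append((bytes(self.buf[:idx]), False))
            del self.buf[:idx + 1]
        # No LF within max_frame bytes: emit a truncated frame rather than
        # buffering forever and never logging a single event.
        while len(self.buf) >= self.max_frame:
            out.append((bytes(self.buf[:self.max_frame]), True))
            del self.buf[:self.max_frame]
        return out

    @property
    def pending(self):
        """Bytes received but not yet delivered as a message."""
        return len(self.buf)


# Constructed sample messages (not captured from a real device).
MSG1 = b"<189>45: *Mar  1 00:01:02: %SYS-5-CONFIG_I: Configured from console"
MSG2 = b"<187>46: *Mar  1 00:01:09: %LINK-3-UPDOWN: Interface Fa0/1, changed state to down"


def run(segments, max_frame=2048):
    """Feed TCP segments in order; return (frames, bytes still buffered)."""
    f = LfFramer(max_frame)
    frames = []
    for seg in segments:
        frames += f.feed(seg)
    return frames, f.pending


if __name__ == "__main__":
    stream = MSG1 + b"\n" + MSG2 + b"\n"
    print(run([stream[:30], stream[30:]]))   # LF-terminated, split mid-message
    print(run([MSG1, MSG2]))                 # one write per message, no LF
    print(run([MSG1, MSG2], max_frame=100))  # cap forces a merged, truncated frame
```

In the third run the emitted frame contains all of the first message plus the start of the second, so a size cap only keeps events from being held back indefinitely; it does not recover the message boundaries the sender failed to mark.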

Re: cisco router config and plain TCP syslog
> > Quick follow-up: I am working with them, hope to get some results out of
> > this conversation. As this bug seems to actually exist in IOS and lots
> > of IOS are rolled out, I'll try to do a work-around, at least if I can
> > convince myself that it will work in at least many cases ;)
>
> I've been watching the thread. Seems like some people have adopted a
> workaround based on the signature at the beginning of the Cisco log
> entries, but that's pretty obviously subpar - their switching gear
> doesn't seem to add those, at least on the 12.1 2950 I test against.
> Sorry I don't have much else to offer here

You offered a lot. Your post helped track down the problem source and
made me go in the right direction :) I think the best thing now is to
wait for what the Cisco folks come up with. And if that takes too long,
I'll add an $WorkAroundCrazyTCPBug directive and see if it works out ;)

> - like the OP noted, all my
> logging has been on the LAN, and trusted segments to boot. I've seen
> setups where remote routers logged over IPSEC or GRE tunnels, but
> those were still using UDP.

Rainer