Certain Fortinet appliances send logs in a way that causes Syslog-NG to interpret many log messages as a single message.
Cause
Certain Fortinet appliances do not conform to RFC5424 or RFC3164. When they send log messages to Syslog-NG, the messages look like this:
814 <189>date=2023-03-16 time=16:25:06
A log message that complies with RFC5424 or RFC3164 looks like this:
78 <46>1 2023-04-11T14:24:51-04:00
The first log message is missing the required framing; the second message has it. Without the framing, Syslog-NG accepts a long string of messages and then relays all of them as a single message, which gets truncated. If the Syslog-NG relay is forwarding to a Syslog-NG Store Box (SSB), Google Pub/Sub, or some other destination, that single merged message is displayed in a way that makes searching for specific data extremely difficult. If the relay is sending to an SSB, the data will not be displayed properly within the different fields.
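To confirm whether a relay is affected, a practitioner can inspect messages as they arrive at the destination and check for several Fortinet records glued into one. The following is an added example, not part of this article or of Syslog-NG; the sample messages are constructed from the two formats shown above and the hostnames and values in them are made up.

```python
import re

# Start of one unframed Fortinet key=value record: "<PRI>date=YYYY-MM-DD time=HH:MM:SS".
FORTINET_START = re.compile(r"<\d{1,3}>date=\d{4}-\d{2}-\d{2} time=\d{2}:\d{2}:\d{2}")
# RFC5424 header: "<PRI>1 TIMESTAMP HOSTNAME ..." (VERSION field "1" right after the PRI).
RFC5424_START = re.compile(r"^<\d{1,3}>1 \d{4}-\d{2}-\d{2}T\S+ \S+ ")


def strip_octet_count(message: str) -> str:
    """Drop a leading "<len> " octet-count prefix if present (the count is not validated)."""
    return re.sub(r"^\d+ ", "", message, count=1)


def split_fortinet_records(message: str) -> list:
    """Split a stored message into the Fortinet records it contains.

    A correctly delivered message yields one record; a message the relay glued
    together out of several unframed records yields one entry per record.
    """
    body = strip_octet_count(message)
    starts = [m.start() for m in FORTINET_START.finditer(body)]
    if not starts:
        return [body]
    return [body[s:e].rstrip() for s, e in zip(starts, starts[1:] + [len(body)])]


def audit(message: str) -> dict:
    """Report how a message was framed and whether it looks merged or truncated."""
    body = strip_octet_count(message)
    records = split_fortinet_records(message)
    # A truncated tail shows up as an unbalanced quote or an unfinished key=value pair.
    last = records[-1]
    truncated = last.count('"') % 2 == 1 or last.endswith("=")
    return {
        "rfc5424": bool(RFC5424_START.match(body)),
        "records": len(records),
        "merged": len(records) > 1,
        "truncated": truncated,
    }


# Constructed sample: three unframed Fortinet records delivered as one message, last one cut off.
MERGED_SAMPLE = (
    '814 <189>date=2023-03-16 time=16:25:06 devname="fw-example" logid="0000000013" '
    'action="accept" <189>date=2023-03-16 time=16:25:07 devname="fw-example" '
    'logid="0000000013" action="deny" <189>date=2023-03-16 time=16:25:08 devname="fw-exa'
)
# Constructed sample: one properly framed RFC5424 message from the same (hypothetical) device.
RFC5424_SAMPLE = '78 <46>1 2023-04-11T14:24:51-04:00 fw-example - - - date=2023-04-11 time=14:24:51 action="accept"'

if __name__ == "__main__":
    for sample in (MERGED_SAMPLE, RFC5424_SAMPLE):
        print(audit(sample))
```

Running `audit` over a sample of messages pulled from the destination gives a quick count of how many arrived merged or truncated, which is the symptom described above.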
Resolution
To fix this, change the log format of the Fortinet appliance to RFC5424. The appliance will then send its log messages to Syslog-NG with the proper framing, which prevents the relay from forwarding many messages as a single message.