Line feed (0x0A) character in PIX syslog messages

Hi experts,

We use a Cisco PIX-535, software version 7.0(4).
The issue is that in all syslog messages sent by this PIX there is an extra line feed character (0x0A),
like a message end delimiter.
But the syslog RFC states that there is no need for a message ending delimiter.
This extra line feed is causing us much trouble and we would like to get rid of it.

Can somebody confirm whether this is normal behaviour for a Cisco PIX?
Is there a command to change this behaviour?
Or is this just some kind of "bug"?

Thanks.
Laszlo
klaszlo Asked:

rexxus Commented:
There is a known bug in 7.0(4) for malformed packets. Whilst the description of the bug doesn't exactly match what you're seeing, there is a possibility that it may be.

The fix for the malformed syslog messages is in PIXOS 7.0(5.1) and above. Not a terribly elegant fix, though.
0
klaszlo Author Commented:
Thank you Rexxus.
I understand from your answer that this behaviour is not normal for PIX OS 7.0(4) syslog messages.

Regarding the "bug" you suggested I found something only here:
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix706rn.html 
There is a reference to a resolved caveat in PIX OS 7.0(6):
"CSCsd82355 = Malformed syslog packets may be generated. "
So an upgrade to 7.0(6) could be a solution?
0
rexxus Commented:
Yes, I didn't include a URL in my previous reply as I wasn't sure if you had partner level access to bugtracker.

But yes, an upgrade may be the only fix.
0
klaszlo Author Commented:
An update:
Cisco ASA with OS 8.0.3 is also sending a LF character at the end of each syslog message.
So the upgrade from 7.0(4) to newer version may not be a solution.

This extra LF causes the syslog parser to treat each message as 2 messages, one useful and one empty and useless. And the parser is parsing the empty messages too, losing time.
At a high rate of syslog messages this causes latency.
0
rexxus Commented:
I'm out of ideas.

If you have a service level agreement with a Cisco partner or Cisco, I'd look at raising a TAC case and escalating it as an (undiscovered/undisclosed) IOS bug.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
klaszlo Author Commented:
I understood that Cisco use various forms of syslog messages.
For example syslog messages coming from Cisco switches and routers do not have any LF at their end.
But Cisco PIX and ASA do have a LF.
So this is "normal" behaviour.
Case closed :-)
0
klaszlo Author Commented:
Thank you.
0
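
Since the thread concludes that PIX/ASA messages end in LF while switch and router messages do not, a collector can normalise both on receipt so the trailing LF never produces an empty second message. The following is an added example, not code from the thread or from Cisco; the function names are hypothetical and the sample payloads are constructed.

```python
import re

PRI_RE = re.compile(rb"<(\d{1,3})>")

# Constructed sample payloads (not captured from a real device).
SAMPLE_PIX = b"<166>%PIX-6-302013: Built outbound TCP connection (constructed)\n"
SAMPLE_ROUTER = b"<189>%SYS-5-CONFIG_I: Configured from console (constructed)"


def parse_datagram(payload: bytes):
    """Treat one UDP datagram as exactly one message.

    A trailing LF or CRLF is framing and is dropped, so it is never
    handed to the parser as a second, empty message.
    """
    msg = payload.rstrip(b"\r\n")
    if not msg:
        return None  # LF-only datagram: nothing to parse
    m = PRI_RE.match(msg)
    if m is None or int(m.group(1)) > 191:
        return None  # no valid <PRI> header, reject cheaply
    pri = int(m.group(1))
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "text": msg[m.end():].decode("ascii", "replace"),
    }


def split_stream(buf: bytes):
    """Split LF-delimited input (e.g. a TCP stream or a spool file).

    Returns (messages, leftover): empty frames are discarded before
    parsing, and bytes after the last LF are kept for the next read.
    """
    *complete, leftover = buf.split(b"\n")
    messages = [m.rstrip(b"\r") for m in complete]
    return [m for m in messages if m], leftover


if __name__ == "__main__":
    for sample in (SAMPLE_PIX, SAMPLE_ROUTER, b"\n"):
        print(parse_datagram(sample))
```
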