  • Status: Solved
  • Priority: Medium
  • Security: Public

Line feed (0x0A) character in PIX syslog messages

Hi experts,

We use a Cisco PIX-535, soft version 7.0(4)
The issue is that in all syslog messages sent by this PIX there is an extra line feed character (0x0A).
Like a message end delimiter.
But syslog RFC states that there is no need for message ending delimiter.
This extra line feed is causing us much trouble and we would like to get rid of it.

Can somebody confirm whether this is normal behaviour for a Cisco PIX?
Is there a command to change this behaviour?
Or is this just some kind of "bug"?

Thanks.
Laszlo
klaszlo
Asked:
 
rexxus Commented:
There is a known bug in 7.0(4) for malformed packets; whilst the description of the bug doesn't exactly match what you're seeing, there is a possibility that it may be.

The fix for the malformed syslog messages is in PIXOS 7.0(5.1) and above.  Not a terribly elegant fix though.
 
klaszlo Author Commented:
Thank you Rexxus.
I understand from your answer that this behaviour is not normal for PIX OS 7.0(4) syslog messages.

Regarding the "bug" you suggested I found something only here:
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix706rn.html 
There is a reference to a resolved caveat in PIX OS 7.0(6):
"CSCsd82355 = Malformed syslog packets may be generated. "
So an upgrade to 7.0(6) could be a solution?
 
rexxus Commented:
Yes, I didn't include a URL in my previous reply as I wasn't sure if you had partner level access to bugtracker.

But yes, an upgrade may be the only fix.
 
klaszlo Author Commented:
An update:
Cisco ASA with OS 8.0.3 is also sending a LF character at the end of each syslog message.
So the upgrade from 7.0(4) to a newer version may not be a solution.

This extra LF causes the syslog parser to treat each message as 2 messages, one useful and one empty and useless. And the parser is parsing the empty messages too, losing time.
At a high rate of syslog messages this causes latency.
 
rexxus Commented:
I'm out of ideas.

If you have a service level agreement with a Cisco partner or Cisco, I'd look at raising a TAC case and escalating it as an (undiscovered/undisclosed) IOS bug.
 
klaszlo Author Commented:
I understood that Cisco use various forms of syslog messages.
For example syslog messages coming from Cisco switches and routers do not have any LF at their end.
But Cisco PIX and ASA do have a LF.
So this is "normal" behaviour.
Case closed :-)
 
klaszlo Author Commented:
Thank you.
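
The thread ends with the LF being treated as normal for PIX and ASA, which leaves the handling to the receiver. The following is an added example, not code from the thread or from Cisco: an ingest step that trims the trailing LF from each datagram instead of splitting on it, so one datagram yields one record and empty messages never reach the parser. It assumes UDP transport with one message per datagram; the function names and sample datagrams are constructed for illustration.

```python
import re

# Trailing bytes a sender may append to a datagram: LF (0x0A), CR, NUL.
TRAILER = b"\n\r\x00"
# Priority header: "<", 1-3 digits, ">" at the very start of the message.
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def normalize_datagram(payload: bytes):
    """Return the single message carried by one datagram, or None if empty.

    Only the tail is trimmed. An LF inside the payload is kept, so a
    datagram is never split into several records.
    """
    msg = payload.rstrip(TRAILER)
    return msg or None


def parse(msg: bytes) -> dict:
    """Split facility and severity out of the PRI header."""
    m = PRI_RE.match(msg)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid PRI header")
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7,
            "text": msg[m.end():].decode("utf-8", "replace")}


def ingest(datagrams):
    """Parse each datagram at most once; count empty and rejected ones."""
    records, stats = [], {"empty": 0, "invalid": 0}
    for payload in datagrams:
        msg = normalize_datagram(payload)
        if msg is None:
            stats["empty"] += 1      # skipped before any parsing work
            continue
        try:
            records.append(parse(msg))
        except ValueError:
            stats["invalid"] += 1
    return records, stats


# Constructed sample datagrams (not captured from a real device).
SAMPLES = [
    b"<166>%PIX-6-302013: Built outbound TCP connection (constructed)\n",
    b"<189>%LINK-5-CHANGED: Interface state changed (constructed)",
    b"\n",
]

if __name__ == "__main__":
    print(ingest(SAMPLES))
```

Keeping the `empty` and `invalid` counters visible makes it possible to tell a sender that pads every message from one that is emitting genuinely malformed packets.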