Bug #13449
open
Wrong logging if ICMP "Port unreachable"
0%
Description
It seems to me that there is a comma missing from these type of logs:
filterlog82349: 143,,,1611338923,vtnet2,match,pass,in,4,0xc0,,64,37963,0,none,1,icmp,356,10.3.0.3,10.3.0.252,unreachport,10.3.0.3,UDP, 68336
With "tcpdump":
10.3.0.3 > 10.3.0.252: ICMP 10.3.0.3 udp port 68 unreachable, length 336
So, the log should look like this:
filterlog82349: 143,,,1611338923,vtnet2,match,pass,in,4,0xc0,,64,37963,0,none,1,icmp,356,10.3.0.3,10.3.0.252,unreachport,10.3.0.3,UDP, 68,336
Otherwise, a parsing of the log is not possible
See also bug #7476.
Translated with www.DeepL.com/Translator (free version)
Updated by Kris Phillips about 2 years ago
Hello Johannes,
Are you viewing the filter.log file, viewing syslog data, or something else here? I'm looking at the filter.log file and, unless I'm missing something here, I don't see this behavior there.
Updated by Johannes Wanink about 2 years ago
Kris Phillips wrote in #note-1:
Hello Johannes,
Are you viewing the filter.log file, viewing syslog data, or something else here? I'm looking at the filter.log file and, unless I'm missing something here, I don't see this behavior there.
Hi Kris,
I got the logevent directly from the filter.log file.
(With a Splunk forwarder and also directly on the console, I see these entries).
I also noticed it only with the ICMP "port unreachbale" events at the moment.
[2.6.0-RELEASE][root@box1]/var/log: grep "unreachport" filter.log Aug 29 11:18:08 gw01-master filterlog[82349]: 143,,,1611338923,vtnet2.400,match,pass,in,4,0xc0,,64,50102,0,none,1,icmp,356,10.3.0.5,10.3.0.252,unreachport,10.3.0.5,UDP, 68336