<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.5512" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial size=2>Hello everyone,</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>I am currently working on setting up a Debian box as
a central syslog server.<BR>One goal of this server is to filter syslog messages
into different folders based on what server they were sent by. <BR>This works as
expected with all devices EXCEPT for my Cisco wireless controllers.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>When they log:<BR><STRONG><FONT
color=#0000ff>[CODE]</FONT></STRONG></FONT></DIV>
<DIV><FONT face=Arial size=2><STRONG><FONT color=#0000ff>Jun 02 20:52:29.063
1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP identity request retries
(21) exceeded for client 00:19:d2:78:ee:8f</FONT></STRONG></FONT></DIV>
<DIV><FONT face=Arial size=2><STRONG><FONT color=#0000ff><BR>Jun 02 20:52:09.663
1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP identity request retries
(21) exceeded for client 00:13:e8:d9:9d:eb</FONT></STRONG></FONT></DIV>
<DIV><FONT face=Arial size=2><STRONG><FONT color=#0000ff><BR>Jun 02 20:50:49.064
1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP identity request retries
(21) exceeded for client 00:19:d2:78:ee:8f</FONT></STRONG></FONT></DIV>
<DIV><FONT face=Arial size=2><STRONG><FONT color=#0000ff>[/CODE]</FONT></STRONG></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>My syslog-ng, rather than filtering these into a
folder given by the wireless controller's IP/hostname, creates folders named .063
and .064.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>It seems like syslog-ng is reading the microsecond
portion of the timestamp as the hostname! After sniffing some other syslog
messages, I noticed that ONLY these Cisco devices have timestamps that include
microseconds. </FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Does anyone have any idea how to work around this
and filter the Cisco messages by hostname? Some way to truncate the timestamp or
force it to look further to find the actual hostname?</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Just FYI, I will post the relevant portion of my
syslog-ng.conf:</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><STRONG>[CODE]</STRONG></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><STRONG>source remote_src { udp();
tcp(); };<BR>destination remote_syslog {
<BR> file(<BR> "/usr/local/syslog/$HOST/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.log"
<BR> owner(root) <BR> group(root)
<BR> perm(0644) <BR> dir_perm(0755)
<BR> create_dirs(yes)<BR> );<BR>};</STRONG></FONT></DIV>
<DIV><STRONG><FONT color=#0000ff></FONT></STRONG> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><STRONG>### added 4-16-08 all three
wireless controllers destinations<BR>### manually creating directory
names</STRONG></FONT></DIV>
<DIV><STRONG><FONT color=#0000ff></FONT></STRONG> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><STRONG>destination wir-c-syd-3-00
{<BR> file(<BR> "/usr/local/syslog/wir-c-syd-3-00/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.log"<BR> owner(root)<BR> group(root)<BR> perm(0644)<BR> dir_perm(0755)<BR> create_dirs(yes)<BR> );<BR>};</STRONG></FONT></DIV>
<DIV><STRONG><FONT color=#0000ff></FONT></STRONG> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><STRONG>filter wir-c-syd-3-00 {
netmask(172.25.198.10/32); };</STRONG></FONT></DIV>
<DIV><STRONG><FONT color=#0000ff></FONT></STRONG> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><STRONG>log
{<BR> source(remote_src);<BR> filter(wir-c-syd-3-00);<BR> destination(wir-c-syd-3-00);<BR>};</STRONG></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff
size=2><STRONG>[/CODE]</STRONG></FONT></DIV></BODY></HTML>
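<DIV><FONT face=Arial size=2>Added example (not part of the post above, and not syslog-ng's own parser): a small RFC 3164-style header parser that reproduces the symptom described in the post and shows the two checks that avoid it. The strict parser takes the timestamp as a fixed 15-character "Mmm dd hh:mm:ss" field and treats the next token as the hostname, so a controller line with a fractional-seconds suffix yields the host ".063". The tolerant parser accepts an optional fractional part and then validates the host token; when the header carries no hostname at all (the controller lines quoted above go straight from timestamp to program name) it falls back to the transport-layer sender address, which is what a per-controller folder needs. The Linux-style sample line, the PRI prefixes and the year 2008 are constructed assumptions; the controller line and the address 172.25.198.10 come from the post.</FONT></DIV>

```python
"""Added example, not syslog-ng code: strict vs. tolerant BSD-syslog header parsing."""
import re
from datetime import datetime
from typing import NamedTuple, Optional

# Constructed sample input. WLC_LINE is the first line quoted in the post
# with an assumed PRI prefix; LINUX_LINE and the hostname in it are made up.
SENDER_IP = "172.25.198.10"  # controller address from the poster's filter
LINUX_LINE = ("<34>Jun 02 20:52:29 fw-edge-01 sshd[1234]: "
              "Failed password for invalid user admin from 10.0.0.5")
WLC_LINE = ("<189>Jun 02 20:52:29.063 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: "
            "Max EAP identity request retries (21) exceeded for client 00:19:d2:78:ee:8f")


class Header(NamedTuple):
    pri: Optional[int]
    timestamp: str
    host: str
    rest: str


_PRI = re.compile(r"^<(\d{1,3})>")
# RFC 3164 timestamp: "Mmm dd hh:mm:ss", exactly 15 characters.
_TS_STRICT = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d")
# Same field, but tolerate an optional fractional-seconds suffix such as ".063".
_TS_FRACTION = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d(?:\.\d+)?")
# A plausible hostname: letters, digits, dots and hyphens only (no ':' or '[').
_HOSTNAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def _split_pri(line: str):
    """Strip the <PRI> prefix if present; return (pri, remaining text)."""
    m = _PRI.match(line)
    if not m:
        return None, line
    return int(m.group(1)), line[m.end():]


def parse_naive(line: str, sender_ip: str) -> Header:
    """Fixed-width timestamp; the next whitespace-delimited token is the host.

    Reproduces the symptom in the post: ".063" becomes the hostname."""
    pri, body = _split_pri(line)
    m = _TS_STRICT.match(body)
    if not m:
        return Header(pri, "", sender_ip, body)
    host, _, rest = body[m.end():].lstrip(" ").partition(" ")
    return Header(pri, m.group(0), host, rest)


def parse_tolerant(line: str, sender_ip: str) -> Header:
    """Accept fractional seconds, validate the host token, and fall back to
    the sender address when the header has no hostname field at all."""
    pri, body = _split_pri(line)
    m = _TS_FRACTION.match(body)
    if not m:
        return Header(pri, "", sender_ip, body)
    remainder = body[m.end():].lstrip(" ")
    candidate, _, rest = remainder.partition(" ")
    if _HOSTNAME.match(candidate):
        return Header(pri, m.group(0), candidate, rest)
    # Controller-style header: timestamp straight into the program tag.
    return Header(pri, m.group(0), sender_ip, remainder)


def destination_path(header: Header, year: int = 2008) -> str:
    """Expand the poster's file() template
    /usr/local/syslog/$HOST/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.log
    for a parsed header. The year is assumed; BSD timestamps carry none."""
    if not header.timestamp:
        raise ValueError("no timestamp parsed; cannot build dated path")
    ts = datetime.strptime(header.timestamp[:15], "%b %d %H:%M:%S")
    return (f"/usr/local/syslog/{header.host}/{year}/{ts.month:02d}/"
            f"{year}-{ts.month:02d}-{ts.day:02d}.log")


if __name__ == "__main__":
    for line in (LINUX_LINE, WLC_LINE):
        for name, fn in (("naive", parse_naive), ("tolerant", parse_tolerant)):
            h = fn(line, SENDER_IP)
            print(f"{name:8s} host={h.host!r:16s} -> {destination_path(h)}")
```

<DIV><FONT face=Arial size=2>Running it prints the ".063" folder for the naive parse of the controller line and the per-address folder for the tolerant one. Two things worth checking on the real server: the header validation above is the general idea, so it also catches other hostname-less senders whose first token is a program tag such as "sshd[1234]:" or "kernel:"; and in syslog-ng itself the $HOST macro is only taken from the message header when keep_hostname(yes) is in effect, so confirming the value of keep_hostname() in the options or source block is the first place to look before adding parsing workarounds.</FONT></DIV>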