<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2658.34">
<TITLE>RE: [syslog-ng] (no subject)</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>I ran into a similar issue with Netcool from syslog-ng, thinking the microsecond portion of the message was the hostname. What we found out is that there is a bug in the WCs. If you upgrade your WCs, you will see the hostnames coming in with your syslog messages (which you don't currently get, hence why your system is not working as expected). Hope that helps!!</FONT></P>
<P><FONT SIZE=2>Chris Ivey</FONT>
</P>
<P><FONT SIZE=2>Affiliated Computer Services</FONT>
<BR><FONT SIZE=2>Enterprise Management Integration Services</FONT>
<BR><FONT SIZE=2>Infrastructure Management Senior Analyst</FONT>
</P>
<P><FONT SIZE=2>chris.ivey@acs-inc.com</FONT>
</P>
<P><FONT SIZE=2>"I have not failed, I have simply found 10,000 ways which do not work!" -- Thomas Edison</FONT>
<BR><FONT SIZE=2>"When you find yourself in a hole, the best thing to do is stop digging!" -- Nick Stokes</FONT>
<BR><FONT SIZE=2>"I reject your reality, and substitute my own!" -- Adam Savage</FONT>
</P>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: syslog-ng-bounces@lists.balabit.hu [<A HREF="mailto:syslog-ng-bounces@lists.balabit.hu">mailto:syslog-ng-bounces@lists.balabit.hu</A>] On Behalf Of chris packham</FONT>
<BR><FONT SIZE=2>Sent: Tuesday, June 03, 2008 4:59 PM</FONT>
<BR><FONT SIZE=2>To: syslog-ng@lists.balabit.hu</FONT>
<BR><FONT SIZE=2>Subject: Re: [syslog-ng] (no subject)</FONT>
</P>
<P><FONT SIZE=2>What version of syslog-ng does your distro use? (run syslog-ng --version</FONT>
<BR><FONT SIZE=2>to find out)</FONT>
</P>
<P><FONT SIZE=2>From looking at the source code history support for this Cisco extension</FONT>
<BR><FONT SIZE=2>was added in v2.0.5. I haven't got a Cisco device handy so I can't</FONT>
<BR><FONT SIZE=2>confirm that it is working but there is code to deal with the fraction</FONT>
<BR><FONT SIZE=2>of a second scenario.</FONT>
</P>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: Andy Kanyer <AKanyer@directs.com></FONT>
<BR><FONT SIZE=2>Reply-To: Syslog-ng users' and developers' mailing list</FONT>
<BR><FONT SIZE=2><syslog-ng@lists.balabit.hu></FONT>
<BR><FONT SIZE=2>To: syslog-ng@lists.balabit.hu</FONT>
<BR><FONT SIZE=2>Subject: [syslog-ng] (no subject)</FONT>
<BR><FONT SIZE=2>Date: Tue, 3 Jun 2008 09:16:30 -0500</FONT>
</P>
<P><FONT SIZE=2>Hello everyone,</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>I am currently working on setting up a debian box as a central syslog</FONT>
<BR><FONT SIZE=2>server.</FONT>
<BR><FONT SIZE=2>One goal of this server is to filter syslog messages into different</FONT>
<BR><FONT SIZE=2>folders based on what server they were sent by. </FONT>
<BR><FONT SIZE=2>This works as expected with all devices EXCEPT for my cisco wireless</FONT>
<BR><FONT SIZE=2>controllers.</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>When they log:</FONT>
<BR><FONT SIZE=2>[CODE]</FONT>
<BR><FONT SIZE=2>Jun 02 20:52:29.063 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP</FONT>
<BR><FONT SIZE=2>identity request retries (21) exceeded for client 00:19:d2:78:ee:8f</FONT>
</P>
<P><FONT SIZE=2>Jun 02 20:52:09.663 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP</FONT>
<BR><FONT SIZE=2>identity request retries (21) exceeded for client 00:13:e8:d9:9d:eb</FONT>
</P>
<P><FONT SIZE=2>Jun 02 20:50:49.064 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP</FONT>
<BR><FONT SIZE=2>identity request retries (21) exceeded for client 00:19:d2:78:ee:8f</FONT>
<BR><FONT SIZE=2>[/CODE]</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>My syslog-ng, rather than filtering these into a folder given by the</FONT>
<BR><FONT SIZE=2>wireless controllers ip/hostname, creates folders named .063 and .064.</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>It seems like syslog-ng is reading the microsecond portion of the</FONT>
<BR><FONT SIZE=2>timestamp as the hostname! After sniffing some other syslog messages, I</FONT>
<BR><FONT SIZE=2>noticed that ONLY these cisco devices have timestamps that include</FONT>
<BR><FONT SIZE=2>microseconds. </FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>Does anyone have any idea how to work around this and filter the cisco</FONT>
<BR><FONT SIZE=2>messages by hostname? Someway to truncate the timestamp or force it to</FONT>
<BR><FONT SIZE=2>look further to find the actual hostname?</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>Just FYI I will post the relevant portion of my syslog-ng.conf:</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>[CODE]</FONT>
<BR><FONT SIZE=2>source remote_src { udp(); tcp(); };</FONT>
<BR><FONT SIZE=2>destination remote_syslog { </FONT>
<BR><FONT SIZE=2> file(</FONT>
<BR><FONT SIZE=2> "/usr/local/syslog/$HOST/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.log" </FONT>
<BR><FONT SIZE=2> owner(root) </FONT>
<BR><FONT SIZE=2> group(root) </FONT>
<BR><FONT SIZE=2> perm(0644) </FONT>
<BR><FONT SIZE=2> dir_perm(0755) </FONT>
<BR><FONT SIZE=2> create_dirs(yes)</FONT>
<BR><FONT SIZE=2> );</FONT>
<BR><FONT SIZE=2>};</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>### added 4-16-08 all three wireless controllers destinations</FONT>
<BR><FONT SIZE=2>### manually creating directory names</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>destination wir-c-syd-3-00 {</FONT>
<BR><FONT SIZE=2> file(</FONT>
<BR><FONT SIZE=2> "/usr/local/syslog/wir-c-syd-3-00/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.log"</FONT>
<BR><FONT SIZE=2> owner(root)</FONT>
<BR><FONT SIZE=2> group(root)</FONT>
<BR><FONT SIZE=2> perm(0644)</FONT>
<BR><FONT SIZE=2> dir_perm(0755)</FONT>
<BR><FONT SIZE=2> create_dirs(yes)</FONT>
<BR><FONT SIZE=2> );</FONT>
<BR><FONT SIZE=2>};</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>filter wir-c-syd-3-00 { netmask(172.25.198.10/32); };</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>log {</FONT>
<BR><FONT SIZE=2> source(remote_src);</FONT>
<BR><FONT SIZE=2> filter(wir-c-syd-3-00);</FONT>
<BR><FONT SIZE=2> destination(wir-c-syd-3-00);</FONT>
<BR><FONT SIZE=2>};</FONT>
<BR><FONT SIZE=2>[/CODE]</FONT>
<BR><FONT SIZE=2>______________________________________________________________________________</FONT>
<BR><FONT SIZE=2>Member info: <A HREF="https://lists.balabit.hu/mailman/listinfo/syslog-ng" TARGET="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</A></FONT>
<BR><FONT SIZE=2>Documentation: <A HREF="http://www.balabit.com/support/documentation/?product=syslog-ng" TARGET="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</A></FONT>
<BR><FONT SIZE=2>FAQ: <A HREF="http://www.campin.net/syslog-ng/faq.html" TARGET="_blank">http://www.campin.net/syslog-ng/faq.html</A></FONT>
</P>
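<P><FONT SIZE=2>The misparse described in the message above, as an added Python example (not code from the thread or from syslog-ng): a fixed-width BSD-syslog split takes the fractional seconds as the host, a fraction-aware split still yields no hostname because these controller messages carry none, so the transport-level sender address is the only reliable key for the directory name. The sample lines, PRI values and the hostname "fileserver01" are constructed placeholders.</FONT></P>

```python
import re

# Constructed sample lines (not from the thread's capture): the first is modelled on the
# wireless-controller output quoted above, the second on an ordinary BSD-syslog sender
# that includes its hostname. PRI values and the hostname are placeholders.
WLC_LINE = ("<189>Jun 02 20:52:29.063 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: "
            "Max EAP identity request retries (21) exceeded for client 00:19:d2:78:ee:8f")
PLAIN_LINE = "<38>Jun  3 09:16:30 fileserver01 sshd[2211]: Accepted publickey for alice"

_PRI = re.compile(r"^<\d{1,3}>")
_FRACTION = re.compile(r"^\.\d+")
# RFC 1123-style hostname or a dotted quad; anything else is not a usable host field.
_HOSTNAME = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}"
    r"|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)$")


def parse_bsd_syslog(line, fraction_aware=True):
    """Split a BSD-syslog line into (timestamp, host, message).

    fraction_aware=False reproduces the behaviour described in the thread: the
    timestamp is taken as the fixed 15-character "Mmm dd hh:mm:ss" field and the
    very next token becomes the host, so ".063" ends up in $HOST.
    """
    m = _PRI.match(line)
    rest = line[m.end():] if m else line
    ts_text, rest = rest[:15], rest[15:]          # "Jun 02 20:52:29"
    if fraction_aware:
        f = _FRACTION.match(rest)                  # swallow ".063" if present
        if f:
            ts_text, rest = ts_text + f.group(0), rest[f.end():]
    host, _, msg = rest.lstrip(" ").partition(" ")
    return ts_text, host, msg


def resolve_host(line, sender_ip, fraction_aware=True):
    """Return the host to file the message under, as (host, taken_from_message).

    The host field is sender-supplied text, so it is only used when it looks like
    a hostname; otherwise the transport-level sender address wins, which is the
    same value the netmask() filter in the thread keys on.
    """
    _, host, _ = parse_bsd_syslog(line, fraction_aware)
    if _HOSTNAME.match(host):
        return host, True
    return sender_ip, False
```

Feeding the controller line through with fraction_aware=False yields the ".063" directory name seen in the thread; with the sanity check the message is filed under the sender address instead.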
</BODY>
</HTML>