<div dir="ltr">Sorry, I should have specified that.<div><br></div><div>Not only does the hostname resolve to the correct IP, I created an entry in the hosts file for this device.</div><div><br></div><div>Thanks!</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 6, 2015 at 12:30 PM, Sandor Geller <span dir="ltr"><<a href="mailto:sandor.geller@ericsson.com" target="_blank">sandor.geller@ericsson.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi!<br>
<br>
The only macro in the destination which isn't generated by syslog-ng<br>
itself is $HOST as you are using DNS for hostname resolution. Could you<br>
double-check that the source IP address of the originating device<br>
resolves properly to a hostname and the given hostname is unique?<br>
<br>
hth,<br>
<br>
Sandor<br>
<div><div class="h5"><br>
On 03/06/2015 05:56 PM, Brandon Kendall wrote:<br>
> Hello everyone.<br>
><br>
> I have a centralized syslog-ng server running that collects syslog<br>
> messages from Cisco firewalls. The .conf file is very straightforward<br>
> and contains the following:<br>
><br>
> options {<br>
> use_fqdn(no);<br>
> use_dns(yes);<br>
> dns_cache(yes);<br>
> dns_cache_size(2000);<br>
> dns_cache_expire(87600);<br>
> keep_hostname(no);<br>
> long_hostnames(no);<br>
> flush_lines(0);<br>
> normalize_hostnames(yes);<br>
> create_dirs(yes);<br>
> dir_group(group_name);<br>
> dir_perm(0751);<br>
> stats_freq(600);<br>
> stats_level(1);<br>
> group(group_name);<br>
> perm(0640);<br>
> };<br>
><br>
> source s_network_1 {<br>
> udp();<br>
> };<br>
><br>
> destination d_network_1 {<br>
> file<br>
> ("/var/syslog/$R_YEAR-$R_MONTH-$R_DAY/$HOST/$R_YEAR-$R_MONTH-$R_DAY-$HOST-$R_HOUR.log");<br>
> };<br>
><br>
> log {<br>
> source(s_network_1);<br>
> destination(d_network_1);<br>
> };<br>
><br>
><br>
> The goal is to have the logs from each device arranged in a hierarchy<br>
> that is as follows (simplified):<br>
> Date/device_name/hour-1.log<br>
> Date/device/name/hour2.log<br>
> etc<br>
><br>
> This has been working great.<br>
><br>
> Recently I configured another network device to send syslog messages to<br>
> this server, and they aren't being logged. Using tcpdump on the<br>
> syslog-ng box, I've verified the messages are making it to the server<br>
> from the network device. They are UDP and using the correct port. I've<br>
> compared the message format in the pcap to other devices that are still<br>
> logging and everything matches. I have no errors in /var/log/syslog<br>
> files, nor do I have errors in /var/log/messages.<br>
><br>
> I've hit a dead end in troubleshooting, since all other devices sending<br>
> logs to this server are being correctly written to log files. Can<br>
> someone point me to anything else to check?<br>
><br>
> This is syslog-ng 3.1.2 running on RHEL 5.8.<br>
><br>
><br>
> Thanks!<br>
><br>
><br>
</div></div>> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
<br>
<br>
</blockquote></div><br></div>
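<div>The uniqueness check suggested in the reply can be done offline. The following is an added example, not code from the thread or from syslog-ng: it approximates how $HOST is derived under the posted options (use_fqdn(no), normalize_hostnames(yes), keep_hostname(no)) and reports source IPs whose messages would land in the same file. The lookup table is constructed sample data, the function names are hypothetical, and the fall-back to the IP address for unresolved sources is an assumption about syslog-ng's behaviour.</div>

```python
from collections import defaultdict

# Constructed sample data: source IP -> name returned by a reverse lookup
# (None means the address did not resolve). Replace with real lookups.
SAMPLE_PTR = {
    "192.0.2.10": "FW-Edge.corp.example.com",
    "192.0.2.11": "fw-core.corp.example.com",
    "192.0.2.12": "fw-edge.dmz.example.com",  # same short name as .10
    "192.0.2.13": None,                        # no reverse record
}


def host_macro(ip, resolved, use_fqdn=False, normalize=True):
    """Approximate $HOST for keep_hostname(no) with use_dns(yes)."""
    if not resolved:
        return ip                        # assumption: unresolved -> IP address
    name = resolved if use_fqdn else resolved.split(".", 1)[0]
    return name.lower() if normalize else name


def dest_path(host, year, month, day, hour):
    """Expand the file() template from the posted destination."""
    date = f"{year}-{month}-{day}"
    return f"/var/syslog/{date}/{host}/{date}-{host}-{hour}.log"


def find_collisions(ptr_map):
    """Return {$HOST value: [source IPs]} for values shared by several IPs."""
    by_host = defaultdict(list)
    for ip, resolved in sorted(ptr_map.items()):
        by_host[host_macro(ip, resolved)].append(ip)
    return {host: ips for host, ips in by_host.items() if len(ips) > 1}


if __name__ == "__main__":
    for host, ips in find_collisions(SAMPLE_PTR).items():
        print(f"{host}: shared by {', '.join(ips)}")
        print("  ->", dest_path(host, "2015", "03", "06", "12"))
```

<div>A device whose short name collides with an existing one is not dropped; its messages are appended to the other device's hourly file, which can look like missing logs when only the expected directory is checked.</div>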