<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Menlo;
panose-1:2 11 6 9 3 8 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi Balazs,<o:p></o:p></p>
<p class="MsoNormal">Sorry for the delay, I don’t get a lot of free time these days :)<o:p></o:p></p>
<p class="MsoNormal">I have attached a pcap as well as a raw log. The log is prior to any manipulation of LogZilla rules, etc.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This is easily reproducible.<o:p></o:p></p>
<p class="MsoNormal">Also, if I add <span style="font-size:10.0pt;font-family:Menlo;color:#383A42;background:#FAFAFA">
show-timezone</span> to the device config, the host field shows up.<o:p></o:p></p>
<p class="MsoNormal">The problem, of course, is that we can’t tell all of our customers to re-configure all of their Cisco devices.<o:p></o:p></p>
<p class="MsoNormal">We have documented the work-around here (search the page for “hostname missing”):<o:p></o:p></p>
<p class="MsoNormal"><a href="http://demo.logzilla.net/help/receiving_data/cisco_ios_configuration">http://demo.logzilla.net/help/receiving_data/cisco_ios_configuration</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This problem never existed before, but I am not certain which syslog-ng version it started occurring in.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">"Scheidler, Balázs" &lt;balazs.scheidler@balabit.com&gt;<br>
<b>Date: </b>Tuesday, May 1, 2018 at 8:45 PM<br>
<b>To: </b>Clayton Dukes &lt;cdukes@logzilla.net&gt;<br>
<b>Cc: </b>Joshua &lt;aces621@yahoo.com&gt;, Syslog-ng users' and developers' mailing list &lt;syslog-ng@lists.balabit.hu&gt;<br>
<b>Subject: </b>Re: [syslog-ng] hostname not appearing correctly when receiving logs from switches<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><a name="_MailOriginalBody">Interesting that I saw this message the first time in your response, and not the original one.
<o:p></o:p></a></p>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">Anyhow, to understand the problem we would need an exact byte-by-byte representation of what syslog-ng is receiving from the switch together with the configuration that is used to process it.
A tcpdump or an "Incoming message" from syslog debug output should work.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">We haven't intentionally changed the syslog parser as far as I remember.<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">On May 1, 2018 22:50, "Clayton Dukes" <</span><a href="mailto:cdukes@logzilla.net"><span style="mso-bookmark:_MailOriginalBody">cdukes@logzilla.net</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody">>
wrote:<o:p></o:p></span></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody">Interesting! We’ve been getting a lot of support tickets for this very problem.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody">I can easily recreate the issue.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody">Balabit Team: is this a new bug?<o:p></o:p></span></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="71%" style="width:71.0%;border-collapse:collapse">
<tbody>
<tr style="page-break-inside:avoid">
<td width="80%" valign="top" style="width:80.0%;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><b><span style="font-size:12.0pt;font-family:"Times New Roman",serif">Clayton Dukes</span></b><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">Founder & CEO</span><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:#AFABAB">LogZilla Corporation<br>
</span></span><a href="https://maps.google.com/?q=2900+N.+Quinlan+Park+Rd&entry=gmail&source=g"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">2900 N. Quinlan Park Rd</span></span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:#AFABAB">,
B240-341<br>
Austin, TX, 78732</span><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:#AFABAB">Tel: 936-4NetOps (463-8677) </span><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:#AFABAB">Web:
</span></span><a href="http://www.logzilla.net/" target="_blank"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:#AFABAB">www.logzilla.net</span></span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> </span><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><i><span style="font-size:12.0pt;font-family:"Times New Roman",serif">For NetOps, By NetOps!</span></i><o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_MailOriginalBody"></span>
</tr>
</tbody>
</table>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><b><span style="font-size:12.0pt;color:black">From:
</span></b></span><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;color:black">syslog-ng <</span></span><a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt">syslog-ng-bounces@lists.balabit.hu</span></span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;color:black">>
on behalf of Joshua <</span></span><a href="mailto:aces621@yahoo.com" target="_blank"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt">aces621@yahoo.com</span></span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;color:black">><br>
<b>Reply-To: </b>Joshua <</span></span><a href="mailto:aces621@yahoo.com" target="_blank"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt">aces621@yahoo.com</span></span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;color:black">>,
Syslog-ng users' and developers' mailing list <</span></span><a href="mailto:syslog-ng@lists.balabit.hu" target="_blank"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt">syslog-ng@lists.balabit.hu</span></span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;color:black">><br>
<b>Date: </b>Monday, April 30, 2018 at 7:09 PM<br>
<b>To: </b>"</span></span><a href="mailto:syslog-ng@lists.balabit.hu" target="_blank"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt">syslog-ng@lists.balabit.hu</span></span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;color:black">"
<</span></span><a href="mailto:syslog-ng@lists.balabit.hu" target="_blank"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt">syslog-ng@lists.balabit.hu</span></span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;color:black">><br>
<b>Subject: </b>[Suspected Spam] [syslog-ng] hostname not appearing correctly when receiving logs from switches</span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><a name="m_-7649788740190382892__MailOriginalBody"><span style="font-size:10.0pt;font-family:"Times New Roman",serif">Hi All,</span></a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:10.0pt;font-family:"Times New Roman",serif"> </span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:10.0pt;font-family:"Times New Roman",serif">I am pretty new to syslog-ng but do have some basic knowledge. I
have deployed syslog-ng v3.14 on a newly deployed Linux server because syslog-ng v3.5 is working very well on another syslog server. </span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:10.0pt;font-family:"Times New Roman",serif"> </span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:10.0pt;font-family:"Times New Roman",serif">On this new deployment, the syslogs received from most of the servers
are able to show IP/host, however, the syslogs from our switches contain IP/host showing as ":" (colons). I copied the current working custom build .conf from another syslog server into our new server. Can someone help me figure out what I am missing? It
is working for some components but not for switches. I tested the same switch by sending syslog to another syslog server and the hostname is appearing but just not appearing on the new syslog server. The only difference between the two servers is that one uses
v3.5 (the working one) and the other uses syslog-ng v3.14.</span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:10.0pt;font-family:"Times New Roman",serif"> </span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:10.0pt;font-family:"Times New Roman",serif">I have set: "keep_hostname (yes)" but it still doesn't work.</span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:10.0pt;font-family:"Times New Roman",serif"> </span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:10.0pt;font-family:"Times New Roman",serif">Can someone please help? Am I missing something here?</span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:10.0pt;font-family:"Times New Roman",serif"> </span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:10.0pt;font-family:"Times New Roman",serif">Thanks</span><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-bookmark:_MailOriginalBody"><em><b><u><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#00407F">Joshua Lai</span></u></b></em></span><span style="mso-bookmark:_MailOriginalBody"><em><b><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:#00407F"> </span></b></em></span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</body>
</html>