On Fri, 2009-01-09 at 07:02 +0000, Geller, Sandor (IT) wrote:
Hi,
I am running syslog-ng on a HP-UX server listening on UDP port 514. It is receiving logs from syslogd running on another server. For some messages syslog-ng does not log the hostname information found in the UDP packet. Rather, it mistakes some data in UDP as the hostname information.
Traditional syslogd doesn't send hostname, as clearly visible in the tcpdump output you sent...
Here is the complete information.
syslog-ng 2.0.9 on HP-UX. Syslogd on node01 sends logs to syslog-ng on node02.
The logs on node02 are:
Jan 9 11:55:11 node01 root: testing1
Jan 9 11:55:32 above message repeats 5 times
Jan 9 11:55:32 node01 root: testing4
Notice that the hostname is missing in the second message. tcpdump on UDP port 514 for the above logs:
11:57:26.183996 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39220, offset 0, flags [DF], proto UDP (17), length 62)
    node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 34
        Facility user (1), Severity notice (5)
        Msg: Jan 9 11:55:11 root: testing1
        0x0000: 3c31 333e 4a61 6e20 2039 2031 313a 3535
        0x0010: 3a31 3120 726f 6f74 3a20 7465 7374 696e
        0x0020: 6731
        0x0000: 0030 6e4a 3244 0030 6e4b 2637 0800 4500  .0nJ2D.0nK&7..E.
        0x0010: 003e 9934 4000 4011 3c2c 10b5 a1f0 10b5  .>.4@.@.<,......
        0x0020: a1f4 e03b 0202 002a a973 3c31 333e 4a61  ...;...*.s<13>Ja
        0x0030: 6e20 2039 2031 313a 3535 3a31 3120 726f  n..9.11:55:11.ro
        0x0040: 6f74 3a20 7465 7374 696e 6731            ot:.testing1
[ cut ]
Is this a bug on how syslogd sends the message or is it a syslog-ng logging problem?
To fix this, either install an RFC 3164-compliant syslog daemon on the HP boxes, or use syslog-ng's bad_hostname() option. You can specify a regexp like "^above", so when syslog-ng parses the log and the regexp matches, syslog-ng will skip hostname parsing.
The bigger problem is that _some_ syslogds send hostname, others don't. And this can happen on the _same_ listener. bad_hostnames() is one option, but this could probably also be resolved using the rewrite features of syslog-ng 3.0.

-- Bazsi
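As an added illustration (not code from this thread or from syslog-ng itself), the following Python is a deliberately simplified model of the RFC 3164 hostname heuristic the thread is about, run on the two packets quoted above: with no hostname field in the packet, "root:" is recognised as a program name, but "above" is swallowed as the hostname unless a bad_hostname()-style regexp excludes it and the sender address is used instead. The parse_bsd_syslog function, the Parsed type and the sender parameter are assumptions of this example, not syslog-ng's actual API or parsing code.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Simplified model of BSD syslog (RFC 3164) header parsing with a
# bad_hostname()-style escape hatch. Constructed for this thread; it does
# not reproduce syslog-ng's real parser.
PRI_RE = re.compile(r"^<(\d{1,3})>")
TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d ")
PROGRAM_RE = re.compile(r"^([^\s:\[]+)(?:\[\d+\])?:\s")


@dataclass
class Parsed:
    host: str
    program: Optional[str]
    message: str


def parse_bsd_syslog(raw: str, sender: str,
                     bad_hostname: Optional[str] = None) -> Parsed:
    """Parse '<PRI>TIMESTAMP [HOST] MSG'.

    Traditional syslogd omits HOST, so the first word after the timestamp
    is taken as the hostname unless it looks like a program name ('prog:')
    or matches the bad_hostname regexp; in both cases the hostname falls
    back to the sender address (the fix discussed in the thread).
    """
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> field")
    rest = raw[m.end():]
    m = TIMESTAMP_RE.match(rest)
    if not m:
        raise ValueError("missing BSD timestamp")
    rest = rest[m.end():]
    first, _, tail = rest.partition(" ")
    looks_like_program = first.endswith(":")
    excluded = bad_hostname is not None and re.search(bad_hostname, first)
    if looks_like_program or excluded:
        host, msg = sender, rest          # keep the whole text as MSG
    else:
        host, msg = first, tail           # first word consumed as HOST
    pm = PROGRAM_RE.match(msg)
    return Parsed(host, pm.group(1) if pm else None, msg)
```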