On Fri, Sep 07, 2007 at 03:18:27PM +0200, Delphine D wrote:
I receive the logs on the centralized logs server but without any information about the source of the logs (no IP, no hostname).
In other words:
Sep 7 14:03:29 2007 v0 AAA [0/100e8] [ERROR]: User authentication failure, user: 'test', host: 1.2.3.4, application: httpLogin, method: TACACS(serviceNotAvailable) serviceNotAvailable
instead of:
Sep 7 14:03:29 2007/nauticus.ourdomain.be v0 AAA [0/100e8] [ERROR]: User authentication failure, user: 'test', host: 1.2.3.4, application: httpLogin, method: TACACS(serviceNotAvailable) serviceNotAvailable
Is there a parameter to change in the N2120?
Those aren't standard syslog messages, and it's possible that paired with how Solaris sends a header but not a hostname, syslog-ng could be getting confused about this.

You should send your "options" part of your syslog-ng.conf, and read http://www.campin.net/syslog-ng/syslog.html to see if it helps you understand what the messages look like on the wire and how syslog-ng makes its best guesses about what the fields mean.

Something similar is the reason for the "bad_hostname" option, but that's for when program names look like hostnames. You have a header section that looks like a hostname, but I'm not sure if you have a keep_hostname(no) that's stripping out your hostname from that weird header section that looks like syslog-ng's "chain_hostnames".

So send your options to the list, try setting keep_hostname(yes), or see if you can force a normal syslog format on the client side. What they're sending is wrong in a new way that isn't worked around in syslog-ng (AFAIK).

--
Nate

"Reader, suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." - Samuel Clemens
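Added example, not part of the original thread and not syslog-ng's actual parser: a simplified RFC 3164-style header parse showing how a year placed after the timestamp lands in the hostname slot, and how a collector can fall back to the datagram's source address so the record is still attributed. The wire frames, PRI value and peer address are constructed for illustration.

```python
import re

# RFC 3164 (BSD syslog) layout: <PRI>Mmm dd hh:mm:ss HOSTNAME rest-of-message
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)
# A plausible hostname: name characters only, with at least one letter.
HOSTLIKE = re.compile(r"^(?=.*[A-Za-z])[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse(frame: str, peer_ip: str) -> dict:
    """Parse one datagram; peer_ip is the sender address from recvfrom()."""
    m = HEADER.match(frame)
    if not m:
        # No recognisable header at all: keep the raw text, attribute to sender.
        return {"facility": None, "severity": None, "ts": None,
                "host": peer_ip, "host_source": "peer", "msg": frame}
    pri = int(m["pri"])
    host, msg, source = m["host"], m["msg"], "header"
    if not (HOSTLIKE.match(host) or IPV4.match(host)):
        # The token in the hostname slot is not a hostname (here: a year).
        # Keep it as message text and attribute the record to the sender.
        msg = f"{host} {msg}"
        host, source = peer_ip, "peer"
    return {"facility": pri >> 3, "severity": pri & 7, "ts": m["ts"],
            "host": host, "host_source": source, "msg": msg}


# Constructed frames: the device's format from the thread vs. a standard one.
DEVICE = ("<131>Sep  7 14:03:29 2007 v0 AAA [0/100e8] [ERROR]: "
          "User authentication failure, user: 'test'")
STANDARD = "<131>Sep  7 14:03:29 nauticus AAA: User authentication failure"

if __name__ == "__main__":
    for frame in (DEVICE, STANDARD):
        rec = parse(frame, "192.0.2.10")  # documentation-range peer address
        print(rec["host_source"], rec["host"], "|", rec["msg"])
```

The `host_source` field records whether the name came from the sender-supplied header or from the network layer, which matters when log source is used as evidence: a header hostname is whatever the client chose to write, and a UDP source address can be spoofed.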