I wish I could retract this since the solution was simple. But since I posted it I guess I should at least qualify this. This turned out to be not a problem with the syslog at all. It was a problem with the person looking at the logs who claimed there was a problem, and at first glance I thought it was a problem. After doing more digging I found that the routers actually send their log messages exactly as they appear in the log file. The three-letter region specification on the front turns out to be an alias that the network analysts were using. Since I mostly do internal logging I didn't have use_fqdn turned on, and the only thing they were seeing was the hostname: gw1, ts1, etc. This is insufficient since we have over 1100 routers to maintain. There are many gw1's and gw2's, etc. As soon as I turned on use_fqdn and started getting the domain name added on, which is sufficient to identify the source, all is great from my perspective. Thanks for your time and sorry to bother everyone. Drew
-----Original Message-----
From: Hamilton, Andrew Mr. [SMTP:HamiltonA@hq.5sigcmd.army.mil]
Sent: Wednesday, November 15, 2000 3:06 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: [syslog-ng]Odd problem
I am getting something very strange in my syslogs. This doesn't happen for every host but it appears that most of the hostnames are getting the front truncated. Here is a sample of the logfile and my config file. I am running syslog-ng 1.4.7.
Nov 15 13:57:03 gw1.hanau.army.mil 172593: Nov 15 13:57:18: %SEC-6-IPACCESSLOGP: list 196 permitted tcp 140.156.30.6(48879) -> 192.73.27.115(33658), 725 packets
Nov 15 13:57:03 gw7.mannheim.army.mil 93065: Nov 15 13:57:18: %LANCE-5-LATECOLL: Unit 0, late collision error
Nov 15 13:57:03 bggw.heidelberg.army.mil 3078332: Nov 15 13:57:18: %SEC-6-IPACCESSLOGP: list 191 denied tcp 64.4.16.24(80) -> 147.37.199.194(1509), 1 packet
Nov 15 13:57:03 bggw.ansbach.army.mil 437279: Nov 15 13:57:18: %SEC-6-IPACCESSLOGP: list 193 denied udp 136.218.199.6(1704) -> 169.254.102.246(1112), 1 packet
Nov 15 13:57:03 BGGW-ETHER0-1.STUTTGART.ARMY.MIL 1236689: 6w6d: %SEC-6-IPACCESSLOGP: list 192 permitted tcp 199.211.200.34(1488) -> 136.221.21.11(80), 6 packets
The hostname should be hnu-gw1.hanau.army.mil in the first one, and likewise for the rest. There is some three-letter representation of the region on the front of the hostname. Here is my config, partly anyway.
options {
    long_hostnames(yes);
    use_fqdn(yes);
    chain_hostnames(no);
    sync(0);
    keep_hostname(yes);
    create_dirs(yes);
};
source src {
    sun-streams("/dev/log" door("/etc/.syslog_door"));
    internal();
    udp();
};
destination d_cisco { file("/logs/cisco/ciscologs"); };
destination d_reno { udp("host.mydomain.mil"); };
filter f_cisco { facility(local7); };
log { source(src); filter(f_cisco); destination(d_cisco); destination(d_host); };
Seems to actually function fine but is truncating the front part.
Any ideas?
Regards, Drew
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
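As an added example, not from the thread or from syslog-ng itself: a small Python parser for the line format shown above (syslog-ng timestamp and recorded hostname, then the Cisco IOS sequence number, IOS timestamp, %FACILITY-SEVERITY-MNEMONIC and message) that reports which router short names would not identify a single source when use_fqdn is off. The sample lines, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict

# One syslog-ng file line as in the thread: receive timestamp, hostname as recorded,
# then the IOS part: sequence number, IOS timestamp (wall clock or uptime such as
# 6w6d), %FACILITY-SEVERITY-MNEMONIC, message text.
LINE_RE = re.compile(
    r"^(?P<recv_ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<seq>\d+): (?P<ios_ts>.+?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)

# Constructed sample (hostnames and addresses are placeholders): the short name "gw1"
# from two sites, plus one line recorded as a bare "gw1" as it would be without use_fqdn.
SAMPLE_LOG = """\
Nov 15 13:57:03 gw1.site-a.example 172593: Nov 15 13:57:18: %SEC-6-IPACCESSLOGP: list 196 permitted tcp 10.0.0.6(48879) -> 10.0.1.115(33658), 725 packets
Nov 15 13:57:03 gw1.site-b.example 93065: Nov 15 13:57:18: %LANCE-5-LATECOLL: Unit 0, late collision error
Nov 15 13:57:04 gw1 1236689: 6w6d: %SEC-6-IPACCESSLOGP: list 191 denied tcp 10.0.2.24(80) -> 10.0.3.194(1509), 1 packet
Nov 15 13:57:04 ts1.site-a.example 3078332: Nov 15 13:57:18: %SEC-6-IPACCESSLOGP: list 193 denied udp 10.0.4.6(1704) -> 10.0.5.246(1112), 1 packet
"""

def parse_line(line):
    """Split one line into its fields; returns None for lines not in this format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    rec["severity"] = int(rec["severity"])
    rec["short"] = rec["host"].split(".", 1)[0]   # the label use_fqdn(no) would leave
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def ambiguous_short_names(records):
    """Short names that do not pin down one router: several FQDNs share the label,
    or a line arrived with the bare label and cannot be placed at all."""
    seen = defaultdict(set)
    for r in records:
        seen[r["short"]].add(r["host"])
    return {s: sorted(h) for s, h in seen.items()
            if len(h) > 1 or any("." not in x for x in h)}

def acl_denies_by_router(records):
    """Count IPACCESSLOGP denies per recorded hostname, keyed on the full name."""
    counts = defaultdict(int)
    for r in records:
        if r["mnemonic"] == "IPACCESSLOGP" and r["msg"].split()[2] == "denied":
            counts[r["host"]] += 1
    return dict(counts)
```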