Are you running syslog-ng on the AIX host as well? I think you probably aren't. SVR4-type boxes leave out the hostname when sending syslogs over the wire, but leave the rest of the header intact:

http://www.campin.net/syslog-ng/syslog.html#missing_parts

This is highly confusing behavior, especially when there are spaces in the program name. This is why I requested and Bazsi created the "bad_hostname()" option.

Either put syslog-ng on the AIX boxes or use bad_hostname() on your syslog-ng loghost.

On Mon, Jun 19, 2006 at 09:21:05AM -0500, SOLIS, ALEX wrote:
I appreciate your sympathy but it does not help me with my TAG problem. :)
Anyone else have any idea how to stop syslog-ng from purging the TAG information from an AIX syslogd message? I have successfully sniffed syslog traffic between the AIX servers and my LOGHOST. The TAG (Process Name info) is definitely intact on the wire. This confirms that syslog-ng is simply parsing the log message and removing the TAG info.
I did some more tests on the Linux LOGHOST using the logger utility and I found that syslog-ng does not like spaces after the TAG information. For example:
1) logger -p syslog.info -t "TEST_TAG" "TEST_MESSAGE"
Generates the log:
Jun 19 08:42:38 loghost TEST_TAG: TEST_MESSAGE
2) logger -p syslog.info -t "TEST_TAG " "TEST_MESSAGE"
Generates the log:
Jun 19 08:44:08 loghost : TEST_MESSAGE
Example two lost the TAG information because of the space after TEST_TAG. I have considered the possibility that the messages being sent from the AIX box do not conform to syslog formatting standards and therefore syslog-ng discards the field. But I would like to know if there is anything that can be done to stop this behavior.
Thanks for all responses, even sympathetic ones. :)
Alex
-----Original Message-----
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
Sent: Tuesday, June 13, 2006 9:09 PM
To: SOLIS, ALEX
Subject: Re: [syslog-ng] Losing TAG information
On Tue, 13 Jun 2006 10:07:33 CDT, "SOLIS, ALEX" said:
(off-list reply)
I have about 20 or so AIX 4.3 servers that are sending syslog messages to a Linux desktop running syslog-ng 1.6.5.
You have my condolences. IBM dropped support for even AIX 4.3.3 several years ago - hopefully you're not having problems keeping the software running and secure...
--
Nate

I wonder why no company starts his manual with the words `We thank you for buying this piece of junk. We have done our best to make this junk as annoying as possible, and we assure that it will give you a headache for the next two months. However, if you feel satisfied with it, we will contact you for an expensive replacement.'
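
An added illustration, not part of the original thread and not syslog-ng's code: a simplified Python model of a BSD-syslog header parser, showing how a message sent without a hostname loses its TAG and how a bad-hostname pattern recovers it. The sample lines, the sender address and the pattern `[:\[]` are constructed assumptions.

```python
import re

# Simplified model of a receiver's header parsing: <PRI>TIMESTAMP [HOST] TAG[pid]: MSG
HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$", re.S)
TAG = re.compile(r"^([^\s:\[]+)(?:\[(\d+)\])?: ?(.*)$", re.S)

# Constructed samples: the same event sent with and without a hostname field.
WITH_HOST = "<46>Jun 19 08:42:38 aixbox TEST_TAG: TEST_MESSAGE"
NO_HOST = "<46>Jun 19 08:42:38 TEST_TAG: TEST_MESSAGE"
SENDER = "192.0.2.10"  # constructed source address of the UDP packet

def parse(line, sender, bad_hostname=None):
    """Split a syslog line into host, program (TAG) and message.

    bad_hostname is a regex (hypothetical pattern, modelling the idea of
    the bad_hostname() option): if the token in the hostname position
    matches it, the token is not a hostname and the sender address is
    used as the host instead.
    """
    m = HEADER.match(line)
    if not m:
        return {"host": sender, "program": "", "msg": line}
    pri, _stamp, rest = m.groups()
    first, _, remainder = rest.partition(" ")
    if bad_hostname and re.search(bad_hostname, first):
        host, body = sender, rest          # no hostname on the wire
    else:
        host, body = first, remainder      # trust the first token as the host
    t = TAG.match(body)
    program, msg = (t.group(1), t.group(3)) if t else ("", body)
    return {"pri": int(pri), "host": host, "program": program, "msg": msg}

if __name__ == "__main__":
    # Without the pattern the TAG is consumed as the hostname and the
    # stored record has no program name to filter or alert on.
    print(parse(NO_HOST, SENDER))
    # A token containing ':' or '[' cannot be a hostname, so it is kept as the TAG.
    print(parse(NO_HOST, SENDER, bad_hostname=r"[:\[]"))
    print(parse(WITH_HOST, SENDER, bad_hostname=r"[:\[]"))
```
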