Hi,

Thanks for your reply. I did, but it still keeps the IP address, so I removed it. These are my options:

long_hostnames(off);
# doesn't actually help on Solaris, log(3) truncates at 1024 chars
log_msg_size(8192);
# buffer just a little for performance
# sync(1); <- Deprecated - use flush_lines() instead
flush_lines(1);
# memory is cheap, buffer messages unable to write (like to loghost)
log_fifo_size(16384);
# Hosts we don't want syslog from
#bad_hostname("^(ctld.|cmd|tmd|last)$");
# The time to wait before a dead connection is reestablished (seconds)
time_reopen(10);
#Use DNS so that our good names are used, not hostnames
use_dns(no);
dns_cache(yes);
#Use the whole DNS name
use_fqdn(no);
keep_hostname(no);
chain_hostnames(no);
#Read permission for everyone
perm(0644);
# The default action of syslog-ng 1.6.0 is to log a STATS line
# to the file every 10 minutes. That's pretty ugly after a while.
# Change it to every 12 hours so you get a nice daily update of
# how many messages syslog-ng missed (0).
# stats(43200);

Thanks, Ricardo.
Date: Wed, 6 Jul 2011 09:04:51 +0200 From: frobert@balabit.hu To: syslog-ng@lists.balabit.hu Subject: Re: [syslog-ng] AIX Syslog Messages
Hi,
did you try setting the keep_hostname(yes) global option?
Robert
On 07/05/2011 09:05 PM, Ricardo Oliveira wrote:
Hi,
I'm having some problems properly storing messages received from AIX servers. The format which they come in is like this:
"Jul 5 19:30:59 Message forwarded from server2: su: from root to ..."
According to a thread on this mailing list (https://lists.balabit.hu/pipermail/syslog-ng/2006-October/009372.html), and if I understood correctly, this should be OK, and I should get the expected behaviour of replacing this with the form:
"Jul 5 19:30:59 server2 su: from root to ..."
However, what I get in the log is:
"Jul 5 19:30:59 192.168.1.1 su: from root to ..."
Where the 192.168.1.1 is the IP of the machine I got the message from and not the name of the server (server2 in this case).
The issue here is that these messages belong to several machines which are sending their syslog messages to a NIM server, which in turn forwards them to our syslog server, so the IP we end up with is not the machine's IP but rather the NIM server's IP, which is not what we need. I tried parsing the message on arrival, but it doesn't work; I suppose it's because syslog-ng processes it before the parsers kick in.
Is there a way to do this?
TIA, Ricardo.
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
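The behaviour Ricardo describes (the relay's IP replacing the host name carried in the AIX "Message forwarded from X:" prefix) and Robert's keep_hostname(yes) suggestion can both be modelled in a few lines. The following is an added example written for this page; it is not syslog-ng code and not from anyone in the thread. The sample lines, the PID and the addresses are constructed, and the `trusted_relays` parameter is a hypothetical policy of this example, not a syslog-ng option: it honours the origin name only when the relay prefix arrives from a known relay, so an arbitrary sender cannot forge another machine's origin the way keep_hostname(yes) would let it.

```python
import re
from dataclasses import dataclass

# Constructed sample input (not from the thread's logs): one line relayed by a
# NIM server in the AIX "Message forwarded from" shape, and one line sent
# directly by its origin host.  The peer address is what the receiving socket
# reports, i.e. the relay's IP for the forwarded line.
RELAYED_LINE = "<38>Jul  5 19:30:59 Message forwarded from server2: su: from root to oracle"
DIRECT_LINE = "<38>Jul  5 19:30:59 server3 sshd[4242]: Accepted publickey for ops"
NIM_RELAY_IP = "192.168.1.1"

# BSD syslog header: optional <PRI>, then "Mmm dd hh:mm:ss", then the rest.
_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<rest>.*)$"
)
# AIX syslogd relay prefix carrying the origin host name.
_FORWARDED = re.compile(r"^Message forwarded from (?P<host>[^\s:]+): (?P<rest>.*)$")
# Plain "hostname message" form.
_HOSTNAME = re.compile(r"^(?P<host>[A-Za-z0-9][A-Za-z0-9.\-]*) (?P<rest>.*)$")


@dataclass(frozen=True)
class SyslogMsg:
    timestamp: str
    host: str           # HOST as it would be written to the destination
    claimed_host: str   # host name found inside the message text
    forwarded: bool     # True when the AIX relay prefix was present
    message: str


def parse(line, peer_ip, keep_hostname=False, trusted_relays=frozenset()):
    """Parse one BSD syslog line received from peer_ip.

    keep_hostname=False mirrors keep_hostname(no): the sending peer's address
    replaces whatever host name the text carried.  keep_hostname=True mirrors
    keep_hostname(yes): the text's host name is trusted from any peer.
    trusted_relays (hypothetical, not a syslog-ng option) keeps the origin name
    from the relay prefix only when the peer is a known relay.
    """
    m = _HEADER.match(line)
    if m is None:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    rest = m.group("rest")

    fwd = _FORWARDED.match(rest)
    if fwd is not None:
        claimed, body, forwarded = fwd.group("host"), fwd.group("rest"), True
    else:
        plain = _HOSTNAME.match(rest)
        if plain is None:
            raise ValueError(f"no hostname field in: {rest!r}")
        claimed, body, forwarded = plain.group("host"), plain.group("rest"), False

    # keep_hostname(yes) trusts the claimed name from anyone; the narrower policy
    # trusts it only on the forwarded path from a relay we know.
    if keep_hostname or (forwarded and peer_ip in trusted_relays):
        host = claimed
    else:
        host = peer_ip
    return SyslogMsg(m.group("ts"), host, claimed, forwarded, body)


def render(msg):
    """Write the message back out in the "timestamp host message" file format."""
    return f"{msg.timestamp} {msg.host} {msg.message}"


if __name__ == "__main__":
    for kw in ({}, {"keep_hostname": True}, {"trusted_relays": {NIM_RELAY_IP}}):
        print(kw or "defaults", "->", render(parse(RELAYED_LINE, NIM_RELAY_IP, **kw)))
```

With the defaults the relayed line renders as "Jul  5 19:30:59 192.168.1.1 su: ...", which is the output Ricardo reports; with keep_hostname=True or with the relay listed in trusted_relays it renders with server2. The difference between the two is who gets to assert a host name: keep_hostname(yes) extends that trust to every sender, so on a collector that accepts syslog from untrusted networks it is worth restricting to the relay path as the example does.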