On Wed, Feb 18, 2004 at 05:55:26PM -0500, Gary.Metelitsa@us.hsbc.Com wrote:
Here are some syslog message examples and a snoop I ran:
CSS syslog-ng message: 2004.02.18 17:32:05 7 local7 info 7264 NETMAN-6: CLMcmd: sho run service ,gmetelitsa@local
Router syslog-ng message: 2004.02.18 17:37:07 NYPRRT10 local7 info 1354469: SLOT 1:Feb 18 17:37:05.268 EST: %SEC-6-IPACCESSLOGP: list 112 denied tcp 127.0.0.1(80) -> 205.241.15.99
When I snoop the line I get this (I didn't include the IP header and UDP header as I don't think it's pertinent):
CSS syslog payload message: SYSLOG: "<190>FEB 18 11:04:23 7/1 7187 NETMAN-6: CLMcmd: show run own"
Router payload message: SYSLOG: "<190>1341226: SLOT 1:Feb 18 11:12:43.016 EST: %SEC-6-IPACCES"
The payload does not contain the source IP address for either the CSS or for a router; however, syslog-ng gets the source address/hostname of the router but not of the CSS. Also, I see that the message payload structure is quite different between a router and a CSS.
syslog-ng makes a best guess about the fields of incoming syslog messages, but sometimes guesses wrong. syslog messages are different, depending on the source. See:
http://lists.jammed.com/loganalysis/2002/01/0021.html
http://www.faqs.org/rfcs/rfc3164.html

You should show how syslog-ng is recording the messages to your logfiles (assuming you're logging to files) and it'll be absolutely clear. My guess is that syslog-ng thinks that "7/1" is the hostname, or something like that.

I've had similar problems:
https://lists.balabit.hu/pipermail/syslog-ng/2003-January/004334.html
..and the fix:
https://lists.balabit.hu/pipermail/syslog-ng/2003-January/004412.html

The "bad_hostname()" feature will help. See this example syslog-ng.conf for example usage:
http://www.campin.net/syslog-ng/solaris-conf.txt

-- 
Nate

"Reader, suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." - Samuel Clemens
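The "best guess" Nate describes, and why it lands differently for the two devices, can be reproduced with a small RFC 3164-style parser. The Python below is an added illustration written for this page; it is not syslog-ng's code and not anything posted in the thread. It walks the two snooped payloads quoted above: after the `<PRI>` the parser looks for an RFC 3164 timestamp (`Mmm dd hh:mm:ss`); when one is present, the next space-delimited token is taken as HOSTNAME, which is how the CSS's `7/1` gets picked up as a host; when none is present (the Cisco sequence number `1341226:` comes first), the whole remainder is treated as MSG and the host falls back to the datagram's source address, which is why the router line shows NYPRRT10. The optional `bad_hostname` regex plays the role of syslog-ng's bad_hostname() option: a guessed host that matches it is rejected, pushed back into MSG, and the source address is used instead. The sender addresses and the `^\d+/\d+$` pattern are assumptions for the example, not values from the thread or from the linked configuration.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample datagram payloads, copied from the two snooped payloads
# quoted in the thread (the router one is truncated exactly as snoop showed it).
CSS_PAYLOAD = "<190>FEB 18 11:04:23 7/1 7187 NETMAN-6: CLMcmd: show run own"
ROUTER_PAYLOAD = "<190>1341226: SLOT 1:Feb 18 11:12:43.016 EST: %SEC-6-IPACCES"

# Assumed UDP source addresses for the two devices (not from the thread).
CSS_SENDER = "192.0.2.10"
ROUTER_SENDER = "192.0.2.20"

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 TIMESTAMP is "Mmm dd hh:mm:ss" (day may be space padded). Month is
# matched case-insensitively because the CSS emits "FEB" rather than "Feb".
TIMESTAMP_RE = re.compile(r"^([A-Za-z]{3}) ([ 0-9]\d) (\d\d:\d\d:\d\d) ")

FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


class SyslogRecord(NamedTuple):
    facility: str
    severity: str
    timestamp: Optional[str]   # None when the payload carried no RFC 3164 timestamp
    host: str
    msg: str
    host_from_sender: bool     # True when host was taken from the UDP source address


def parse_bsd_syslog(payload: str, sender_addr: str,
                     bad_hostname: Optional[re.Pattern] = None) -> SyslogRecord:
    """Best-guess RFC 3164 parse in the spirit of what syslog-ng does.

    PRI is mandatory.  If an RFC 3164 timestamp follows, the next token is taken
    as HOSTNAME; otherwise everything after PRI is MSG and the host is the
    datagram's source address.  A guessed HOSTNAME matching `bad_hostname` is
    rejected: it stays in MSG and the source address is used instead.
    """
    m = PRI_RE.match(payload)
    if m is None:
        raise ValueError("payload has no <PRI> header")
    facility_num, severity_num = divmod(int(m.group(1)), 8)
    facility = FACILITY_NAMES.get(facility_num, str(facility_num))
    severity = SEVERITY_NAMES[severity_num]
    rest = payload[m.end():]

    ts = TIMESTAMP_RE.match(rest)
    if ts is None:
        # IOS sequence number "1341226:" is not an RFC 3164 timestamp, so the
        # remainder is all MSG and the host must come from the sender.
        return SyslogRecord(facility, severity, None, sender_addr, rest, True)

    timestamp = ts.group(0).rstrip()
    rest = rest[ts.end():]
    host, _, msg = rest.partition(" ")
    if bad_hostname is not None and bad_hostname.search(host):
        # Rejected hostname: keep it as the start of MSG, use the sender address.
        return SyslogRecord(facility, severity, timestamp, sender_addr, rest, True)
    return SyslogRecord(facility, severity, timestamp, host, msg, False)


# Assumed pattern for the CSS's slot/subslot token such as "7/1" (an assumption
# for this example, not a pattern taken from the thread or the linked config).
CSS_SLOT_TOKEN = re.compile(r"^\d+/\d+$")


def demo() -> dict:
    """Parse both payloads, with and without the bad_hostname rule for the CSS."""
    return {
        "css_naive": parse_bsd_syslog(CSS_PAYLOAD, CSS_SENDER),
        "css_fixed": parse_bsd_syslog(CSS_PAYLOAD, CSS_SENDER, bad_hostname=CSS_SLOT_TOKEN),
        "router": parse_bsd_syslog(ROUTER_PAYLOAD, ROUTER_SENDER),
    }


if __name__ == "__main__":
    for name, rec in demo().items():
        print(f"{name:10s} host={rec.host!r:14s} ts={rec.timestamp!r} msg={rec.msg!r}")
```

Running it shows the CSS line parsed naively with host `7/1` and the message starting at `7187 NETMAN-6:`, the same line with the bad_hostname rule applied getting the sender address as host and `7/1` pushed back into the message, and the router line taking the sender address because no RFC 3164 timestamp follows the PRI. The same check is what a bad_hostname() entry in the syslog-ng options block buys you: pick a pattern that matches the device's bogus token and nothing you actually want to see as a hostname.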