My new configuration now looks like this (from the FAQ):

    source src { internal(); unix-dgram("/dev/log"); unix-dgram("/var/lib/ntp/dev/log"); };
    source rmt_udp { udp(ip("0.0.0.0") port(514)); };
    destination hosts {
        file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY"
             owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
    };
    log { source(rmt_udp); destination(hosts); };

There are other statements, filters (from the sample conf.) etc., but I think these are the pertinent ones.

Now I have two machines pointing to my syslog-ng server. In the "suselog:/var/log/HOSTS/suselog/2005/12/28/auth20051228" file, the below forwarded messages are intermixed from two different servers.

    Dec 28 21:37:23 suselog su(pam_unix)[1532]: authentication failure; logname=syss55h uid=500 euid=0 tty=pts/4 ruser=syss55h rhost= user=root
    Dec 28 21:37:23 suselog su(pam_unix)[1532]: authentication failure; logname=syss55h uid=500 euid=0 tty=pts/4 ruser=syss55h rhost= user=root
    Dec 28 21:37:53 suselog sshd(pam_unix)[14395]: session opened for user root by (uid=0)
    Dec 28 21:38:18 suselog su(pam_unix)[14447]: session opened for user syss55h by root(uid=0)
    Dec 28 21:38:26 suselog su(pam_unix)[14490]: authentication failure; logname=root uid=500 euid=0 tty= ruser=syss55h rhost= user=root

The messages at 21:37:23 are from one server and the rest are from another. If nothing else comes up I will upgrade one of the sending machines to syslog-ng and see what happens.

p.s. these machines are not known by DNS.

> On Wed, Dec 28, 2005 at 03:45:30PM -0500, ken.schweiker@faa.gov wrote:
> > Thanks. Meanwhile I finally read the bottom of these responses and went to
> > www.campin.net/syslog-ng/faq.html. It was very helpful!
> >
> > It explained the header problem I think ... "Many syslog programs, when configured to relay messages on to another syslog program on another host, will leave out certain parts of the syslog message - complicating proper identification of certain fields." ... and ... "The sysklogd program used as a syslog server for many Linux distributions also leaves out fields. It leaves out the time/date information and the hostname information (the entire 'header')."
> >
> > So it sounds like I'll have to install syslog-ng on all the downstream servers also. Thanks.
>
> I'm glad you read that, but it might not really be clear enough on how syslog-ng behaves in this situation. What happens is that syslog-ng puts in a hostname based on the remote IP or DNS name, and also uses the chained hostname format if configured to do so. Don't bother putting syslog-ng everywhere just for that reason.
>
> Let me know if this clears things up.
>
> --
> Nate
> "The more I C, the less I see."

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
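The behaviour Nate describes (a receiver that fills in a hostname from the peer's address when a relay such as sysklogd has stripped the timestamp/hostname header) is what keeps each forwarded line attributable to the machine it came from, which is the point of the $HOST-based file template above. The following is an added illustration written for this thread, not syslog-ng's own code and not the list's: a small Python receiver-side parser that checks each UDP datagram for a BSD syslog header, keeps the sender's hostname when the header is present, stamps the peer IP (or its DNS name, if a lookup function is supplied) when it is not, and expands the file() template from the quoted configuration. The sample datagrams, the peer addresses 10.0.0.5 and 10.0.0.6, the hostnames web01/app01 and the fixed receive time are constructed for the demo.

```python
import re
from datetime import datetime

# Facility codes from RFC 3164 (unknown codes fall back to "facilityN")
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  16: "local0", 17: "local1", 18: "local2", 19: "local3",
                  20: "local4", 21: "local5", 22: "local6", 23: "local7"}

_PRI_RE = re.compile(r"^<(\d{1,3})>")
# Classic BSD syslog header: TIMESTAMP HOSTNAME, followed by the message text
_HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$", re.DOTALL)

# Fixed receive time so the demo is reproducible (constructed; matches the thread's date)
RECEIVED = datetime(2005, 12, 28, 21, 37, 23)


def parse_datagram(raw, sender_ip, received_at=RECEIVED, resolver=None):
    """Parse one UDP syslog datagram, stamping a hostname if the relay dropped the header."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = _PRI_RE.match(text)
    pri = int(m.group(1)) if m else 13            # no PRI: RFC 3164 says treat as user.notice
    body = text[m.end():] if m else text
    facility = FACILITY_NAMES.get(pri >> 3, "facility%d" % (pri >> 3))
    h = _HEADER_RE.match(body)
    if h:
        # Header intact: keep the sender's own hostname and timestamp
        return {"host": h.group("host"), "timestamp": h.group("ts"), "facility": facility,
                "severity": pri & 7, "msg": h.group("msg"), "header_present": True}
    # Header stripped (the sysklogd behaviour the FAQ describes): use the peer's DNS name
    # if the resolver knows it, otherwise its IP address, and stamp the receive time
    host = (resolver(sender_ip) if resolver else None) or sender_ip
    ts = "%s %2d %s" % (received_at.strftime("%b"), received_at.day,
                        received_at.strftime("%H:%M:%S"))
    return {"host": host, "timestamp": ts, "facility": facility, "severity": pri & 7,
            "msg": body, "header_present": False}


def destination_path(rec, received_at=RECEIVED):
    """Expand the file() template from the configuration quoted in the thread."""
    y, mo, d = received_at.strftime("%Y %m %d").split()
    return "/var/log/HOSTS/%s/%s/%s/%s/%s%s%s%s" % (rec["host"], y, mo, d,
                                                    rec["facility"], y, mo, d)


def format_line(rec):
    """Render the record the way it would appear in the destination file."""
    return "%s %s %s" % (rec["timestamp"], rec["host"], rec["msg"])


# Constructed sample datagrams, not captured traffic: the first relay stripped the
# header (PRI 38 = auth.info), the second kept it
SAMPLES = [
    ("10.0.0.5", b"<38>su(pam_unix)[1532]: authentication failure; logname=syss55h "
                 b"uid=500 euid=0 tty=pts/4 ruser=syss55h rhost= user=root"),
    ("10.0.0.6", b"<38>Dec 28 21:37:53 web01 sshd(pam_unix)[14395]: session opened "
                 b"for user root by (uid=0)"),
]


def demo(resolver=None):
    """Return (destination path, rendered line, header_present) for each sample."""
    out = []
    for ip, dgram in SAMPLES:
        rec = parse_datagram(dgram, ip, RECEIVED, resolver)
        out.append((destination_path(rec), format_line(rec), rec["header_present"]))
    return out


if __name__ == "__main__":
    for path, line, had_header in demo():
        print("%s (header %s)\n  %s" % (path, "kept" if had_header else "stamped", line))
```

Run without a resolver, the headerless datagram lands under /var/log/HOSTS/10.0.0.5/... while the intact one lands under /var/log/HOSTS/web01/..., so the two senders no longer share a file; passing a lookup function (a dict or a reverse-DNS call) substitutes a name for the address. The header_present flag is worth keeping in whatever you do with the records: a relay that suddenly starts sending headerless messages is a configuration change on that host that a log pipeline should notice.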