Hi all, wondering if anyone is familiar with this
issue. Have several Cisco switches logging to a syslog-ng server.
The syslog-ng server creates a new file for every message as it is interpreting
the ‘count’ item added by the switch as the $program. My
configs are as follows to demonstrate what I mean:
Syslog-ng.conf:
destination d_all {
file("/var/log/syslog-ng/$HOST/$PROGRAM-$YEAR-$MONTH-$DAY.log");
};
But for Cisco switches it writes a new logfile for every
message, with the Cisco message number (i.e. log count #) prepended. E.g.,
for a 6509 switch:
-rw-r--r-- 1 syslog-ng wheel 165 Oct 21 11:51 1655156-2009-10-21.log
-rw-r--r-- 1 syslog-ng wheel 168 Oct 21 11:51 1655157-2009-10-21.log
-rw-r--r-- 1 syslog-ng wheel 147 Oct 21 11:51 1655158-2009-10-21.log
-rw-r--r-- 1 syslog-ng wheel 150 Oct 21 11:51 1655159-2009-10-21.log
-rw-r--r-- 1 syslog-ng wheel 154 Oct 21 11:52 1655160-2009-10-21.log
* where 16551xx is the count of the log message on the
switch
And each of those files contains one log message, e.g.
syslog-ng # cat 1655156-2009-10-21.log
Oct 21 11:51:15 6509switch1 1655156: Oct 21 18:51:14.922: %LINK-5-CHANGED: Interface GigabitEthernet3/35, changed state to administratively down
For reference, the logging on the switches is set as:
6509s:
service timestamps log datetime msec
logging buffered 20000 debugging
logging rate-limit 1000
log-adjacency-changes
logging <syslog host IP>
logging synchronous
2960s:
service timestamps log uptime
logging buffered 20000
logging <syslog host IP>
logging synchronous
I’m thinking I could have a separate destination
statement to properly deal with these but I’m wondering if there are
any other steps I can take to mitigate it. I have several Cisco firewalls
logging to syslog-ng and they do not have the same issue.
Thanks for any help.
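
The behaviour described in the post, as an added example (not part of the original message and not syslog-ng's own parser): a simplified Python model of the stored line format that shows the switch's counter landing in the program field, and one way to derive a stable, path-safe file name instead. The regexes, function names, the choice of the Cisco facility as the file name, and every sample line except the first are assumptions made for illustration.

```python
import re

# Sample input: the first line is from the post, the other two are constructed.
SAMPLES = [
    "Oct 21 11:51:15 6509switch1 1655156: Oct 21 18:51:14.922: %LINK-5-CHANGED: Interface GigabitEthernet3/35, changed state to administratively down",
    "Oct 21 11:51:20 6509switch1 1655157: Oct 21 18:51:19.101: %LINK-3-UPDOWN: Interface GigabitEthernet3/35, changed state to down",
    "Oct 21 11:52:01 host1 sshd[4242]: Accepted publickey for admin",
]

# Stored line layout shown in the post: "<ts> <host> <program>[pid]: <msg>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<program>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Cisco IOS message code, e.g. %LINK-5-CHANGED (facility-severity-mnemonic).
CISCO_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+)")
SAFE_RE = re.compile(r"[^A-Za-z0-9_.-]")


def parse(line):
    """Split a stored line into ts, host, program and msg (simplified model)."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("unrecognised line: %r" % line)
    return m.groupdict()


def stable_program(fields):
    """Return a low-cardinality, path-safe name to use in place of $PROGRAM."""
    program = fields["program"]
    if program.isdigit():
        # A purely numeric tag is the switch's message counter, not a program.
        cisco = CISCO_RE.search(fields["msg"])
        program = cisco.group("facility") if cisco else "cisco"
    # The value ends up in a file path, so keep only safe characters.
    return SAFE_RE.sub("_", program).lstrip(".") or "unknown"


def log_path(line, date="2009-10-21"):
    """Build the destination path the way the d_all template does."""
    fields = parse(line)
    host = SAFE_RE.sub("_", fields["host"]).lstrip(".") or "unknown"
    return "/var/log/syslog-ng/%s/%s-%s.log" % (host, stable_program(fields), date)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse(sample)["program"], "->", log_path(sample))
```

Because the file name comes from a sender-controlled field, the same normalisation also keeps a device that varies its tag from creating an unbounded number of files on the log host.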