Dear Nate,

In your words, there will be no solution to standardize the log format! Thanks for your reply!

Regards,
Wilson Lai
System Engineer
IT Dept., SJM Office
Tel: (853)2978585
Mobile: (853)66506709
Email: wilsonlai@macausjm.com

-----Original Message-----
From: syslog-ng-request@lists.balabit.hu [mailto:syslog-ng-request@lists.balabit.hu]
Sent: Saturday, September 08, 2007 6:00 PM
To: syslog-ng@lists.balabit.hu
Subject: syslog-ng Digest, Vol 29, Issue 7

Send syslog-ng mailing list submissions to
	syslog-ng@lists.balabit.hu

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.balabit.hu/mailman/listinfo/syslog-ng
or, via email, send a message with subject or body 'help' to
	syslog-ng-request@lists.balabit.hu

You can reach the person managing the list at
	syslog-ng-owner@lists.balabit.hu

When replying, please edit your Subject line so it is more specific
than "Re: Contents of syslog-ng digest..."

Today's Topics:

   1. Logs from Nauticus (Delphine D)
   2. Re: Hostname instead of FQDN in logs (Nate Campi)
   3. Re: syslog-ng Digest, Vol 28, Issue 21 (Nate Campi)
   4. Re: Logs from Nauticus (Nate Campi)
   5. Re: Logs from Nauticus (Delphine D)
   6. Re: Logs from Nauticus (Nate Campi)
   7. Re: How to "drop" a message, effectively skipping further processing and not logging it? (Eli Stair)

----------------------------------------------------------------------

Message: 1
Date: Fri, 07 Sep 2007 15:18:27 +0200
From: "Delphine D" <delphined_1300@hotmail.com>
Subject: [syslog-ng] Logs from Nauticus
To: syslog-ng@lists.balabit.hu
Message-ID: <BLU106-F41DCA93C3393AA7FA06E78E1C50@phx.gbl>
Content-Type: text/plain; charset=iso-8859-1; format=flowed

Hello,

Is there someone here having some knowledge of how to send logs from Nauticus (Sun Secure Application Switch Manager N2120) to syslog-ng?

I receive the logs on the centralized logs server but without any information about the source of the logs (no IP, no hostname).

In other words:

Sep 7 14:03:29 2007 v0 AAA [0/100e8] [ERROR]: User authentication failure, user: 'test', host: 1.2.3.4, application: httpLogin, method: TACACS(serviceNotAvailable) serviceNotAvailable

instead of:

Sep 7 14:03:29 2007/nauticus.ourdomain.be v0 AAA [0/100e8] [ERROR]: User authentication failure, user: 'test', host: 1.2.3.4, application: httpLogin, method: TACACS(serviceNotAvailable) serviceNotAvailable

Is there a parameter to change in the N2120?

Thank you very much.

------------------------------

Message: 2
Date: Fri, 7 Sep 2007 07:24:03 -0700
From: Nate Campi <nate@campin.net>
Subject: Re: [syslog-ng] Hostname instead of FQDN in logs
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <20070907142403.GB6166@campin.net>
Content-Type: text/plain; charset=us-ascii

On Fri, Sep 07, 2007 at 10:53:54AM +0200, Delphine D wrote:
> The others also return the hostname and not the FQDN (Ex: 'server2'
> and not 'server2.ourdomain.be') but they are using syslog instead of
> syslog-ng... That's the only difference...
Then it's because this host sends the hostname in the syslog message (syslog-ng always has a full and complete syslog message on the wire), but the boxes using syslogd don't actually send a hostname.

A message on your central syslog-ng server from a Linux box running syslogd will be written to disk something like:

Sep 7 07:16:20 hostname in.qpopper[7736]: connect from 12.12.12.12

...but on the wire it looks like this:

<13>in.qpopper[7736]: connect from 12.12.12.12

...and syslog-ng has to put in the rest of the info. This means that syslog-ng on the central box is putting in the FQDN for you. syslog-ng on the client is putting in a full message, including the short hostname, and the central syslog-ng is keeping it.

See http://www.campin.net/syslog-ng/syslog.html#missing_parts for more on this.

See http://www.campin.net/syslog-ng/faq.html#hostname to figure out the hostname options you want on your central syslog-ng server. Probably "keep_hostname(no)", plus "use_fqdn(yes);" to get the FQDN.

HTH,
-- 
Nate

Like medieval peasants, computer manufacturers and millions of users are locked in a seemingly eternal lease with their evil landlord, who comes around every two years to collect billions of dollars of taxes in return for mediocre services. --Mark Harris, Electronics Times

------------------------------

Message: 3
Date: Fri, 7 Sep 2007 07:26:12 -0700
From: Nate Campi <nate@campin.net>
Subject: Re: [syslog-ng] syslog-ng Digest, Vol 28, Issue 21
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <20070907142612.GC6166@campin.net>
Content-Type: text/plain; charset=us-ascii

On Fri, Sep 07, 2007 at 05:26:02PM +0800, Wilson Lai wrote:
> Dear all,
>
> What happens if the log message is not a standard syslog message?
>
> Thanks.
If a Cisco switch sends a message like this:

2005 Aug 23 03:04:05 UTC +00:00 %PAGP-5-PORTFROMSTP:Port 4/16 left bridge port 4/16

...it'll be written to disk like this:

Aug 23 03:04:05 switch.company.com 2005 Aug 23 03:04:05 UTC +00:00 %PAGP-5-PORTFROMSTP:Port 4/16 left bridge port 4/16

syslog servers put in a proper syslog formatted header. The behavior is documented here:

http://www.faqs.org/rfcs/rfc3164.html

It's not syslog-ng specific behavior.

-- 
Nate

"The IBM compatible sector has not yet recognized that 95% of computer usage is devoted to experimenting with different fonts and character styles in documents." - Reiner, Ron

------------------------------

Message: 4
Date: Fri, 7 Sep 2007 07:35:54 -0700
From: Nate Campi <nate@campin.net>
Subject: Re: [syslog-ng] Logs from Nauticus
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <20070907143554.GD6166@campin.net>
Content-Type: text/plain; charset=us-ascii

On Fri, Sep 07, 2007 at 03:18:27PM +0200, Delphine D wrote:
> I receive the logs on the centralized logs server but without any
> information about the source of the logs (no IP, no hostname).
>
> In other words:
>
> Sep 7 14:03:29 2007 v0 AAA [0/100e8] [ERROR]: User authentication failure,
> user: 'test', host: 1.2.3.4, application: httpLogin, method:
> TACACS(serviceNotAvailable) serviceNotAvailable
>
> instead of:
>
> Sep 7 14:03:29 2007/nauticus.ourdomain.be v0 AAA [0/100e8] [ERROR]: User
> authentication failure, user: 'test', host: 1.2.3.4, application:
> httpLogin, method: TACACS(serviceNotAvailable) serviceNotAvailable
>
> Is there a parameter to change in the N2120?
Those aren't standard syslog messages, and it's possible that paired with how Solaris sends a header but not a hostname, syslog-ng could be getting confused about this. You should send your "options" part of your syslog-ng.conf, and read http://www.campin.net/syslog-ng/syslog.html to see if it helps you understand what the messages look like on the wire and how syslog-ng makes its best guesses about what the fields mean.

Something similar is the reason for the "bad_hostname" option, but that's for when program names look like hostnames. You have a header section that looks like a hostname, but I'm not sure if you have a keep_hostname(no) that's stripping out your hostname from that weird header section that looks like syslog-ng's "chain_hostnames".

So send your options to the list, try setting keep_hostname(yes), or see if you can force a normal syslog format on the client side. What they're sending is wrong in a new way that isn't worked around in syslog-ng (AFAIK).

-- 
Nate

"Reader, suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." - Samuel Clemens

------------------------------

Message: 5
Date: Fri, 07 Sep 2007 16:47:31 +0200
From: "Delphine D" <delphined_1300@hotmail.com>
Subject: Re: [syslog-ng] Logs from Nauticus
To: syslog-ng@lists.balabit.hu
Message-ID: <BLU106-F26C91524EFE7580500E939E1C50@phx.gbl>
Content-Type: text/plain; charset=iso-8859-1; format=flowed
> On Fri, Sep 07, 2007 at 03:18:27PM +0200, Delphine D wrote:
> > I receive the logs on the centralized logs server but without any
> > information about the source of the logs (no IP, no hostname).
> >
> > In other words:
> >
> > Sep 7 14:03:29 2007 v0 AAA [0/100e8] [ERROR]: User authentication failure,
> > user: 'test', host: 1.2.3.4, application: httpLogin, method:
> > TACACS(serviceNotAvailable) serviceNotAvailable
> >
> > instead of:
> >
> > Sep 7 14:03:29 2007/nauticus.ourdomain.be v0 AAA [0/100e8] [ERROR]: User
> > authentication failure, user: 'test', host: 1.2.3.4, application:
> > httpLogin, method: TACACS(serviceNotAvailable) serviceNotAvailable
> >
> > Is there a parameter to change in the N2120?
>
> Those aren't standard syslog messages, and it's possible that paired with
> how Solaris sends a header but not a hostname, syslog-ng could be getting
> confused about this. You should send your "options" part of your
> syslog-ng.conf, and read http://www.campin.net/syslog-ng/syslog.html to
> see if it helps you understand what the messages look like on the wire and
> how syslog-ng makes its best guesses about what the fields mean.
>
> Something similar is the reason for the "bad_hostname" option, but that's
> for when program names look like hostnames. You have a header section that
> looks like a hostname, but I'm not sure if you have a keep_hostname(no)
> that's stripping out your hostname from that weird header section that
> looks like syslog-ng's "chain_hostnames".
>
> So send your options to the list, try setting keep_hostname(yes), or see
> if you can force a normal syslog format on the client side. What they're
> sending is wrong in a new way that isn't worked around in syslog-ng (AFAIK).
Thank you Nate for your help.

Here is the syslog-ng.conf from my logs server:

options {
        create_dirs(yes);
        dir_perm(0705);
        dir_owner(root);
        perm(0600);
        owner(root);
        sync(0);
        check_hostname(no);
        use_fqdn(yes);
        use_dns(yes);
        dns_cache(yes);
        dns_cache_expire(604800);
        dns_cache_size(400);
        stats(60);
        keep_hostname(yes);
        chain_hostnames(yes);
};

I'm not sure that we have the ability to change something in the Nauticus. There is no syslog or syslog-ng running on it. There are no configuration files like in "normal" servers (Linux, Solaris, ...). There is only a parameters section in the GUI, where you have to configure:

- SysLog Host --> IP of the logs server
- Syslog Port --> 514
- Filter --> defaultSyslog (by default)
- Facility --> local0, local1, .... or local7

But I don't find anything about hostname.

The strangest thing is that it was working fine a few weeks ago but it has suddenly stopped working :-(

Thanks.

------------------------------

Message: 6
Date: Fri, 7 Sep 2007 08:59:05 -0700
From: Nate Campi <nate@campin.net>
Subject: Re: [syslog-ng] Logs from Nauticus
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <20070907155905.GF6166@campin.net>
Content-Type: text/plain; charset=us-ascii

On Fri, Sep 07, 2007 at 04:47:31PM +0200, Delphine D wrote:
> Thank you Nate for your help.
>
> Here is the syslog-ng.conf from my logs server:
>
> options { create_dirs(yes);
> <snip>
> chain_hostnames(yes); };
Try chain_hostnames(no). No matter what, you're dealing with a bad format that's close enough to a good one to make syslog-ng guess incorrectly. This isn't the fault of syslog-ng, just a result of the imperfect world we live in.
> I'm not sure that we have the ability to change something in the Nauticus.
> There is no syslog or syslog-ng running on it. There are no configuration
> files like in "normal" servers (Linux, Solaris, ...).
>
> There is only a parameters section in the GUI, where you have to configure:
>
> - SysLog Host --> IP of the logs server
> - Syslog Port --> 514
> - Filter --> defaultSyslog (by default)
> - Facility --> local0, local1, .... or local7
Any other options? Any other Filter options, specifically? I've actually run perl-based syslog proxy code I wrote to work around really crappy syslog formats. The bad_hostname option came as a result of me bitching about the bad formats loudly enough and long enough. :) ISTR that syslog-ng 2.0 now has some rewriting ability. I haven't been paying much attention to that branch, you should probably read up on it. Possible that it's only in the dev branch - like I said I haven't been paying much attention.
> But I don't find anything about hostname.
>
> The strangest thing is that it was working fine a few weeks ago but it has
> suddenly stopped working :-(
Somebody changed either the syslog-ng server or your client. Maybe not even configs, but a version upgrade on the client perhaps.

-- 
Nate

An Emacs reference mug is what I want. It would hold ten gallons of coffee. -- Steve VanDevender
And, no doubt, have a lid that could only be removed with an obscure finger combination requiring both hands. (Ctrl-Alt-Meta-X gimme-the-damn-coffee) -- William Beegle

------------------------------

Message: 7
Date: Fri, 07 Sep 2007 14:39:26 -0700
From: Eli Stair <estair@ilm.com>
Subject: Re: [syslog-ng] How to "drop" a message, effectively skipping further processing and not logging it?
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <46E1C50E.9060405@ilm.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Geller, Sandor (IT) wrote:
> Hello,
>
> > Is there any way other than this to keep a message from being sent to
> > another host or a file? If not, is there any way to tell syslog-ng NOT to
> > modify the state of a file, just to send data TO it? That, or an internal
> > "drop" stop-processing built-in destination would be extremely useful.
>
> Simply remove all destinations from the log section and use flags(final);
> that will do the trick.
Don't I feel daft... I recall trying that a couple of years ago, but had errors I don't seem to have resolved before deciding to just write to /dev/null. I must've botched the syntax and thought that you HAD to have a destination in a log line!

Thanks for the suggestion.

Cheers,

/eli

------------------------------

_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng

End of syslog-ng Digest, Vol 29, Issue 7
****************************************
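The header-guessing that messages 2 through 4 of this digest describe, and the destination-less flags(final) drop from message 7, as an added example that is not part of the digest and is not syslog-ng code: a small Python model of an RFC 3164 receiver. It re-creates the on-disk lines quoted above from constructed wire input; the PRI values (<13>, <189>, <131>), the peer names and the receiver clocks are assumptions, and keep_hostname, use_fqdn and chain_hostnames are this model's simplified reading of the options of those names, not syslog-ng's actual parser. What it shows is the trap Nate points at: once a sender puts a valid TIMESTAMP on the wire, the next token is the HOSTNAME by definition, so the Nauticus "2007" lands in the hostname field; in this model chain_hostnames(yes) turns it into the 2007/nauticus.ourdomain.be form Delphine saw, and keep_hostname(no) is what replaces the bogus token with the resolved peer name.

```python
"""Model of an RFC 3164 receiver: header fill-in (messages 2 to 4) and the
destination-less flags(final) drop (message 7). Added example for this digest,
not syslog-ng code: option names mirror syslog-ng.conf but the semantics are
this model's simplification; PRI values, peer names and clocks are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Sequence, Tuple

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 TIMESTAMP "Mmm dd hh:mm:ss" has a space-padded day; also accept a
# single space, since mailers and copy-paste squash the padding.
TS_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")

@dataclass
class Parsed:
    facility: int
    severity: int
    timestamp: str            # from the wire, or the receiver's clock
    wire_host: Optional[str]  # HOSTNAME token as sent; None if omitted
    msg: str

def parse_wire(raw: str, now: datetime) -> Parsed:
    """Split one datagram into header fields per RFC 3164 section 4.3."""
    m = PRI_RE.match(raw)
    if m and int(m.group(1)) <= 191:
        pri, rest = int(m.group(1)), raw[m.end():]
    else:
        pri, rest = 13, raw          # 4.3.3: no valid PRI, assume user.notice
    facility, severity = divmod(pri, 8)
    ts = TS_RE.match(rest)
    if ts and ts.group(1) in MONTHS:
        stamp = f"{ts.group(1)} {int(ts.group(2)):2d} {ts.group(3)}:{ts.group(4)}:{ts.group(5)}"
        # HOSTNAME is just the next token. Nothing in the format lets a receiver
        # tell a real hostname from a stray word such as the Nauticus "2007".
        host, _, msg = rest[ts.end():].partition(" ")
        return Parsed(facility, severity, stamp, host, msg)
    # 4.3.2: PRI but no valid TIMESTAMP, so everything is MSG and the receiver
    # supplies TIMESTAMP and HOSTNAME itself (the syslogd and Cisco cases).
    stamp = f"{MONTHS[now.month - 1]} {now.day:2d} {now:%H:%M:%S}"
    return Parsed(facility, severity, stamp, None, rest)

def to_disk(p: Parsed, peer_fqdn: str, *, keep_hostname: bool = True,
            use_fqdn: bool = True, chain_hostnames: bool = False) -> str:
    """Render "TIMESTAMP HOST MSG" as the digest shows lines on disk.
    keep_hostname: trust the HOSTNAME sent on the wire; use_fqdn: when the
    receiver supplies the name, use the resolved FQDN rather than its first
    label; chain_hostnames: join wire name and resolved peer with "/"."""
    peer = peer_fqdn if use_fqdn else peer_fqdn.split(".")[0]
    if p.wire_host is None or not keep_hostname:
        host = peer
    elif chain_hostnames:
        host = f"{p.wire_host}/{peer}"
    else:
        host = p.wire_host
    return f"{p.timestamp} {host} {p.msg}"

LogPath = Tuple[Callable[[str], bool], Sequence[str], bool]  # filter, destinations, final

def route(line: str, log_paths: Sequence[LogPath]) -> Dict[str, List[str]]:
    """Run a line through log statements in order. A path with no destinations
    and final=True is the drop idiom: it matches, writes nothing, and stops."""
    written: Dict[str, List[str]] = {}
    for matches, destinations, final in log_paths:
        if not matches(line):
            continue
        for dest in destinations:
            written.setdefault(dest, []).append(line)
        if final:
            break
    return written

# Constructed wire input modelled on the digest's quoted lines; assumed clocks.
SYSLOGD = "<13>in.qpopper[7736]: connect from 12.12.12.12"
SYSLOG_NG_CLIENT = "<13>Sep  7 07:16:20 server2 in.qpopper[7736]: connect from 12.12.12.12"
CISCO = "<189>2005 Aug 23 03:04:05 UTC +00:00 %PAGP-5-PORTFROMSTP:Port 4/16 left bridge port 4/16"
NAUTICUS = ("<131>Sep  7 14:03:29 2007 v0 AAA [0/100e8] [ERROR]: User authentication failure, "
            "user: 'test', host: 1.2.3.4, application: httpLogin, "
            "method: TACACS(serviceNotAvailable) serviceNotAvailable")
SEP7_EARLY = datetime(2007, 9, 7, 7, 16, 20)
SEP7 = datetime(2007, 9, 7, 14, 3, 29)
AUG23 = datetime(2005, 8, 23, 3, 4, 5)

if __name__ == "__main__":
    print(to_disk(parse_wire(SYSLOGD, SEP7_EARLY), "server2.ourdomain.be"))
    print(to_disk(parse_wire(CISCO, AUG23), "switch.company.com"))
    for opts in ({}, {"chain_hostnames": True}, {"keep_hostname": False}):
        print(opts, to_disk(parse_wire(NAUTICUS, SEP7), "nauticus.ourdomain.be", **opts))
```

Run it and compare the Nauticus line under the three option sets: the default keeps the "2007" token as the host, chain_hostnames(yes) gives the slash-joined form, and only keep_hostname(no) yields a usable source. The route() helper is the same idea applied to message 7: a log statement with a filter, no destination and flags(final) consumes the matching message before any later statement can write it.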