On Wed, Mar 21, 2018 at 3:49 PM, Asif Iqbal <vadud3@gmail.com> wrote:
On Wed, Mar 21, 2018 at 10:29 AM, Asif Iqbal <vadud3@gmail.com> wrote:
On Wed, Mar 21, 2018 at 9:58 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
On Wed, Mar 21, 2018 at 09:46:32AM -0400, Asif Iqbal wrote:
My client hostname is svl-search-01 and its IP resolves to svl-remote-01. Its syslogs do not have any PRI or hostname in HOST field.
I would like to have svl-search-01 in the HOST field.
In that case the only sensible options are:
* upgrade & use add-contextual-data
or
* use /etc/hosts and keep-hostname(no)
I noticed that if I have multiple source files, I only get logs from the last source. Does that make sense?
source s_sys { file ("/proc/kmsg" program_override("kernel: ")); system(); internal(); udp(ip(0.0.0.0) port(514)); };
source s_udp { udp(ip(0.0.0.0) port(514)); };
source s_alarm { udp( ip(0.0.0.0) port(514) use_dns(persist_only) ); };
log { source(s_sys); filter(f_ciena); destination(d_ciena); };
log { source(s_alarm); filter(f_alarm); destination(d_alarm); };
As soon as I commented all the other sources and only kept the s_sys, I started getting logs again from those routers.
OK, I verified. I cannot have two sources like this. Logs with source s_udp stop receiving data.
source s_udp { udp(ip(0.0.0.0) port(514)); };
source s_alarm { udp( ip(0.0.0.0) port(514) use_dns(persist_only) ); };
syslog-ng should report this issue at startup and not start. Did it do that properly?
I need most sources to use the default use_dns(yes) and only a handful of sources with use_dns(persist_only).
You'd have to use separate ports or IPs for this to work.
How do I configure that?
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing?
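One way to set up the "separate ports" suggestion from the thread, as an added example that is not part of any poster's message or of the syslog-ng project's own documentation. Port 5514 is an assumed free port, and f_ciena, d_ciena, f_alarm and d_alarm are taken to be the poster's existing definitions, which the thread does not show.

```conf
# Added example: fragment to merge into an existing syslog-ng.conf.
# Assumptions: port 5514 is free; the filters and destinations named in
# the log paths are already defined elsewhere in the config.

options {
    keep-hostname(no);               # HOST is derived from the sender's address
    dns-cache-hosts("/etc/hosts");   # file consulted by use_dns(persist_only)
};

# Default listener. Only one udp() driver can bind 0.0.0.0:514, so the
# separate s_udp source from the thread is dropped.
source s_sys {
    file("/proc/kmsg" program_override("kernel: "));
    system();
    internal();
    udp(ip(0.0.0.0) port(514));      # use_dns(yes) is the default
};

# Second listener on its own port. Names come only from the hosts file
# above, so a sender missing from that file appears by IP address.
source s_alarm {
    udp(ip(0.0.0.0) port(5514) use_dns(persist_only));
};

log { source(s_sys);   filter(f_ciena); destination(d_ciena); };
log { source(s_alarm); filter(f_alarm); destination(d_alarm); };

# "Separate IPs" variant: keep port(514) on both drivers and bind each
# one to a different local address in ip() instead of 0.0.0.0.
```

The handful of devices that need persist_only have to be reconfigured to send to the second port (or second address), since the split is made by where the datagram arrives, not by who sent it.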