On Wed, Mar 21, 2018 at 3:49 PM, Asif Iqbal <vadud3@gmail.com> wrote:


On Wed, Mar 21, 2018 at 10:29 AM, Asif Iqbal <vadud3@gmail.com> wrote:


On Wed, Mar 21, 2018 at 9:58 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
On Wed, Mar 21, 2018 at 09:46:32AM -0400, Asif Iqbal wrote:
> My client hostname is svl-search-01 and its IP resolves to svl-remote-01.
> Its syslogs do not have any PRI or hostname in HOST field.
>
> I like to have svl-search-01 in the HOST field.

In that case the only sensible options are:

* upgrade & use add-contextual-dat

  or

* use /etc/hosts and keep-hostname(no)


I noticed if I have mutiple source files I only get logs from the last source only. Does that make sense?

source s_sys {
        file ("/proc/kmsg" program_override("kernel: "));
    system();
    internal();
    udp(ip(0.0.0.0) port(514));
};

source s_udp { udp(ip(0.0.0.0) port(514)); };

source s_alarm { udp( ip(0.0.0.0)  port(514) use_dns(persist_only) ); };

log { source(s_sys); filter(f_ciena); destination(d_ciena); };
log { source(s_alarm); filter(f_alarm); destination(d_alarm); };

As soon as I commented all the other sources and only kept the s_sys, I started getting logs again from
those routers.


OK I verified. I cannot have two source like this. logs with source s_udp stop receiving data.

source s_udp { udp(ip(0.0.0.0) port(514)); };
source s_alarm { udp( ip(0.0.0.0)  port(514) use_dns(persist_only) ); };


syslog-ng should report this issue at startup and not start. Did it do that properly?
 

I need most sources use the default use_dns(yes) and only a handful of source with use_dns(persist_only).


you'd have to use separate ports or IPs for this to work.
 

How do I configure that?







______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq





--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?




--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq