Hi,

I am running syslog-ng on an HP-UX server listening on UDP port 514. It is receiving logs from syslogd running on another server. For some messages syslog-ng does not log the hostname information found in the UDP packet. Rather, it mistakes some data in UDP as the hostname information.

Here is the complete information. syslog-ng 2.0.9 on HP-UX. Syslogd on node01 sends logs to syslog-ng on node02.

The logs in node02 are:

    Jan 9 11:55:11 node01 root: testing1
    Jan 9 11:55:32 above message repeats 5 times
    Jan 9 11:55:32 node01 root: testing4

Notice that hostname is missing in the second message.

tcpdump on UDP port 514 for the above logs:

    11:57:26.183996 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39220, offset 0, flags [DF], proto UDP (17), length 62)
        node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 34
        Facility user (1), Severity notice (5)
        Msg: Jan 9 11:55:11 root: testing1
        0x0000: 3c31 333e 4a61 6e20 2039 2031 313a 3535
        0x0010: 3a31 3120 726f 6f74 3a20 7465 7374 696e
        0x0020: 6731
        0x0000: 0030 6e4a 3244 0030 6e4b 2637 0800 4500 .0nJ2D.0nK&7..E.
        0x0010: 003e 9934 4000 4011 3c2c 10b5 a1f0 10b5 .>.4@.@.<,......
        0x0020: a1f4 e03b 0202 002a a973 3c31 333e 4a61 ...;...*.s<13>Ja
        0x0030: 6e20 2039 2031 313a 3535 3a31 3120 726f n..9.11:55:11.ro
        0x0040: 6f74 3a20 7465 7374 696e 6731 ot:.testing1

    11:57:26.185727 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 64, id 39221, offset 0, flags [DF], proto UDP (17), length 78)
        node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 50
        Facility user (1), Severity notice (5)
        Msg: Jan 9 11:55:32 above message repeats 5 times
        0x0000: 3c31 333e 4a61 6e20 2039 2031 313a 3535
        0x0010: 3a33 3220 2061 626f 7665 206d 6573 7361
        0x0020: 6765 2072 6570 6561 7473 2035 2074 696d
        0x0030: 6573
        0x0000: 0030 6e4a 3244 0030 6e4b 2637 0800 4500 .0nJ2D.0nK&7..E.
        0x0010: 004e 9935 4000 4011 3c1b 10b5 a1f0 10b5 .N.5@.@.<.......
        0x0020: a1f4 e03b 0202 003a b3b0 3c31 333e 4a61 ...;...:..<13>Ja
        0x0030: 6e20 2039 2031 313a 3535 3a33 3220 2061 n..9.11:55:32..a
        0x0040: 626f 7665 206d 6573 7361 6765 2072 6570 bove.message.rep
        0x0050: 6561 7473 2035 2074 696d 6573 eats.5.times

    11:57:26.186879 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39222, offset 0, flags [DF], proto UDP (17), length 62)
        node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 34
        Facility user (1), Severity notice (5)
        Msg: Jan 9 11:55:32 root: testing4
        0x0000: 3c31 333e 4a61 6e20 2039 2031 313a 3535
        0x0010: 3a33 3220 726f 6f74 3a20 7465 7374 696e
        0x0020: 6734
        0x0000: 0030 6e4a 3244 0030 6e4b 2637 0800 4500 .0nJ2D.0nK&7..E.
        0x0010: 003e 9936 4000 4011 3c2a 10b5 a1f0 10b5 .>.6@.@.<*......
        0x0020: a1f4 e03b 0202 002a a86e 3c31 333e 4a61 ...;...*.n<13>Ja
        0x0030: 6e20 2039 2031 313a 3535 3a33 3220 726f n..9.11:55:32.ro
        0x0040: 6f74 3a20 7465 7374 696e 6734 ot:.testing4

When I change keep_hostname(yes) to keep_hostname(no) and add the chain_hostnames(yes) option I get the following logged.

    Jan 9 11:55:22 node01/node01 root: testing3
    Jan 9 11:57:13 above/node01 message repeats 6 times
    Jan 9 11:57:13 node01/node01 root: testing8

I would say syslog-ng is confusing 'above' as the hostname before rewriting hostname.

The tcpdump for these logs is:

    11:59:06.362374 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39223, offset 0, flags [DF], proto UDP (17), length 62)
        node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 34
        Facility user (1), Severity notice (5)
        Msg: Jan 9 11:55:22 root: testing3
        0x0000: 3c31 333e 4a61 6e20 2039 2031 313a 3535
        0x0010: 3a32 3220 726f 6f74 3a20 7465 7374 696e
        0x0020: 6733
        0x0000: 0030 6e4a 3244 0030 6e4b 2637 0800 4500 .0nJ2D.0nK&7..E.
        0x0010: 003e 9937 4000 4011 3c29 10b5 a1f0 10b5 .>.7@.@.<)......
        0x0020: a1f4 e03b 0202 002a a870 3c31 333e 4a61 ...;...*.p<13>Ja
        0x0030: 6e20 2039 2031 313a 3535 3a32 3220 726f n..9.11:55:22.ro
        0x0040: 6f74 3a20 7465 7374 696e 6733 ot:.testing3

    11:59:06.364052 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 64, id 39224, offset 0, flags [DF], proto UDP (17), length 78)
        node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 50
        Facility user (1), Severity notice (5)
        Msg: Jan 9 11:57:13 above message repeats 6 times
        0x0000: 3c31 333e 4a61 6e20 2039 2031 313a 3537
        0x0010: 3a31 3320 2061 626f 7665 206d 6573 7361
        0x0020: 6765 2072 6570 6561 7473 2036 2074 696d
        0x0030: 6573
        0x0000: 0030 6e4a 3244 0030 6e4b 2637 0800 4500 .0nJ2D.0nK&7..E.
        0x0010: 004e 9938 4000 4011 3c18 10b5 a1f0 10b5 .N.8@.@.<.......
        0x0020: a1f4 e03b 0202 003a b2af 3c31 333e 4a61 ...;...:..<13>Ja
        0x0030: 6e20 2039 2031 313a 3537 3a31 3320 2061 n..9.11:57:13..a
        0x0040: 626f 7665 206d 6573 7361 6765 2072 6570 bove.message.rep
        0x0050: 6561 7473 2036 2074 696d 6573 eats.6.times

    11:59:06.364302 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39225, offset 0, flags [DF], proto UDP (17), length 62)
        node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 34
        Facility user (1), Severity notice (5)
        Msg: Jan 9 11:57:13 root: testing8
        0x0000: 3c31 333e 4a61 6e20 2039 2031 313a 3537
        0x0010: 3a31 3320 726f 6f74 3a20 7465 7374 696e
        0x0020: 6738
        0x0000: 0030 6e4a 3244 0030 6e4b 2637 0800 4500 .0nJ2D.0nK&7..E.
        0x0010: 003e 9939 4000 4011 3c27 10b5 a1f0 10b5 .>.9@.@.<'......
        0x0020: a1f4 e03b 0202 002a a76a 3c31 333e 4a61 ...;...*.j<13>Ja
        0x0030: 6e20 2039 2031 313a 3537 3a31 3320 726f n..9.11:57:13.ro
        0x0040: 6f74 3a20 7465 7374 696e 6738 ot:.testing8

Is this a bug in how syslogd sends the message or is it a syslog-ng logging problem?

Thanks,
Manu

P.S: Apologies for the long mail
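
The ambiguity described in the mail above, as an added example that is not part of the original post and is not syslog-ng's code: a heuristic BSD-syslog parser that takes the first token after the timestamp as the hostname, run over the three payloads reconstructed from the hex bytes in the first tcpdump capture. The function names, the tag heuristic and the `known_hosts` allowlist are assumptions made for illustration; `attribute()` shows receiver-side attribution that falls back to the UDP peer name instead of trusting an unrecognised in-payload token.

```python
import re

# Payloads reconstructed from the hex bytes in the first tcpdump capture
# (<13> = facility user, severity notice; note the double space before "above").
SAMPLES = [
    "<13>Jan  9 11:55:11 root: testing1",
    "<13>Jan  9 11:55:32  above message repeats 5 times",
    "<13>Jan  9 11:55:32 root: testing4",
]

HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) +(.*)$", re.S)

def parse_naive(payload):
    """Heuristic parse (illustrative): the first token after the timestamp is
    taken as HOSTNAME unless it looks like a program tag (':' suffix or '[pid]')."""
    m = HEADER.match(payload)
    if not m:
        return {"pri": None, "ts": None, "host": None, "msg": payload}
    pri, ts, rest = int(m.group(1)), m.group(2), m.group(3)
    token, _, tail = rest.partition(" ")
    if token.endswith(":") or "[" in token:
        return {"pri": pri, "ts": ts, "host": None, "msg": rest}
    return {"pri": pri, "ts": ts, "host": token, "msg": tail}

def attribute(payload, peer, known_hosts):
    """Receiver-side attribution: accept an in-payload host only if it is in the
    (hypothetical) allowlist; otherwise use the peer name taken from the UDP
    source and keep the rejected token as part of the message text."""
    rec = parse_naive(payload)
    if rec["host"] is not None and rec["host"] not in known_hosts:
        rec["msg"] = f'{rec["host"]} {rec["msg"]}'.strip()
        rec["host"] = None
    rec["host"] = rec["host"] or peer
    return rec

def render(rec):
    """Format a record the way the log lines in the mail are laid out."""
    return f'{rec["ts"]} {rec["host"]} {rec["msg"]}'

if __name__ == "__main__":
    for p in SAMPLES:
        print("naive     :", parse_naive(p))
        print("attributed:", render(attribute(p, "node01", {"node01"})))
```
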