Sent: Mon Aug 29 2011 17:10:19 GMT-0600 (MST) From: Matt Zagrabelny <mzagrabe@d.umn.edu> To: syslogng@feystorm.net "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu> Subject: Re: [syslog-ng] malformed syslog packets?
On Mon, Aug 29, 2011 at 5:10 PM, <syslogng@feystorm.net> wrote:
Sent: Mon Aug 29 2011 15:20:51 GMT-0600 (MST) From: Matt Zagrabelny <mzagrabe@d.umn.edu> To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu> Subject: [syslog-ng] malformed syslog packets?
Hi!
I've got a central log server running the OSE 3.1.3 version of syslog-ng:
% dpkg -l syslog-ng
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name            Version         Description
+++-===============-===============-==================================
ii  syslog-ng       3.1.3-3         Next generation logging daemon
I have dns lookup turned on via:
options {
    use_dns(yes);
    dns_cache(2000);
    dns_cache_expire(87600);
};
And this seems to work just fine...except for a certain type of device on our network.
We have a number of UPSes that log to our central log server and it seems that the DNS lookups do not work for those (types of devices).
% cd /var/log/syslog-ng/remote_clients
% ls -d 10.*
10.25.32.4  10.25.5.15  10.25.5.19  10.25.5.26  10.25.5.35  10.25.5.4   10.25.5.44  10.25.5.51  10.25.5.6   10.25.5.65  10.25.5.69  10.25.5.76
10.25.5.1   10.25.5.16  10.25.5.2   10.25.5.27  10.25.5.36  10.25.5.40  10.25.5.49  10.25.5.52  10.25.5.60  10.25.5.66  10.25.5.7   10.25.5.79
10.25.5.10  10.25.5.17  10.25.5.20  10.25.5.28  10.25.5.37  10.25.5.41  10.25.5.5   10.25.5.55  10.25.5.61  10.25.5.67  10.25.5.72  10.25.5.81
10.25.5.14  10.25.5.18  10.25.5.23  10.25.5.3   10.25.5.38  10.25.5.43  10.25.5.50  10.25.5.58  10.25.5.62  10.25.5.68  10.25.5.75  10.25.5.9
When I look up those IP addresses, they are *all* APC batteries (UPSes).
For instance:
% dig -x 10.25.5.43 +short
kplz246Abat1.d.umn.edu.
Is it possible that they are sending some sort of munged data to the log server and syslog-ng is not able to perform the (reverse) name lookup?
Any advice?
What macro are you using for the file name?
I believe $HOST.
destination d_remote_clients {
    file("/var/log/syslog-ng/remote_clients/$HOST/$YEAR/$MONTH/$DAY/$FACILITY"
         owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes)
    );
};
-mz
That would be the issue. You want $HOST_FROM.

From the user guide:

HOST
Description: The name of the source host where the message originates from. If the message traverses several hosts and the chain_hostnames() option (http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/index.html-single.html#option_chain_hostnames) is on, the first host in the chain is used. To use this macro, make sure that the keep_hostname() option is enabled.

HOST_FROM
Description: Name of the host that sent the message to syslog-ng, as resolved by syslog-ng using DNS. If the message traverses several hosts, this is the last host in the chain. To use this macro, make sure that the keep_hostname() option is enabled.
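The reply above contrasts $HOST (the hostname field carried inside the syslog message, i.e. whatever the sending device wrote there) with $HOST_FROM (the sender as syslog-ng sees it on the wire, resolved through DNS). The script below is an added example, not code from this thread or from syslog-ng, that models that distinction on constructed input: it parses the RFC 3164 HOST field out of a few made-up datagrams, looks the sender address up in a constructed stand-in for reverse DNS (REVERSE_DNS), and reports whether the two agree, whether the HOST field is an IP literal (the UPS case), or whether it names some other machine entirely. The function and variable names are the example's own and do not correspond to syslog-ng internals.

```python
import ipaddress
import re

# Constructed sample datagrams: (sender IP as seen on the UDP socket, raw payload).
# The first mimics an embedded device that writes its own IP address in the HOST
# field; the second is an ordinary host; the third carries a HOST field that does
# not belong to the sender. None of these are captures from the list thread.
SAMPLE_DATAGRAMS = [
    ("10.25.5.43", "<13>Aug 29 15:20:51 10.25.5.43 UPS: Main Outlet Group On"),
    ("10.25.1.10", "<38>Aug 29 15:21:03 webfe1 sshd[2111]: Accepted publickey for ops"),
    ("10.25.1.11", "<13>Aug 29 15:21:09 webfe1 cron[22]: job finished"),
]

# Constructed stand-in for the reverse lookups syslog-ng performs with use_dns(yes).
REVERSE_DNS = {
    "10.25.5.43": "kplz246Abat1.d.umn.edu",
    "10.25.1.10": "webfe1.example.test",
    "10.25.1.11": "webfe2.example.test",
}

# RFC 3164 layout: <PRI>TIMESTAMP HOST MSG; the day of month may be space-padded.
BSD_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


def parse_bsd_syslog(raw):
    """Split a BSD-style syslog payload into its fields; raise on malformed input."""
    m = BSD_SYSLOG.match(raw)
    if m is None:
        raise ValueError("not an RFC 3164 message: %r" % raw)
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 severities - 1
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def is_ip_literal(value):
    """True when the HOST slot holds an address rather than a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify_host(sender_ip, raw, resolver=REVERSE_DNS.get):
    """Compare the message's HOST field (what $HOST sees) with the resolved
    sender (what $HOST_FROM sees) and label the relationship."""
    fields = parse_bsd_syslog(raw)
    claimed = fields["host"]
    host_from = resolver(sender_ip) or sender_ip  # fall back to the bare address
    if is_ip_literal(claimed):
        status = "ip-literal"       # device put an address in the HOST slot
    elif claimed in (host_from, host_from.split(".")[0]):
        status = "ok"               # short or fully qualified name matches
    else:
        status = "mismatch"         # HOST field names some other machine
    return {"HOST": claimed, "HOST_FROM": host_from, "status": status,
            "facility": fields["facility"]}


def audit(datagrams, resolver=REVERSE_DNS.get):
    """Run classify_host over a batch; returns one result dict per datagram."""
    return [classify_host(ip, raw, resolver) for ip, raw in datagrams]


if __name__ == "__main__":
    for r in audit(SAMPLE_DATAGRAMS):
        print("%-10s HOST=%-22s HOST_FROM=%s" % (r["status"], r["HOST"], r["HOST_FROM"]))
```

The point the check makes visible is that the HOST field is chosen by the client, while HOST_FROM is derived from the transport sender and the server's own DNS. A destination path keyed on $HOST therefore lands wherever the device decides to name itself, which for the UPSes in the thread is their IP address; keying it on $HOST_FROM ties the directory to the address the datagram actually came from. Running a comparison like this over a sample of incoming messages is a cheap way to find the senders whose two values disagree before changing the macro.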