Hi,

I'm having some problems properly storing messages received from AIX servers. The format which they come in is like this:

"Jul 5 19:30:59 Message forwarded from server2: su: from root to ..."

According to a thread on this mailing list (https://lists.balabit.hu/pipermail/syslog-ng/2006-October/009372.html), and if I understood correctly, this should be OK, and I should get the expected behaviour of replacing this with the form:

"Jul 5 19:30:59 server2 su: from root to ..."

However, what I get in the log is:

"Jul 5 19:30:59 192.168.1.1 su: from root to ..."

Where the 192.168.1.1 is the IP of the machine I got the message from and not the name of the server (server2 in this case).

The issue here is that these messages belong to several machines which are sending their syslog messages to a NIM server, which in turn forwards them to our syslog server, so the IP we end up with is not the machine's IP but rather the NIM server's IP, which is not what we need. I tried parsing the message on arrival, but it doesn't work; I suppose it's because syslog-ng processes it before the parsers kick in.

Is there a way to do this?

TIA, Ricardo.
Hi,

did you try setting the keep_hostname(yes) global option?

Robert

On 07/05/2011 09:05 PM, Ricardo Oliveira wrote:
[...]
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Hi,

Thanks for your reply. I did, but it still keeps the IP address, so I removed it.

These are my options:

    long_hostnames(off);
    # doesn't actually help on Solaris, log(3) truncates at 1024 chars
    log_msg_size(8192);
    # buffer just a little for performance
    # sync(1); <- Deprecated - use flush_lines() instead
    flush_lines(1);
    # memory is cheap, buffer messages unable to write (like to loghost)
    log_fifo_size(16384);
    # Hosts we don't want syslog from
    #bad_hostname("^(ctld.|cmd|tmd|last)$");
    # The time to wait before a dead connection is reestablished (seconds)
    time_reopen(10);
    #Use DNS so that our good names are used, not hostnames
    use_dns(no);
    dns_cache(yes);
    #Use the whole DNS name
    use_fqdn(no);
    keep_hostname(no);
    chain_hostnames(no);
    #Read permission for everyone
    perm(0644);
    # The default action of syslog-ng 1.6.0 is to log a STATS line
    # to the file every 10 minutes. That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    # stats(43200);

Thanks, Ricardo.
Date: Wed, 6 Jul 2011 09:04:51 +0200
From: frobert@balabit.hu
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng] AIX Syslog Messages
[...]
Does anyone have an idea to "fix" this behavior? :)

I'd be happy with a workaround, if it's not a question of a problem with my options. Like I said, I tried regexping it, but it also doesn't work.

Thanks, Ricardo.

From: n3g4s@hotmail.com
To: syslog-ng@lists.balabit.hu
Date: Wed, 6 Jul 2011 10:46:34 +0000
Subject: Re: [syslog-ng] AIX Syslog Messages

[...]
Hi,

This is how syslog-ng tries to find a proper hostname:

1) parse the one in the message if present. The AIX "message forwarded from" format contains a source hostname, and this is added into the $HOST macro.

2) if keep-hostname() is set to "no" or the $HOST is empty (e.g. parsing failed because the incoming message had no $HOST part in the first place), then syslog-ng tries to resolve it based on the sender IP address.

3) when resolving an address, syslog-ng optionally uses DNS or a local /etc/hosts file. If DNS is not in use, or the IP cannot be resolved, it uses the IP address.

The sample options you've pasted contain keep_hostname(no), which explains why you see an IP address there.

You state that even with keep_hostname(yes), the same behaviour remains. This might be a bug then; however, in order to diagnose the problem, please send the packet contents as received by syslog-ng (to see what it really receives), and the exact settings at the reception.

Thanks.

On Wed, 2011-07-06 at 10:46 +0000, Ricardo Oliveira wrote:
[...]
-- Bazsi
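A workaround for the relay case described in this thread, as an added example that is neither part of the thread nor syslog-ng's own shipped configuration. Rather than depending on the built-in "Message forwarded from" handling plus keep_hostname(yes), it takes the packet text unparsed on a dedicated listener and rebuilds HOST, PROGRAM and MESSAGE from the prefix with a match() filter and set() rewrites. Assumptions of mine: the listener port (5514), the file paths, the regular expression, and that the NIM relay is 192.168.1.1 (the address quoted in the thread). Whether a given AIX release emits exactly this prefix should be confirmed against a packet capture, as Bazsi asks for above. One security caveat applies to both keep_hostname(yes) and this rewrite: the hostname is trusted from inside the UDP payload, so any host that can reach the listener can claim to be server2; the netmask() filter limits that trust to the relay's address, which is the only place the forwarded format should come from.

```conf
@version: 3.2

options {
    keep_hostname(yes);    # trust the hostname syslog-ng obtains from the message
    chain_hostnames(no);   # do not append the relay's name to it
    use_dns(no);
};

# Dedicated listener for the NIM relay (port 5514 is an assumption).
# flags(no-parse) hands the complete packet text to $MESSAGE, so the
# "Message forwarded from" prefix is seen exactly as AIX sent it.
source s_aix_relay {
    udp(ip(0.0.0.0) port(5514) flags(no-parse));
};

# Only the relay may deliver the forwarded format; 192.168.1.1 is the
# NIM server address quoted in the thread (assumed, adjust to yours).
filter f_from_nim { netmask("192.168.1.1/32"); };

# Groups: 1 = origin host, 2 = program, 3 = message text.
# The optional <PRI> prefix survives no-parse, so it is skipped, as is the
# BSD timestamp (e.g. "Jul  5 19:30:59", note the possible double space).
filter f_aix_fwd {
    match("^(?:<[0-9]+>)?[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} Message forwarded from ([^: ]+): ([^:]+): (.*)$"
          value("MESSAGE") type("pcre"));
};

# $1..$N hold the groups of the last match(); MESSAGE is rewritten last
# because the groups were taken from its original value.
rewrite r_aix_fwd {
    set("$1" value("HOST"));
    set("$2" value("PROGRAM"));
    set("$3" value("MESSAGE"));
};

# One file per origin host, e.g. /var/log/aix/server2.log (path assumed).
destination d_aix {
    file("/var/log/aix/$HOST.log"
         template("$ISODATE $HOST $PROGRAM: $MESSAGE\n"));
};

# Anything from the relay that does not match the expected format is kept
# here instead of being silently mislabelled, so a format change is noticed.
destination d_aix_raw { file("/var/log/aix/unparsed.log"); };

log {
    source(s_aix_relay);
    filter(f_from_nim);
    log { filter(f_aix_fwd); rewrite(r_aix_fwd); destination(d_aix); flags(final); };
    log { destination(d_aix_raw); };
};
```

With no-parse, $ISODATE is the time of reception on the syslog-ng host, not the timestamp inside the packet; if the original timestamp matters, capture it as a further group and keep it in the template. Lines that fail the match land in unparsed.log with the relay's IP as $HOST, which is the same effect the thread describes, so that file is the first place to look when a new AIX host or release starts sending a slightly different prefix.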
participants (3)
- Balazs Scheidler
- Fekete Robert
- Ricardo Oliveira