I've recently started using syslog-ng 3.0.4 on a Solaris system to collect logs from a number of devices and servers. I've noticed a few instances where the first word of a log message is dropped from the entry written to file when comparing to the standard syslogd.

One example is a message (local1.err) that comes over the network as:

Sep 10 09:29:32 duplicate IP address 1.1.1.1 sent from link address 00:00:00:00:00:00

Without the store-legacy-msghdr flag, the resulting message in my log file generated by syslog-ng is:

Sep 10 09:29:32 so7761 IP: address 1.1.1.1 sent from link address 00:00:00:00:00:00

If I put the store-legacy-msghdr flag in, I only get a very minor change, no colon:

Sep 10 09:29:32 so7761 IP address 1.1.1.1 sent from link address 00:00:00:00:00:00

Is there any way I can get these entries to log correctly?

Thanks,
Tim
In syslog protocol the first word after the timestamp is either (a) the name of the host that sent the message or (b) the name of the application that sent the message, followed by a colon. If there is no colon it is interpreted as format (a).

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Rudolph, Timothy L
Sent: 10 September 2009 16:27
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] First word of log message dropped

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
On Thu, 2009-09-10 at 18:33 +0000, Fegan, Joe wrote:
In syslog protocol the first word after the timestamp is either (a) the name of the host that sent the message or (b) the name of the application that sent the message, followed by a colon. If there is no colon it is interpreted as format (a).
and there's a workaround for this issue: use the bad_hostnames() regexp to specify which words should not be accounted as a hostname. e.g. you need

bad_hostnames("^duplicate$")

which will cause syslog-ng to recognize that duplicate is not a hostname, rather a program name and everything after it the message payload:

HOST=<sender IP address or resolved DNS name>
PROGRAM=duplicate
MSG=IP address 1.1.1.1 sent from link address 00:00:00:00:00:00

If you don't use store-legacy-msghdr this is what you'll get:

<datetime> <sender host> duplicate: IP address

and with store-legacy-msghdr the colon will be omitted.
-- Bazsi
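To make the parsing rule in this thread concrete, here is an added example (not syslog-ng's code, and not from either poster) that models the BSD-syslog header heuristic Joe describes, the bad_hostname() override Bazsi suggests, and the store-legacy-msghdr difference Tim observed. It assumes "so7761" is the resolved name of the sending host (as in Tim's output), and the sshd and free-form sample lines are constructed for the example. Note that the global option is spelled bad_hostname() in syslog-ng's options { } block; the regex is matched against the candidate hostname word.

```python
"""Toy model of the BSD-syslog header heuristic discussed in the thread.

Added example, not syslog-ng's parser: the word after the timestamp is taken
as HOST unless it carries a colon or [pid] (then it is PROGRAM), and a word
matching the bad_hostname regex is never accepted as HOST.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines: the first is the message from the thread, the
# others are made up here to show a conforming line and a free-form one.
SAMPLES = {
    "thread": "Sep 10 09:29:32 duplicate IP address 1.1.1.1 sent from link address 00:00:00:00:00:00",
    "sshd": "<38>Sep 10 09:29:33 host1 sshd[4242]: Failed password for invalid user admin from 10.0.0.5 port 51022 ssh2",
    "free": "Sep 10 09:29:34 host1 something happened here",
}

# Optional <PRI>, then an RFC 3164 "Mmm dd hh:mm:ss " timestamp.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
)
# PROGRAM runs up to whitespace, ':' or '[', optionally followed by [pid] and ':'.
PROGRAM_RE = re.compile(r"^(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:? ?")


@dataclass
class Parsed:
    timestamp: str
    host: str
    program: str
    pid: Optional[str]
    msg: str
    raw_msghdr: str  # header text as it arrived, used for store-legacy-msghdr


def parse_bsd(line: str, sender: str, bad_hostname: Optional[str] = None,
              keep_hostname: bool = False) -> Parsed:
    """Split one line into HOST / PROGRAM / MSG.

    `sender` is the resolved name or IP of the peer that delivered the
    datagram; it replaces HOST unless keep_hostname is True (modelling
    syslog-ng's keep_hostname(no) default, which is why Tim's file shows
    "so7761" instead of "duplicate").  Any HOST taken from the message body
    is attacker-controlled text, so keep_hostname(yes) on a network source
    lets a sender impersonate another host in the log.
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("no BSD timestamp in %r" % line)
    rest = line[m.end():]
    first, _, tail = rest.partition(" ")
    tagged = ":" in first or "[" in first   # looks like "prog:" or "prog[pid]:"
    blocked = bad_hostname is not None and re.search(bad_hostname, first) is not None
    if tagged or blocked:
        host, body = sender, rest            # first word is PROGRAM, not HOST
    else:
        host, body = (first if keep_hostname else sender), tail
    pm = PROGRAM_RE.match(body)
    if pm is None:
        return Parsed(m["ts"], host, "", None, body, "")
    return Parsed(m["ts"], host, pm["program"], pm["pid"],
                  body[pm.end():], body[:pm.end()])


def render(p: Parsed, store_legacy_msghdr: bool = False) -> str:
    """Emit "$DATE $HOST $MSGHDR$MSG" the way a file destination would.

    Without store-legacy-msghdr the header is rebuilt as "program[pid]: ",
    which is where the colon Tim saw comes from; with it the original
    header text is reused verbatim.
    """
    if store_legacy_msghdr:
        hdr = p.raw_msghdr
    elif p.program:
        hdr = p.program + ("[%s]" % p.pid if p.pid else "") + ": "
    else:
        hdr = ""
    return "%s %s %s%s" % (p.timestamp, p.host, hdr, p.msg)


def demo() -> dict:
    """Run the thread's scenarios on the thread's line; returns rendered lines."""
    sender = "so7761"                        # assumed resolved sender name
    line = SAMPLES["thread"]
    plain = parse_bsd(line, sender)
    fixed = parse_bsd(line, sender, bad_hostname=r"^duplicate$")
    return {
        "default": render(plain),
        "legacy_msghdr": render(plain, store_legacy_msghdr=True),
        "bad_hostname": render(fixed),
        "bad_hostname_legacy": render(fixed, store_legacy_msghdr=True),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print("%-20s %s" % (name, out))
```

The "default" and "legacy_msghdr" results reproduce the two lines Tim pasted, and "bad_hostname_legacy" is the original message with only the sender name inserted, which is what the workaround plus store-legacy-msghdr yields. The free-form sample shows the flip side of the heuristic: with no colon anywhere, the first word after the hostname still becomes PROGRAM, so a bad_hostname() regex only helps when the stray word is predictable. The sender name used as HOST is only as trustworthy as the transport; over UDP the source address itself can be forged, so a collector that needs an attributable host should use TCP or TLS transport rather than trust either field.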
Thank you both. I see that the messages are not in correct syslog format but am limited to what I can do at the source of the message. The workaround, with bad_hostname(), does exactly what I needed.

Thanks again,
Tim

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Friday, September 11, 2009 7:13 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] First word of log message dropped
participants (3)
- Balazs Scheidler
- Fegan, Joe
- Rudolph, Timothy L