Sent: Mon Aug 29 2011 15:20:51 GMT-0600 (MST)
From: Matt Zagrabelny <mzagrabe@d.umn.edu>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] malformed syslog packets?
Hi!
I've got a central log server running the OSE 3.1.3 version of syslog-ng:
dpkg -l syslog-ng
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version    Description
+++-==============-==========-===============================
ii  syslog-ng      3.1.3-3    Next generation logging daemon
I have dns lookup turned on via:
options { use_dns(yes); dns_cache(2000); dns_cache_expire(87600); };
And this seems to work just fine...except for a certain type of device on our network.
We have a number of UPSes that log to our central log server and it seems that the dns look ups do not work for those (types of devices).
% cd /var/log/syslog-ng/remote_clients
% ls -d 10.*
10.25.32.4 10.25.5.15 10.25.5.19 10.25.5.26 10.25.5.35 10.25.5.4 10.25.5.44 10.25.5.51 10.25.5.6 10.25.5.65 10.25.5.69 10.25.5.76 10.25.5.1 10.25.5.16 10.25.5.2 10.25.5.27 10.25.5.36 10.25.5.40 10.25.5.49 10.25.5.52 10.25.5.60 10.25.5.66 10.25.5.7 10.25.5.79 10.25.5.10 10.25.5.17 10.25.5.20 10.25.5.28 10.25.5.37 10.25.5.41 10.25.5.5 10.25.5.55 10.25.5.61 10.25.5.67 10.25.5.72 10.25.5.81 10.25.5.14 10.25.5.18 10.25.5.23 10.25.5.3 10.25.5.38 10.25.5.43 10.25.5.50 10.25.5.58 10.25.5.62 10.25.5.68 10.25.5.75 10.25.5.9
When I look up those IP addresses, they are *all* APC batteries (UPSes).
For instance:
% dig -x 10.25.5.43 +short
kplz246Abat1.d.umn.edu.
Is it possible that they are sending some sort of munged data to the log server and syslog-ng is not able to perform the (reverse) name lookup?
Any advice?
Thanks, much!
-Matt Zagrabelny
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
What macro are you using for the file name?
On Mon, Aug 29, 2011 at 5:10 PM, <syslogng@feystorm.net> wrote:
What macro are you using for the file name?
I believe $HOST.
destination d_remote_clients {
    file("/var/log/syslog-ng/remote_clients/$HOST/$YEAR/$MONTH/$DAY/$FACILITY"
         owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes));
};
-mz
Sent: Mon Aug 29 2011 17:10:19 GMT-0600 (MST)
From: Matt Zagrabelny <mzagrabe@d.umn.edu>
To: syslogng@feystorm.net, "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] malformed syslog packets?
What macro are you using for the file name?
I believe $HOST.
destination d_remote_clients {
    file("/var/log/syslog-ng/remote_clients/$HOST/$YEAR/$MONTH/$DAY/$FACILITY"
         owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes));
};
-mz
That would be the issue. You want $HOST_FROM
From the user guide:
HOST
Description: The name of the source host where the message originates from. If the message traverses several hosts and the chain_hostnames() option (http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/index.html-single.html#option_chain_hostnames) is on, the first host in the chain is used. To use this macro, make sure that the keep_hostname() option is enabled.
HOST_FROM
Description: Name of the host that sent the message to syslog-ng, as resolved by syslog-ng using DNS. If the message traverses several hosts, this is the last host in the chain. To use this macro, make sure that the keep_hostname() option is enabled.
On Mon, Aug 29, 2011 at 7:26 PM, <syslogng@feystorm.net> wrote:
That would be the issue. You want $HOST_FROM
Super! I have tweaked the configs.
From the user guide:
HOST
Description: The name of the source host where the message originates from. If the message traverses several hosts and the chain_hostnames() option is on, the first host in the chain is used. To use this macro, make sure that the keep_hostname() option is enabled.
Okay. However there is only one host in the chain:
APC UPS (udp 514) -> syslog_server
Doesn't syslog-ng do (reverse) name lookups when using the HOST macro?
HOST_FROM
Description: Name of the host that sent the message to syslog-ng, as resolved by syslog-ng using DNS. If the message traverses several hosts, this is the last host in the chain. To use this macro, make sure that the keep_hostname() option is enabled.
Thanks again!
-mz
Sent: Mon Aug 29 2011 19:36:28 GMT-0600 (MST)
From: Matt Zagrabelny <mzagrabe@d.umn.edu>
To: syslogng@feystorm.net, "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] malformed syslog packets?
That would be the issue. You want $HOST_FROM
Super! I have tweaked the configs.
From the user guide:
HOST
Description: The name of the source host where the message originates from. If the message traverses several hosts and the chain_hostnames() option is on, the first host in the chain is used. To use this macro, make sure that the keep_hostname() option is enabled.
Okay. However there is only one host in the chain:
APC UPS (udp 514)-> syslog_server
Doesn't syslog-ng do (reverse) name lookups when using the HOST macro?
It uses the host name as provided by the remote server. So the APC is using its IP as the hostname, while all your other hosts were using an actual hostname as the hostname.
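As an added illustration (not code from the thread or from syslog-ng itself), the following Python models the distinction made in the reply above: $HOST is read straight from the HOSTNAME field of the packet as the device wrote it, while $HOST_FROM comes from the address the datagram arrived from, reverse-resolved when use_dns(yes) is set. The datagrams and the reverse-DNS table are constructed so it runs offline; only the 10.25.5.43 / kplz246Abat1.d.umn.edu pair is taken from the thread, the second host is hypothetical.

```python
import ipaddress
import re

# Constructed sample datagrams (not from the thread): RFC 3164-style
# "<PRI>TIMESTAMP HOSTNAME TAG: MSG", as a UPS and an ordinary host might send them.
SAMPLES = [
    ("10.25.5.43",  "<13>Aug 29 15:20:51 10.25.5.43 UPS: On battery power"),
    ("10.25.5.200", "<37>Aug 29 15:20:52 webhost01 sshd[4242]: Accepted publickey"),
]

# Constructed stand-in for reverse DNS so the example runs offline. The first
# entry is the pair quoted in the thread; the second is hypothetical.
REVERSE_DNS = {
    "10.25.5.43": "kplz246Abat1.d.umn.edu",
    "10.25.5.200": "webhost01.example.org",
}

_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)

def host_field(payload):
    """$HOST: the HOSTNAME field exactly as the sender wrote it; no DNS involved."""
    m = _HEADER.match(payload)
    if m is None:
        raise ValueError("not an RFC 3164 header: %r" % payload)
    return m.group("host")

def host_from(sender_ip, use_dns=True):
    """$HOST_FROM: the peer the datagram arrived from, reverse-resolved if use_dns(yes)."""
    return REVERSE_DNS.get(sender_ip, sender_ip) if use_dns else sender_ip

def is_ip_literal(name):
    """True when a device filled HOSTNAME with its address, the symptom seen in the thread."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def expand(template, sender_ip, payload):
    """Expand a destination path for either macro ($HOST_FROM first, since it contains $HOST)."""
    return (template.replace("$HOST_FROM", host_from(sender_ip))
                    .replace("$HOST", host_field(payload)))

if __name__ == "__main__":
    for sender, raw in SAMPLES:
        print(expand("/var/log/syslog-ng/remote_clients/$HOST", sender, raw), "|",
              expand("/var/log/syslog-ng/remote_clients/$HOST_FROM", sender, raw))
```

Because $HOST is whatever the sender placed in the packet, a directory layout keyed on it records the sender's claim rather than where the message came from; $HOST_FROM ties the path to the peer address syslog-ng actually received from.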