Syslog destination time/folder issues
Hi All,

I am experiencing a weird problem with Syslog-NG 3.8.1 on Ubuntu 14.04.

When syslog receives syslog messages from a couple of specific nodes it saves them in a destination folder as per the config below:

source s_rohnet { network( transport("udp") ); };
destination d_rohnet_switches { file("/var/log/ROHNetwork/${YEAR}.${WEEK}/${HOST}.log" create-dirs(yes) dir-owner("rohadmin")); };

The devices are NTP synchronised and the date output is correct on the Ubuntu server:

date
Tue Nov 22 11:21:14 GMT 2016

Besides this, the log folders created where the files get stored are: /2015.51/192.168.33.8.log (it should be /2016.47/).

This is happening only for two nodes while all the rest seem to work fine.

I have captured some network traffic and the message received by syslog-ng on the network card seems also correct as per the Wireshark output:

Syslog message: LOCAL6.NOTICE: NOV 22 10:31:23 192.168.33.8-1 CMDLOGGER[165319912]: cmd_logger_api.c(83) 13518 %% CLI:192.168.32.100:root:User logged in

This is a Dell switch and I am opening a case with them, but I would like to know where else I should check for configuration errors.

The syslog config is exactly the one reported above.

Any idea of what I could check for further troubleshooting on the Syslog side?

Thanks,
Marco
The issue is that syslog-ng only processes mixed case month names, e.g. "Nov" instead of "NOV".

This pull request contains the as-of-now unmerged fix: https://github.com/balabit/syslog-ng/pull/1263

Any testing is absolutely welcome.

On Tue, Nov 22, 2016 at 12:30 PM, Marco Mignone <info@marcomignone.com> wrote:
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Bazsi
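As an added illustration of the cause described above (example code written for this page, not syslog-ng's parser or the pull request's code): two RFC 3164 header parsers, one that only accepts mixed-case month names as the thread says syslog-ng 3.8.1 did, and one that accepts any case, are run over constructed sample lines modelled on the switch message, and the ${YEAR}.${WEEK}/${HOST}.log path the file() template would produce is computed from the parsed timestamp. Assumptions: the year comes from the receive time (a BSD timestamp carries none), ${WEEK} is approximated with strftime %W (weeks starting on Monday), and a failed parse simply returns None; what 3.8.1 substituted on a failed parse (the 2015.51 folder in the report) is not modelled. The last helper is a triage check to find which senders use upper-case month names in a message dump or capture.

```python
"""Month-name case sensitivity in BSD syslog timestamps (added example)."""
import re
from datetime import datetime

# Month abbreviations as RFC 3164 spells them (mixed case).
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# RFC 3164 header: optional <PRI>, "Mmm dd hh:mm:ss", hostname, then the rest.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<mon>[A-Za-z]{3}) {1,2}(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$"
)


def month_index(name, case_insensitive):
    """Map a three-letter month name to 1..12, or None if unrecognised.

    With case_insensitive=False this models the strict matching the thread
    describes for syslog-ng 3.8.1: "Nov" matches, "NOV" does not.
    """
    if case_insensitive:
        name = name.capitalize()
    return MONTHS.index(name) + 1 if name in MONTHS else None


def parse_bsd_header(line, recv_time, case_insensitive):
    """Parse an RFC 3164 line into (timestamp, host), or None on failure.

    The BSD timestamp has no year, so the year is taken from recv_time
    (assumption: the daemon's receive time).
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    month = month_index(m.group("mon"), case_insensitive)
    if month is None:
        return None
    hh, mm, ss = (int(x) for x in m.group("time").split(":"))
    try:
        ts = datetime(recv_time.year, month, int(m.group("day")), hh, mm, ss)
    except ValueError:  # e.g. "Feb 30"
        return None
    return ts, m.group("host")


def year_week_dir(ts):
    """${YEAR}.${WEEK} as in the thread's template; %W = weeks starting Monday
    (assumption: this matches syslog-ng's ${WEEK})."""
    return ts.strftime("%Y.%W")


def destination_path(line, recv_time, case_insensitive,
                     base="/var/log/ROHNetwork"):
    """Path the thread's file() template would produce, or None if the
    timestamp could not be parsed (the daemon's fallback is not modelled)."""
    parsed = parse_bsd_header(line, recv_time, case_insensitive)
    if parsed is None:
        return None
    ts, host = parsed
    return f"{base}/{year_week_dir(ts)}/{host}.log"


def hosts_sending_uppercase_months(lines):
    """Triage helper: hosts whose month name is recognisable but not mixed case.

    Run over a raw message dump or a capture to find the senders affected by
    the case-sensitivity bug before patching or upgrading."""
    hosts = set()
    for line in lines:
        m = HEADER_RE.match(line)
        if not m:
            continue
        mon = m.group("mon")
        if mon not in MONTHS and mon.capitalize() in MONTHS:
            hosts.add(m.group("host"))
    return sorted(hosts)


# Constructed sample input modelled on the thread (LOCAL6.NOTICE is <181>);
# the hostnames and the first line are made up for this example.
RECV_TIME = datetime(2016, 11, 22, 11, 21, 14)
SAMPLES = [
    "<181>Nov 22 10:31:05 core-sw1 sshd[4242]: Accepted publickey for admin",
    "<181>NOV 22 10:31:23 192.168.33.8-1 CMDLOGGER[165319912]: "
    "cmd_logger_api.c(83) 13518 %% CLI:192.168.32.100:root:User logged in",
]

if __name__ == "__main__":
    for line in SAMPLES:
        for strict in (True, False):
            path = destination_path(line, RECV_TIME, case_insensitive=not strict)
            print("strict" if strict else "lenient", "->", path)
    print("senders with upper-case months:", hosts_sending_uppercase_months(SAMPLES))
```

Running it shows the mixed-case line routed to 2016.47 under both parsers, while the upper-case switch line is only routed correctly by the case-insensitive parser; the triage helper names the switch as the only affected sender.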
Hi Bazsi,

Thanks for the info. Do you think that can affect also the ‘year’ behaviour?

I would love to provide some help testing this... but I am not good at it :(

Thanks for the explanation and for pointing at the mod.

Regards,
Marco
On 22 Nov 2016, at 23:41, Balazs Scheidler <bazsi77@gmail.com> wrote:
Hi,

I have upstream packages for Ubuntu 14.04 (and Ubuntu 16.04, Debian 8): https://build.opensuse.org/package/show/home:laszlo_budai:syslog-ng-upstream...

This version contains the fix.

regards,
Laszlo Budai
participants (3)
- Balazs Scheidler
- Budai, László
- Marco Mignone