Hi everyone,

We've currently got a syslog setup that centralizes our logs from many of our different tiers into one location, using each system's prebuilt syslog. It works at the moment, but we've got some issues.

Our main one is that we name our hosts the same in different environments, mainly because these environments are for moving code and configs from 1 step to the next, so to make it easier on people so they don't have to change configurations each time the code moves, hosts share similar names.

The problem is that when all the logs come back to the central syslog server, they can't be separated by host because of the similarities. So 'web5' in our QA is the same as 'web5' in production.

Because of that, we were looking at syslog-ng, and while I found a couple of references to using FQDNs, I've been unable to tell whether or not this is possible.

Our machines DO have different FQDNs. For example, web5.qa.location.domain.com vs. web5.prod.location.domain.com. If we run our main central server on syslog-ng and replace all the syslog daemons on each system with it, can we force the FQDN to be given rather than just the base hostname and have the central log server sort the logs into different directories based on the FQDN?

Thanks!

-- sh
There are several different options for dealing with host names, and I have not managed to sort them all out yet. The single-line explanations in the manual are not enough to work out the details.

Be aware that the hostname can be set on either the central log server or on the system generating the logs. The default seems to be that the central server will keep the host name that is in the packet; if there is no hostname in the packet it will do a reverse lookup to determine it. We want to override this but have not spent a lot of time fiddling with the options to see what works.

What you want to do is possible, it's just a matter of figuring out which options you need on the client and server.

What is bothering us at the moment is that SUN monitoring crap called SRS manages to generate some syslog records with SRS in the hostname field. So on the central server these all turn up in the same file. I really must sort this out today, sigh...

I'd be happy to hear from someone who has already sussed out how these options work!

Russell

Steven Hajducko wrote:
Hi everyone,
We've currently got a syslog setup that centralizes our logs from many of our different tiers into one location, using each system's prebuilt syslog. It works at the moment, but we've got some issues.
Our main one is that we name our hosts the same in different environments, mainly because these environments are for moving code and configs from 1 step to the next, so to make it easier on people so they don't have to change configurations each time the code moves, hosts share similar names.
The problem is that when all the logs come back to the central syslog server, they can't be separated by host because of the similarities. So 'web5' in our QA is the same as 'web5' in production.
Because of that, we were looking at syslog-ng, and while I found a couple of references to using FQDNs, I've been unable to tell whether or not this is possible.
Our machines DO have different FQDNs. For example, web5.qa.location.domain.com vs. web5.prod.location.domain.com. If we run our main central server on syslog-ng and replace all the syslog daemons on each system with it, can we force the FQDN to be given rather than just the base hostname and have the central log server sort the logs into different directories based on the FQDN?
Thanks!
-- sh
------------------------------------------------------------------------
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
Well, as long as it's possible to sort by FQDN rather than just by hostname, I can at least present it as a viable alternative to what we have now. I'll have to set it up in a lab for now and see if I can get it working.

-- sh

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Russell Fulton
Sent: Thursday, August 24, 2006 1:18 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] FQDN's in syslog-ng

There are several different options for dealing with host names, and I have not managed to sort them all out yet. The single-line explanations in the manual are not enough to work out the details.

Be aware that the hostname can be set on either the central log server or on the system generating the logs. The default seems to be that the central server will keep the host name that is in the packet; if there is no hostname in the packet it will do a reverse lookup to determine it. We want to override this but have not spent a lot of time fiddling with the options to see what works.

What you want to do is possible, it's just a matter of figuring out which options you need on the client and server.

What is bothering us at the moment is that SUN monitoring crap called SRS manages to generate some syslog records with SRS in the hostname field. So on the central server these all turn up in the same file. I really must sort this out today, sigh...

I'd be happy to hear from someone who has already sussed out how these options work!

Russell

Steven Hajducko wrote:
Hi everyone,
We've currently got a syslog setup that centralizes our logs from many of our different tiers into one location, using each system's prebuilt syslog. It works at the moment, but we've got some issues.
Our main one is that we name our hosts the same in different environments, mainly because these environments are for moving code and configs from 1 step to the next, so to make it easier on people so they don't have to change configurations each time the code moves, hosts share similar names.
The problem is that when all the logs come back to the central syslog server, they can't be separated by host because of the similarities. So 'web5' in our QA is the same as 'web5' in production.
Because of that, we were looking at syslog-ng, and while I found a couple of references to using FQDNs, I've been unable to tell whether or not this is possible.
Our machines DO have different FQDNs. For example, web5.qa.location.domain.com vs. web5.prod.location.domain.com. If we run our main central server on syslog-ng and replace all the syslog daemons on each system with it, can we force the FQDN to be given rather than just the base hostname and have the central log server sort the logs into different directories based on the FQDN?
Thanks!
-- sh
Here are the options that we are using:

options {
    sync (0);
    time_reopen (10);
    log_fifo_size (5000);
    long_hostnames (on);
    use_dns (yes);
    use_fqdn (yes);
    create_dirs (yes);
};

And for the most part things are working as we would expect, but a few of our client hosts insist on putting stuff in the host field of the syslog records, and this is turning up in the HOST variable rather than the domain name of the source system. Originally we had keep_hostname (yes), so this was the expected behaviour. I have now changed the config file and restarted syslog-ng, but it is still writing the records to a file with the hostname in the packets.

I have verified that I have edited the right file by turning off use_fqdn for a few seconds and seeing all the new directories turn up in the log directory (I've lost count of the times I have spent hours tearing my hair out because I've edited the wrong copy of the file :)

This issue is causing real problems for us because we have some crappy monitoring software on our Solaris boxes which generates syslog records with "SRS" in the host field regardless of what the host name is, and we have about 10 of these machines, so all the records end up in one file on the central server and we can't tell which they are coming from. I'd rather not chain host names, which would seem to be the other solution.

We are running syslog-ng-2.0rc1 according to the source file.

Cheers,
Russell
Hey Russell,

This can usually be corrected by forcing the use of tcp as opposed to udp. It doesn't work for all instances, I still haven't figured out why :-(

Cheers,
Harry

Russell Fulton wrote:
Here are the options that we are using:
options { sync (0); time_reopen (10); log_fifo_size (5000); long_hostnames (on); use_dns (yes); use_fqdn (yes); create_dirs (yes); };
And for the most part things are working as we would expect, but a few of our client hosts insist on putting stuff in the host field of the syslog records, and this is turning up in the HOST variable rather than the domain name of the source system. Originally we had keep_hostname (yes), so this was the expected behaviour. I have now changed the config file and restarted syslog-ng, but it is still writing the records to a file with the hostname in the packets.
I have verified that I have edited the right file by turning off use_fqdn for a few seconds and seeing all the new directories turn up in the log directory (I've lost count of the times I have spent hours tearing my hair out because I've edited the wrong copy of the file :)
This issue is causing real problems for us because we have some crappy monitoring software on our Solaris boxes which generates syslog records with "SRS" in the host field regardless of what the host name is and we have about 10 of these machines so all the records end up in one file on the central server and we can't tell which they are coming from. I'd rather not chain host names which would seem to be the other solution.
We are running syslog-ng-2.0rc1 according to the source file.
Cheers, Russell
Hi Harry,

Harry Hoffman wrote:
Hey Russell,
This can usually be corrected by forcing the use of tcp as opposed to udp.
It doesn't work for all instances, I still haven't figured out why :-(
I think I have solved the immediate issue by changing HOST to HOST_FROM in the file name template.

BTW, the first alpha of SELMS is about ready to fly. I'm running it in parallel with sl3 at the moment. If you sign up with rubyforge I'll add you to the list of developers for the project. The current version basically duplicates sl3 with a few added bells and whistles (you can create counters based on text from REs, so you can count the number of login attempts for all hosts...). I've written but not tested all the stuff for real-time scanning -- that's next month's exercise...

BTW, is that PhD finished yet? ;) If you wait much longer you will be able to have Alex's room when you visit -- he is dead set on leaving home next year :)

Russell
On Fri, 2006-08-25 at 11:36 +1200, Russell Fulton wrote:
Here are the options that we are using:
options { sync (0); time_reopen (10); log_fifo_size (5000); long_hostnames (on); use_dns (yes); use_fqdn (yes); create_dirs (yes); };
And for the most part things are working as we would expect, but a few of our client hosts insist on putting stuff in the host field of the syslog records, and this is turning up in the HOST variable rather than the domain name of the source system. Originally we had keep_hostname (yes), so this was the expected behaviour. I have now changed the config file and restarted syslog-ng, but it is still writing the records to a file with the hostname in the packets.
hmm.. with the keep_hostname(no) setting, syslog-ng should always reverse resolve the sending IP address, so it should have a proper hostname in it as long as your DNS/hosts file is ok.
I have verified that I have edited the right file by turning off use_fqdn for a few seconds and seeing all the new directories turn up in the log directory (I've lost count of the times I have spent hours tearing my hair out because I've edited the wrong copy of the file :)
This issue is causing real problems for us because we have some crappy monitoring software on our Solaris boxes which generates syslog records with "SRS" in the host field regardless of what the host name is and we have about 10 of these machines so all the records end up in one file on the central server and we can't tell which they are coming from. I'd rather not chain host names which would seem to be the other solution.
In this case syslog-ng will think that SRS is the hostname presented by the sender. If keep_hostname is set to yes, it will use that name; if it is set to no, it will replace it with the name that it resolved using DNS.

An interesting add-on to this behaviour is to use bad_hostname(), which was invented exactly for this purpose: if you use bad_hostname("^SRS$") it will cause syslog-ng to recognize that this name is bogus and treat it as part of the "program name".

-- Bazsi
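Putting the options discussed in this thread together, here is an added example of a central-server syslog-ng.conf (my own illustration, not configuration posted by anyone in the thread): it ignores the client-supplied HOST field, reverse-resolves the sender to its FQDN, flags the bogus "SRS" token with bad_hostname(), and files records under a directory named by $HOST_FROM. The listener addresses, port, and /var/log/hosts path are assumptions; adjust them to your layout.

```conf
# Added example: central syslog-ng server that sorts logs by the
# sender's resolved FQDN, so web5.qa... and web5.prod... never share
# a file even though both call themselves "web5".
options {
    keep_hostname(no);       # do not trust the HOST field the client wrote
    use_dns(yes);            # reverse-resolve the sending address instead
    use_fqdn(yes);           # keep the full web5.qa.location.domain.com form
    dns_cache(yes);          # avoid a lookup for every single message
    chain_hostnames(no);     # no "client/relay" chains in the host name
    create_dirs(yes);        # let syslog-ng create the per-host directories
    bad_hostname("^SRS$");   # a literal "SRS" host token is bogus: it is
                             # left in the program/message part instead
};

# Accept both transports; the port and bind address are assumptions.
source s_net {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514) max_connections(100));
};

# $HOST_FROM is derived from the source address of the packet or
# connection, never from the message text, so a client cannot relabel
# itself by writing something else into the host field.
destination d_by_fqdn {
    file("/var/log/hosts/$HOST_FROM/$YEAR$MONTH$DAY.log"
         template("$DATE $HOST $PROGRAM: $MSG\n")
         template_escape(no));
};

log { source(s_net); destination(d_by_fqdn); };
```

With keep_hostname(no) the $HOST macro in the record template should also carry the resolved name; $HOST_FROM in the path guarantees the directory split regardless.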
Balazs Scheidler wrote:
And for the most part things are working as we would expect, but a few of our client hosts insist on putting stuff in the host field of the syslog records, and this is turning up in the HOST variable rather than the domain name of the source system. Originally we had keep_hostname (yes), so this was the expected behaviour. I have now changed the config file and restarted syslog-ng, but it is still writing the records to a file with the hostname in the packets.
hmm.. with the keep_hostname(no) setting, syslog-ng should always reverse resolve the sending IP address, so it should have a proper hostname in it as long as your DNS/hosts file is ok.
hmmm... indeed. Changing the macro in the file name template from HOST to HOST_FROM resolved the issue for us. We are still using HOST in the record template and that is still showing SRS.

If I get time I'll do some more experimenting in the lab to see if I can figure out exactly what is going on. In particular, to make sure that it isn't something stupid that I am doing.

Anyone know of a script that will put together syslog packets for test purposes?

Cheers,
Russell
participants (4)
- Balazs Scheidler
- Harry Hoffman
- Russell Fulton
- Steven Hajducko