Syslog Chaining doesn't work as expected
Hello folks,

I've got a problem with chaining syslog messages. Basically I try to forward syslog messages via a host to our logging server, but the logging server doesn't get that it's from another host and not the "forwarder". Here is my setup:

    LOGGINGSERVER (valid IP address)
         |
         |
    GATESERVER (valid IP address + internal 192.x.x.x address on second NIC)
         |
         |
    SERVER (internet IP)

GATESERVER and SERVER both shall log to LOGGINGSERVER. This is my logserver setup:

    options {
        long_hostnames(yes);
        sync(0);
        time_reap(1);
        use_time_recvd(yes);
        use_dns(yes);
        use_fqdn(yes);
        create_dirs(yes);
        log_fifo_size(10000);
        chain_hostnames(no);
    };

    source frontier {
        tcp(ip(xx.xxx.x.xxx) port(540) max-connections(20));
    };

    destination blackhole {
        file("/var/log/frontier/$YEAR$MONTH/$HOST");
    };

    log {
        source(frontier);
        destination(blackhole);
    };

As you see, it logs everything from a connecting host to its own file. If I forward the logs from SERVER via GATESERVER, the logging server writes all logfiles of SERVER to the logfile of GATESERVER since it sees it coming from the IP. That's correct and that's how it's supposed to work (documentation). Now if I switch the option chain_hostnames to yes it does what I want, it writes its own logfile for SERVER. However, it stops writing FQDNs and starts writing the logs with the canonical name of the machines. An example: before I turn chain_hostnames to yes it logs from the machine abc.de.fg to a file called "abc.de.fg"; if I turn the option on it starts logging to the file "abc". Since I have many machines with the same name but with different FQDNs I can't use that. Since I've turned on long_hostnames and use_fqdn I'm a bit curious what to do. Is this a bug or did I miss an option in the docs? All hosts are in /etc/hosts on the LOGGINGSERVER and all three machines use the current stable release 1.4.11.
Thanks in advance for the help

-- 
Regards,
Wiktor Wodecki, Unix Administration | Wapme-Systems AG
Tel.: +49-211-748450 | Muensterstrasse 248
Fax: +49-211-74845176 | 40470 Duesseldorf
E-Mail: wodecki@wapme-systems.de | http://www.wapme-systems.de
1024/E22253B9 084C 7950 4D65 0E92 46D1 48AF F3F7 3201 E222 53B9
Wiktor Wodecki on Fri, Mar 23, 2001 at 12:04:38PM +0100:

Wiktor,

> I've got a problem with chaining syslog messages. Basically I try to forward syslog messages via a host to our logging server, but the logging server doesn't get that it's from another host and not the
depending on how your systems are configured, you might get good results with turning keep_hostname on if that's an option.
> same name but with different FQDNs I can't use that. Since I've turned on long_hostnames and use_fqdn I'm a bit curious what to do. Is this a bug or did I miss an option in the docs? All hosts are in /etc/hosts on the LOGGINGSERVER and all three machines use the current stable release 1.4.11.

- Is your resolver configured properly? (nsswitch.conf)

or

- Do you use FQDNs in /etc/hosts?

- What syslog-ng options are you using on the GATESERVER?

Cheers,

-- 
Gregor Binder <gregor.binder@sysfive.com> http://sysfive.com/
sysfive.com GmbH UNIX. Networking. Security. Applications.
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
Hey Gregor,

Gregor Binder wrote:

> > I've got a problem with chaining syslog messages. Basically I try to forward syslog messages via a host to our logging server, but the logging server doesn't get that it's from another host and not the
>
> depending on how your systems are configured, you might get good results with turning keep_hostname on if that's an option.

Nope, that didn't do it, it still writes logs with the canonical name and not the FQDN.

> > same name but with different FQDNs I can't use that. Since I've turned on long_hostnames and use_fqdn I'm a bit curious what to do. Is this a bug or did I miss an option in the docs? All hosts are in /etc/hosts on the LOGGINGSERVER and all three machines use the current stable release 1.4.11.
>
> - Is your resolver configured properly? (nsswitch.conf) or
yes
> - Do you use FQDNs in /etc/hosts?
yes, on LOGGINGSERVER, not on GATESERVER
> - What syslog-ng options are you using on the GATESERVER?

    options {
        long_hostnames(yes);
        sync(2);
        use_dns(yes);
        use_fqdn(yes);
        create_dirs(yes);
        log_fifo_size(1000);
        time_reopen(2);
        chain_hostnames(yes);
        keep_hostname(yes);
    };

I just played around with setting keep_hostname on and off in various places and in combinations with other settings (I didn't know that setting before, it's only mentioned in an example setup in the docs, so I didn't find it before) but there's still the same result.

-- 
Regards,
Wiktor Wodecki, Unix Administration | Wapme-Systems AG
Tel.: +49-211-748450 | Muensterstrasse 248
Fax: +49-211-74845176 | 40470 Duesseldorf
E-Mail: wodecki@wapme-systems.de | http://www.wapme-systems.de
1024/E22253B9 084C 7950 4D65 0E92 46D1 48AF F3F7 3201 E222 53B9
Wiktor Wodecki on Fri, Mar 23, 2001 at 01:05:10PM +0100:

Hi Wiktor,

> > depending on how your systems are configured, you might get good results with turning keep_hostname on if that's an option.
>
> nope, that didn't do it, it still writes logs with the canonical name and not the FQDN.

Well, I could've said that before: it would require your systems to know themselves by their FQDN (and use this name for their log messages).

> > - Do you use FQDNs in /etc/hosts?
>
> yes, on LOGGINGSERVER, not on GATESERVER
If I understand your setup correctly, DNS config on GATESERVER (or how names get resolved and all that) matters, so you do want to make sure the log clients that go through GATESERVER can be properly qualified.
>     options {
>         long_hostnames(yes);
>         sync(2);
>         use_dns(yes);
>         use_fqdn(yes);
>         create_dirs(yes);
>         log_fifo_size(1000);
>         time_reopen(2);
>         chain_hostnames(yes);
>         keep_hostname(yes);
>     };

keep_hostname(yes) does not make sense with use_dns(yes) and use_fqdn(yes) since it means "keep the hostname that the log message contains". IIRC long_hostnames is just an alias for use_fqdn.

I think you want the following options (besides those not related to DNS/hostnames):

LOGGINGSERVER:

    keep_hostname(yes);
    chain_hostnames(no);
    use_fqdn(yes);

GATESERVER:

    use_dns(yes);
    use_fqdn(yes);

And make sure GATESERVER can determine FQDNs.

If you have clients logging directly to LOGGINGSERVER, you might want to check if you can specify those options in the source and not globally, since otherwise you would get inconsistent naming. I am not sure if you can do that though.

Greetings,

-- 
Gregor Binder <gregor.binder@sysfive.com> http://sysfive.com/
sysfive.com GmbH UNIX. Networking. Security. Applications.
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
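A concrete check for the two resolver questions raised in this thread (is nsswitch.conf pointing at files, and do those files carry FQDNs), added here as an example; it is not part of the original messages or of syslog-ng itself. With use_dns(yes) and keep_hostname(no), syslog-ng names a message after the address it arrived from, as returned by the system resolver, and when that lookup is served from /etc/hosts the name returned is the first one on the address's line. use_fqdn(yes) can only keep a domain the resolver actually handed back, so a relay such as GATESERVER whose hosts file lists short names first will qualify nothing. The script below flags exactly those lines. The function name, the 198.51.100.0/24 addresses and the host names are constructed for the example, not the real hosts from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: report /etc/hosts entries whose
# canonical (first) name is not fully qualified. Such entries make
# gethostbyaddr() return the short name, so syslog-ng's use_fqdn(yes)
# has no domain to keep and $HOST becomes e.g. "abc" instead of "abc.de.fg".

# Print "<address> <canonical-name>" for every entry whose first name
# contains no dot. Comments and blank lines are skipped. Exit status is 1
# when at least one such entry exists, 0 otherwise, so the function can
# gate a deployment of the relay's hosts file.
check_hosts_fqdn() {
    hosts_file=$1
    awk '
        { sub(/#.*/, "") }                  # strip trailing comments
        NF < 2 { next }                     # blank, or address without a name
        $2 !~ /\./ { print $1, $2; found = 1 }
        END { exit (found ? 1 : 0) }
    ' "$hosts_file"
}

# Constructed sample hosts file in the shape of the thread. Addresses come
# from the documentation range 198.51.100.0/24; names are placeholders.
# Only the first entry is what a relay like GATESERVER needs: FQDN first,
# short name as an alias.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
# canonical name first: the resolver returns the FQDN
198.51.100.10   abc.de.fg   abc
# short name first: the resolver returns "abc"; the FQDN is only an alias
198.51.100.11   abc         abc.xy.z
# short canonical name with a comment after the entry
198.51.100.12   gate        # second NIC of the relay
EOF

if check_hosts_fqdn "$SAMPLE_HOSTS"; then
    echo "all canonical names in $SAMPLE_HOSTS are fully qualified"
else
    echo "the entries above resolve to short names; put the FQDN first" >&2
fi
```

Run it against the relay's own /etc/hosts (check_hosts_fqdn /etc/hosts) and fix every reported line by moving the FQDN into the first column; this only covers the files backend of the resolver, so if nsswitch.conf consults DNS first, the PTR records need the same inspection.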
participants (2)

- Gregor Binder
- Wiktor Wodecki