different message shows up on loghost than on client
I have syslog-ng loghosts in our datacenters that receive messages via UDP from mostly Solaris syslogd. The loghosts in the datacenters then relay the messages over TCP/stunnel to a central loghost for archiving/analysis/input into a database.

The problem is that a message like this on a Solaris 2.6 box:

Nov 7 04:05:45 ballys ctld 5.0.6[22164]: [0] Error: unable to read header - Status: NoMoreData.

...will arrive (via UDP) on my Linux loghost (syslog-ng 1.4.12) like this:

Nov 7 04:05:45 ballys.hotwired.com 5.0.6[22164]: [0] Error: unable to read header - Status: NoMoreData.

I have no idea why it would cut out the program name (ctld) like that. Is this a known issue? This is really messing up my log tables, and I'd like to keep all the data straight in the database.

Here are my options from the Linux loghost:

options {
    use_fqdn(yes);
    long_hostnames(off);
    keep_hostname(no);
    use_dns(yes);
    sync(0);
};

Plus, when did it become an option to buffer messages with sync? Is it only in the devel branch? I'd like to set sync(5) or something to take it easy on the disk.

TIA,

-- 
Nate Campi   http://www.campin.net   GnuPG key: 0xC17AEF79
Key fingerprint = BF12 722F 8799 E614 33CC FAB7 5A90 C464 C17A EF79

The only way to convince some people that HTML is about content, not style is with a 2x4 <PLANK>.
On Wed, Nov 07, 2001 at 05:49:00PM -0800, Nate Campi wrote:
> The problem is that a message like this on a solaris 2.6 box:
>
> Nov 7 04:05:45 ballys ctld 5.0.6[22164]: [0] Error: unable to read header - Status: NoMoreData.
>
> ...will arrive (via UDP) on my linux loghost (syslog-ng 1.4.12) like this:
>
> Nov 7 04:05:45 ballys.hotwired.com 5.0.6[22164]: [0] Error: unable to read header - Status: NoMoreData.
Can anyone tell me why the program info is lost when Solaris 2.6 sends my message over UDP to syslog-ng 1.4.12?

-- 
Nate Campi   http://www.campin.net   GnuPG key: 0xC17AEF79
Key fingerprint = BF12 722F 8799 E614 33CC FAB7 5A90 C464 C17A EF79

The doctrine of human equality reposes on this: that there is no man really clever who has not found that he is stupid.
On Thu, Nov 08, 2001 at 11:35:38PM -0800, Nate Campi wrote:
> On Wed, Nov 07, 2001 at 05:49:00PM -0800, Nate Campi wrote:
> > The problem is that a message like this on a solaris 2.6 box:
> >
> > Nov 7 04:05:45 ballys ctld 5.0.6[22164]: [0] Error: unable to read header - Status: NoMoreData.
> >
> > ...will arrive (via UDP) on my linux loghost (syslog-ng 1.4.12) like this:
> >
> > Nov 7 04:05:45 ballys.hotwired.com 5.0.6[22164]: [0] Error: unable to read header - Status: NoMoreData.
>
> Can anyone tell me why the program info is lost when solaris 2.6 sends my message over UDP to syslog-ng 1.4.12?
Probably because of the strange format of the message. As I read the code, anything after the hostname until '[' or ':' is taken as part of the program which sent the message, at least this is true when every part of the message is received.

Try to snoop the network (or truss syslog-ng) to find out how the message was sent "exactly".

I suspect that there's no timestamp in the message and no hostname either, so syslog-ng parses ctld as the hostname and 5.0.6 as the program name, and later it replaces ctld with the hostname the given message was received from. (This can be changed with keep_hostname(yes or no).)

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Fri, Nov 09, 2001 at 09:45:34AM +0100, Balazs Scheidler wrote:
> On Thu, Nov 08, 2001 at 11:35:38PM -0800, Nate Campi wrote:
> > On Wed, Nov 07, 2001 at 05:49:00PM -0800, Nate Campi wrote:
> > > The problem is that a message like this on a solaris 2.6 box:
> > >
> > > Nov 7 04:05:45 ballys ctld 5.0.6[22164]: [0] Error: unable to read header - Status: NoMoreData.
> > >
> > > ...will arrive (via UDP) on my linux loghost (syslog-ng 1.4.12) like this:
> > >
> > > Nov 7 04:05:45 ballys.hotwired.com 5.0.6[22164]: [0] Error: unable to read header - Status: NoMoreData.
> >
> > Can anyone tell me why the program info is lost when solaris 2.6 sends my message over UDP to syslog-ng 1.4.12?
>
> Probably because of the strange format of the message. As I read the code, anything after the hostname until '[' or ':' is taken as part of the program which sent the message, at least this is true when every part of the message is received.
>
> Try to snoop the network (or truss syslog-ng) to find out how the message was sent "exactly".
>
> I suspect that there's no timestamp in the message and no hostname either, so syslog-ng parses ctld as the hostname and 5.0.6 as the program name, and later it replaces ctld with the hostname the given message was received from. (This can be changed with keep_hostname(yes or no).)
So if I set "keep_hostname(yes)" I'll just get:

Nov 7 04:05:45 ctld 5.0.6[22164]: [0] Error: unable to read header - Status: NoMoreData.

...right?

Sounds like this needs a bug report with the software vendor, assuming I can verify that their syslog messages are wrong.

-- 
Nate Campi   http://www.campin.net   GnuPG key: 0xC17AEF79
Key fingerprint = BF12 722F 8799 E614 33CC FAB7 5A90 C464 C17A EF79

A mathematician is an engine for converting coffee into theorems.
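The parsing heuristic Bazsi describes (first word after the timestamp is the host; everything up to the first '[' or ':' is the program; keep_hostname(no) overwrites the host with the sender's name) and the keep_hostname(yes) outcome Nate predicts can both be reproduced with a small model of the receiver. The following is an added example written for this page, not syslog-ng's own parser: the datagrams, the sender name `ballys.hotwired.com` and the helper names `parse_datagram`/`render` are constructed here, and the timestamp-missing datagram is an assumption about what the Solaris box emits, which is exactly what snooping the wire would confirm or refute.

```python
"""Model of how a BSD-syslog receiver splits a UDP datagram into
timestamp / host / program / pid / message, following the heuristic
described in the thread.  Illustration only, not syslog-ng's code."""
import re
from dataclasses import dataclass
from typing import Optional

# Optional <PRI> prefix and the BSD timestamp "Mmm dd hh:mm:ss"
# (day may be space-padded or single-digit).
_PRI = re.compile(r"^<\d{1,3}>")
_TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")


@dataclass
class SyslogMessage:
    timestamp: str
    host: str
    program: str
    pid: Optional[str]
    message: str
    malformed: bool  # True when the datagram carried no timestamp


def parse_datagram(payload: str, sender: str, keep_hostname: bool,
                   received_at: str = "Nov 7 04:05:45") -> SyslogMessage:
    rest = payload
    m = _PRI.match(rest)
    if m:
        rest = rest[m.end():]

    m = _TIMESTAMP.match(rest)
    if m:
        timestamp, malformed = m.group("ts"), False
        rest = rest[m.end():]
    else:
        # No timestamp on the wire: stamp with arrival time and carry on
        # parsing as if the header were complete.
        timestamp, malformed = received_at, True

    # The next whitespace-delimited word is taken as the hostname, whether
    # or not the sender actually put one there.  This is what swallows
    # "ctld" when the timestamp is missing.
    host, _, rest = rest.partition(" ")

    # keep_hostname(no): trust the network peer, not the claimed hostname.
    if not keep_hostname:
        host = sender

    # Program name is everything up to the first '[' or ':'.
    cut = min([i for i in (rest.find("["), rest.find(":")) if i != -1],
              default=len(rest))
    program = rest[:cut].strip()
    tail = rest[cut:]

    pid = None
    pm = re.match(r"^\[(\d+)\]", tail)
    if pm:
        pid = pm.group(1)
        tail = tail[pm.end():]
    if tail.startswith(":"):
        tail = tail[1:]

    return SyslogMessage(timestamp, host, program, pid, tail.strip(), malformed)


def render(msg: SyslogMessage) -> str:
    """The line a loghost would write to its file for this message."""
    pid = f"[{msg.pid}]" if msg.pid else ""
    return f"{msg.timestamp} {msg.host} {msg.program}{pid}: {msg.message}"


# Constructed samples: what the Solaris box is assumed to put on the wire
# (no timestamp, no hostname) versus a fully formed BSD-syslog line.
BODY = "[0] Error: unable to read header - Status: NoMoreData."
BARE_DATAGRAM = f"ctld 5.0.6[22164]: {BODY}"
FULL_DATAGRAM = f"Nov 7 04:05:45 ballys ctld 5.0.6[22164]: {BODY}"
SENDER = "ballys.hotwired.com"

if __name__ == "__main__":
    for keep in (False, True):
        print(f"keep_hostname({'yes' if keep else 'no'}):",
              render(parse_datagram(BARE_DATAGRAM, SENDER, keep)))
    print("well-formed:", render(parse_datagram(FULL_DATAGRAM, SENDER, True)))
```

Run against the bare datagram with keep_hostname(no) the model writes `Nov 7 04:05:45 ballys.hotwired.com 5.0.6[22164]: ...`, the line Nate sees; with keep_hostname(yes) it writes `Nov 7 04:05:45 ctld 5.0.6[22164]: ...`, the line he predicts. The `malformed` flag is the thing worth logging or counting on a loghost: it separates "the parser mangled a good message" from "the sender never put a header on the wire", which is the evidence needed before filing the vendor bug report.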
participants (2)
- Balazs Scheidler
- Nate Campi