I still cant get it to work. this is the problem output again....it doesnt identify remote source of log.... Dec 27 18:21:20 src@suselog syslog-ng[19442]: syslog-ng version 1.6.2 going down Dec 27 18:21:20 src@suselog syslog-ng[19532]: syslog-ng version 1.6.2 starting Dec 27 18:21:25 src@suselog kernel: klogd 1.4.1, log source = /proc/kmsg started. Dec 27 18:21:36 suselog/suselog su(pam_unix)[25213]: authentication failure; logname=syss555 uid=500 euid=0 tty=pts/10 ruser=syss555 rhost= user=root --below are some config settings-- suselog:/etc/sysconfig # more syslog I restart syslog via # The name of the syslog daemon used as # syslog service: "syslogd", "syslog-ng" # SYSLOG_DAEMON="syslog-ng" suselog:/etc/syslog-ng # more syslog-ng.conf note- I do edit this file and do not use suseconfig...... # /etc/syslog-ng/syslog-ng.conf # # Automatically generated by SuSEconfig on Thu Dec 15 19:31:03 EST 2005. # # PLEASE DO NOT EDIT THIS FILE! # # you can modify /etc/syslog-ng/syslog-ng.conf.in instead # # # File format description can be found in syslog-ng.conf(5). # options { keep_hostname(no); chain_hostnames(yes); use_dns(no); sync(0); }; # # 'src' is our main source definition. you can add # more sources driver definitions to it, or define # your own sources, i.e.: # #source my_src { .... }; source lan_tcp { tcp(ip(127.0.0.1) port(1999) max-connections(10)); }; source lan_udp { udp(); }; source src { # # include internal syslog-ng messages # note: the internal() soure is required! # internal(); # # the following line will be replaced by the # socket list generated by SuSEconfig using # variables from /etc/sysconfig/syslog: # unix-dgram("/dev/log"); unix-dgram("/var/lib/ntp/dev/log"); # # uncomment to process log messages from network: # #udp(ip("0.0.0.0") port(514)); }; Is there a way to dump the current log settings? or obtain them on startup of Syslog-NG? Balazs Scheidler <bazsi@balabit.hu > To Syslog-ng users' and developers' Sent by: mailing list syslog-ng-bounces <syslog-ng@lists.balabit.hu> @lists.balabit.hu cc Subject 12/27/2005 11:20 Re: [syslog-ng] rhost field AM Please respond to Syslog-ng users' and developers' mailing list <syslog-ng@lists. balabit.hu> keep_hostname(no) use_dns(no) On Tue, 2005-12-27 at 09:56 -0500, ken.schweiker@faa.gov wrote:

I am using syslog-ng for the first time. The initial setup is complete

and

appears to be working ok. However in my test environment, I am logging from a redhat desktop using syslog to a suse syslog-ng server. The output, after I deliberately input an incorrect password on my workstation doing a 'su', gets reported to the syslog-ng server as .......

Dec 23 17:50:12 suselog/suselog su(pam_unix)[13205]: authentication failure; logname=syss555 uid=500 euid=0 tty=pts/4 ruser=syss555 rhost= user=root

How do I get it to display in the log the host(IP) the message came from?

-- Bazsi _______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

On Wed, 2005-12-28 at 10:28 -0500, ken.schweiker@faa.gov wrote:

I hope someone can answer a few basic questions to help with my previously described problem. Since I have not used syslog before....

Is the rhost field where I should see some value? specifically the originating ip address of the msg.? my field is blank. Does anyone else use the version 1.6.2. and not have this problem?

Uh huh, you mean the rhost field _inside_ the message part? Dec 23 17:50:12 suselog/suselog su(pam_unix)[13205]: authentication failure; logname=syss555 uid=500 euid=0 tty=pts/4 ruser=syss555 rhost= user=root In this case this has nothing to do with syslog-ng as it never touches the message itself (e.g. anything after the hostname in the header suselog/suselog in the case above) -- Bazsi

On Wed, Dec 28, 2005 at 01:45:26PM -0500, ken.schweiker@faa.gov wrote:

options { keep_hostname(no); use_dns(no); sync(0); };\

Turn off long hostnames and you should start seeing the remote IP in the logs: long_hostnames(off); See this URL for hostname options: http://www.campin.net/syslog-ng/faq.html#hostname Keep the use_dns(no) since you want IP's. -- Nate "A computer will do what you tell it to do, but that may be much different from what you had in mind." - JOSEPH WEIZENBAUM, quoted in Time

On Wed, Dec 28, 2005 at 03:45:30PM -0500, ken.schweiker@faa.gov wrote:

Thanks. Meanwhile I finally read the bottom of these responses and went to www.campin.net/syslog-ng/faq.html. It was very helpful!

It explained the header problem I think ..... Many syslog programs, when configured to relay messages on to another syslog program on another host, will leave out certain parts of the syslog message - complicating proper identification of certain fields. ....and...... The sysklogd program used as a syslog server for many Linux distributions also leaves out fields. It leaves out the time/date information and the hostname information (the entire "header").

So it sounds like I'll have to install syslog-ng on all the downstream servers also. Thanks.

I'm glad you read that, but it might not really be clear enough on how syslog-ng behaves in this situation. What happens is that syslog-ng puts in a hostname based on the remote IP or DNS name, and also uses the chained hostname format if configured to do so. Don't bother putting syslog-ng everywhere just for that reason. Let me know if this clears things up. -- Nate "The more I C, the less I see."

Hi I have a very simple question: Is the host statement in filter case sensitive? TIA Paolo __________________________________ Yahoo! for Good - Make a difference this year. http://brand.yahoo.com/cybergivingweek2005/