Trouble with switches and syslog-ng
Good day everyone,

We use syslog-ng to store and organize the logs of our machines (~3900). For every host we have, syslog-ng creates a folder with the hostname or the IP address (if it couldn't determine the hostname) of the machine and then stores the logs.

We also have 5 switches that can report logs with standard syslog capabilities (UDP on port 514). The problem is that syslog-ng doesn't create the folder for these switches and doesn't store their logs. I made sure there were no network problems by using tcpdump - the packets correctly made it to the central syslog-ng host. Yes, of course, I made sure udp(); was in my source declaration.

Does anyone know how I can make sure syslog-ng receives the logs?

Thanks for your help.

-- 
Jean-Michel Philippon-Nadeau
Centre de Calcul Scientifique
On Wed, 2007-04-04 at 11:01 -0400, Jean-Michel Philippon-Nadeau wrote:
Good day everyone,
We use syslog-ng to store and organize the logs of our machines (~3900). For every host we have, syslog-ng creates a folder with the hostname or the ip address (if it couldn't determine the hostname) of the machine and then stores the logs.
We also have 5 switches that can report logs with standard syslog capabilities (udp on port 514). The problem is that syslog-ng doesn't create the folder for these switches and doesn't store their logs. I made sure there were no network problems by using tcpdump - the packets correctly made it to the central syslog-ng host. Yes, of course, I made sure udp(); was in my source declaration.
Does anyone know how I can make sure syslog-ng receives the logs?
The message sent by the switch might not be in a format that syslog-ng accepts, and this way the message gets to the wrong destination.

Can you paste a single log message as received by the syslog-ng host? I.e. a message you captured using tcpdump.

BTW: you also made sure that no packet filtering is involved, right?

-- 
Bazsi
Balazs Scheidler wrote:
On Wed, 2007-04-04 at 11:01 -0400, Jean-Michel Philippon-Nadeau wrote:
Good day everyone,
We use syslog-ng to store and organize the logs of our machines (~3900). For every host we have, syslog-ng creates a folder with the hostname or the ip address (if it couldn't determine the hostname) of the machine and then stores the logs.
We also have 5 switches that can report logs with standard syslog capabilities (udp on port 514). The problem is that syslog-ng doesn't create the folder for these switches and doesn't store their logs. I made sure there were no network problems by using tcpdump - the packets correctly made it to the central syslog-ng host. Yes, of course, I made sure udp(); was in my source declaration.
Does anyone know how I can make sure syslog-ng receives the logs?
the message sent by the switch might not be in a format that syslog-ng accepts and this way the message gets to the wrong destination.
can you paste a single log message as received by the syslog-ng host? i.e. a message you captured using tcpdump.
Here is a login failure from ssh to the switch received by tcpdump -A -vv on a specific interface, a specific host (a switch) and on UDP port 514.

08:10:15.767285 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 88) 192.168.175.2.syslog > 192.168.175.1.syslog: UDP, length 60
E..X..@.@.[@.............D..Login failed for user adminccs through ssh (192.168.10
btw: you also made sure that no packet filtering is involved, right?
Yes, everything was working fine before; we were using Splunk and changed to syslog-ng without even touching the firewall.

Thanks for your help, it is very appreciated.

Jean-Michel
On Thu, 2007-04-05 at 08:29 -0400, Jean-Michel Philippon-Nadeau wrote:
Balazs Scheidler wrote:
On Wed, 2007-04-04 at 11:01 -0400, Jean-Michel Philippon-Nadeau wrote:
Good day everyone,
We use syslog-ng to store and organize the logs of our machines (~3900). For every host we have, syslog-ng creates a folder with the hostname or the ip address (if it couldn't determine the hostname) of the machine and then stores the logs.
We also have 5 switches that can report logs with standard syslog capabilities (udp on port 514). The problem is that syslog-ng doesn't create the folder for these switches and doesn't store their logs. I made sure there were no network problems by using tcpdump - the packets correctly made it to the central syslog-ng host. Yes, of course, I made sure udp(); was in my source declaration.
Does anyone know how I can make sure syslog-ng receives the logs?
the message sent by the switch might not be in a format that syslog-ng accepts and this way the message gets to the wrong destination.
can you paste a single log message as received by the syslog-ng host? i.e. a message you captured using tcpdump.
Here is a login failure from ssh to the switch received by tcpdump -A -vv on a specific interface, a specific host (a switch) and on UDP port 514.
08:10:15.767285 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 88) 192.168.175.2.syslog > 192.168.175.1.syslog: UDP, length 60
E..X..@.@.[@.............D..Login failed for user adminccs through ssh (192.168.10
Hmm. This line does not include a log header (no PRI, no header, no host, nothing).

syslog-ng will probably think (but I'd have to check) that "Login" is the hostname, and depending on your keep_hostname() setting, it either replaces Login with the host that sent the UDP frame, or leaves Login alone and thinks that it is a hostname (and thus stores messages in a subdirectory named "Login").

The solution is to 1) file a bug report to the vendor to fix their syslog message format 2) try to tune the bad_hostname() option to indicate that "Login" is a bad hostname.

-- 
Bazsi
On Thu, 2007-04-05 at 18:23 +0200, Balazs Scheidler wrote:
On Thu, 2007-04-05 at 08:29 -0400, Jean-Michel Philippon-Nadeau wrote:
Balazs Scheidler wrote:
On Wed, 2007-04-04 at 11:01 -0400, Jean-Michel Philippon-Nadeau wrote:
Good day everyone,
We use syslog-ng to store and organize the logs of our machines (~3900). For every host we have, syslog-ng creates a folder with the hostname or the ip address (if it couldn't determine the hostname) of the machine and then stores the logs.
We also have 5 switches that can report logs with standard syslog capabilities (udp on port 514). The problem is that syslog-ng doesn't create the folder for these switches and doesn't store their logs. I made sure there were no network problems by using tcpdump - the packets correctly made it to the central syslog-ng host. Yes, of course, I made sure udp(); was in my source declaration.
Does anyone know how I can make sure syslog-ng receives the logs?
the message sent by the switch might not be in a format that syslog-ng accepts and this way the message gets to the wrong destination.
can you paste a single log message as received by the syslog-ng host? i.e. a message you captured using tcpdump.
Here is a login failure from ssh to the switch received by tcpdump -A -vv on a specific interface, a specific host (a switch) and on UDP port 514.
08:10:15.767285 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 88) 192.168.175.2.syslog > 192.168.175.1.syslog: UDP, length 60
E..X..@.@.[@.............D..Login failed for user adminccs through ssh (192.168.10
hmm. this line does not include a log header (no pri, no header, no host, nothing)
syslog-ng will probably think (but I'd have to check) that "Login" is the hostname, and depending on your keep_hostname() setting, it either replaces Login with the host that sent the UDP frame, or leaves Login alone, and thinks that it is a hostname (and thus stores messages in a subdirectory named "Login").
the solution is to 1) file a bug report to the vendor to fix their syslog message format 2) try to tune the bad_hostname() option to indicate that "Login" is a bad hostname.
Oh, and another, better solution occurred to me. Create a new source (either a separate IP or a different port) and disable log message parsing, like this:

source s_unparsed { udp(flags(no-parse)); };

This won't even try to parse an incoming line as a syslog message; it simply stuffs the line as the MSG part and prepends proper syslog headers.

-- 
Bazsi
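To make the failure mode above concrete, here is an added Python example; it is not syslog-ng code and was not part of this thread. It models, in simplified form, a BSD-syslog (RFC 3164 style) receiver: a well-formed "<PRI>timestamp host msg" datagram is parsed normally, a header-less line has its first word guessed as the hostname (which is how "Login" becomes a host directory), and the effect of keep_hostname(), of a bad_hostname() pattern and of a no-parse source is shown side by side. The regular expression, the assumed default priority 13 (user.notice) for header-less lines, the BAD_HOSTNAME pattern, the /var/log/hosts base path and the sample datagrams are all constructed for the example; the switch line mirrors the tcpdump capture in the thread with a made-up trailing address. Real syslog-ng is more permissive than this (it also handles messages with a PRI but no timestamp, RFC 5424, and so on), so treat this as an illustration, not a specification.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Simplified RFC 3164 shape: "<PRI>Mmm dd hh:mm:ss HOST MSG" (day may be space-padded).
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# Assumed bad_hostname()-style pattern: first words that are clearly not hosts.
BAD_HOSTNAME = re.compile(r"^(Login|Logout|Warning|Error|Port|Link)$", re.IGNORECASE)

# Constructed sample datagrams.  The switch one mirrors the capture in the
# thread; the trailing address is made up.  The second is a well-formed line.
SWITCH_PAYLOAD = b"Login failed for user adminccs through ssh (192.0.2.10)"
GOOD_PAYLOAD = b"<38>Apr  5 08:10:15 gw01 sshd[1234]: Failed password for root from 192.0.2.10 port 4242 ssh2"


@dataclass
class LogRecord:
    facility: int
    severity: int
    host: str
    msg: str
    parsed_header: bool  # False when the header had to be guessed or synthesised


def parse_syslog(payload: bytes, sender_ip: str, *, keep_hostname: bool = False,
                 bad_hostname: Optional[re.Pattern] = None) -> LogRecord:
    """Classic BSD-syslog receiver behaviour, simplified.

    keep_hostname=False (syslog-ng's default) replaces the hostname found in the
    message with the sender's address; True keeps the parsed value.  bad_hostname,
    when given, rejects a parsed hostname that matches it: the word is pushed back
    into the message and the sender address is used instead.
    """
    text = payload.decode("utf-8", errors="replace").rstrip("\r\n")
    m = _RFC3164.match(text)
    if m:
        pri = int(m.group("pri"))
        host, msg, parsed = m.group("host"), m.group("msg"), True
    else:
        # No <PRI>/timestamp/host: a lenient receiver guesses that the first
        # token is the hostname.  This is how "Login" turns into a directory.
        pri = 13  # assumed default: user.notice
        host, _, msg = text.partition(" ")
        parsed = False
    if bad_hostname is not None and bad_hostname.search(host):
        msg = f"{host} {msg}" if msg else host
        host = sender_ip
    elif not keep_hostname:
        host = sender_ip  # note: with a header-less line the first word is lost
    return LogRecord(pri // 8, pri % 8, host, msg, parsed)


def no_parse(payload: bytes, sender_ip: str) -> LogRecord:
    """Mimic udp(flags(no-parse)): the whole line is MSG and the header is
    synthesised on the receiving side (facility/severity fixed at user.notice here)."""
    text = payload.decode("utf-8", errors="replace").rstrip("\r\n")
    return LogRecord(1, 5, sender_ip, text, False)


def log_dir(rec: LogRecord, base: str = "/var/log/hosts") -> str:
    """Per-host directory as in the poster's setup (base path is an assumption)."""
    return f"{base}/{rec.host}"


def triage(payload: bytes) -> str:
    """Quick check for a tcpdump-captured payload: does it carry a syslog header?"""
    text = payload.decode("utf-8", errors="replace")
    if text.startswith("<") and _RFC3164.match(text):
        return "ok: PRI and BSD header present"
    if text.startswith("<"):
        return "partial: PRI present but timestamp/host not in BSD form"
    return "missing: no <PRI>, the receiver will guess the header"


if __name__ == "__main__":
    sender = "192.168.175.2"
    print(triage(SWITCH_PAYLOAD))
    for label, rec in (
        ("keep_hostname(yes)", parse_syslog(SWITCH_PAYLOAD, sender, keep_hostname=True)),
        ("keep_hostname(no)", parse_syslog(SWITCH_PAYLOAD, sender)),
        ("bad_hostname(Login)", parse_syslog(SWITCH_PAYLOAD, sender, keep_hostname=True,
                                             bad_hostname=BAD_HOSTNAME)),
        ("flags(no-parse)", no_parse(SWITCH_PAYLOAD, sender)),
    ):
        print(f"{label:20} dir={log_dir(rec)}  msg={rec.msg!r}")
```

Running it shows the three outcomes the thread describes: with keep_hostname the record lands under a "Login" directory, without it the line is filed under the sender address but the word "Login" has been swallowed as a bogus hostname, and only the bad_hostname or no-parse paths keep the message intact under the sender's directory. The triage() helper is the first thing worth running on a tcpdump -A payload from a misbehaving device: a line that does not begin with "<digits>" will never be filed where you expect.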
Balazs Scheidler wrote:
On Thu, 2007-04-05 at 18:23 +0200, Balazs Scheidler wrote:
On Thu, 2007-04-05 at 08:29 -0400, Jean-Michel Philippon-Nadeau wrote:
Balazs Scheidler wrote:
On Wed, 2007-04-04 at 11:01 -0400, Jean-Michel Philippon-Nadeau wrote:
Good day everyone,
We use syslog-ng to store and organize the logs of our machines (~3900). For every host we have, syslog-ng creates a folder with the hostname or the ip address (if it couldn't determine the hostname) of the machine and then stores the logs.
We also have 5 switches that can report logs with standard syslog capabilities (udp on port 514). The problem is that syslog-ng doesn't create the folder for these switches and doesn't store their logs. I made sure there were no network problems by using tcpdump - the packets correctly made it to the central syslog-ng host. Yes, of course, I made sure udp(); was in my source declaration.
Does anyone know how I can make sure syslog-ng receives the logs?
the message sent by the switch might not be in a format that syslog-ng accepts and this way the message gets to the wrong destination.
can you paste a single log message as received by the syslog-ng host? i.e. a message you captured using tcpdump.
Here is a login failure from ssh to the switch received by tcpdump -A -vv on a specific interface, a specific host (a switch) and on UDP port 514.
08:10:15.767285 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 88) 192.168.175.2.syslog > 192.168.175.1.syslog: UDP, length 60
E..X..@.@.[@.............D..Login failed for user adminccs through ssh (192.168.10
hmm. this line does not include a log header (no pri, no header, no host, nothing)
syslog-ng will probably think (but I'd have to check) that "Login" is the hostname, and depending on your keep_hostname() setting, it either replaces Login with the host that sent the UDP frame, or leaves Login alone, and thinks that it is a hostname (and thus stores messages in a subdirectory named "Login").
the solution is to 1) file a bug report to the vendor to fix their syslog message format 2) try to tune the bad_hostname() option to indicate that "Login" is a bad hostname.
Oh, and another, better solution occurred to me. Create a new source (either separate IP or different port) and disable log message parsing, like this:
source s_unparsed { udp(flags(no-parse)); };
This won't even try to parse an incoming line as a syslog message, it simply stuffs the line as the MSG part, and prepends proper syslog headers.
Thanks a lot for your help Balazs. It works perfectly now. I am going to post the solution in case someone else runs into the same problem (for your archives).

For Extreme Networks switches running XOS, you have to configure the log format for syslog using the command "configure log target syslog <arguments>". It is explained on pages 643 to 646 of DocumentationEXOSCommandRef11_6.pdf. After you set your log format to something appropriate for your needs, just configure syslog-ng to process your logs the way you want.

Thanks again for your help!
participants (2)
- Balazs Scheidler
- Jean-Michel Philippon-Nadeau