Hello,

We've configured a centralized log server (Solaris 10) in order to collect and manage all log messages coming from +/- 100 servers (Solaris, Linux, ...).

For an unknown reason, the logs coming from one of our servers (Debian) are coming in on the log server in the following format:

Sep 7 10:08:37 server1 PAM_unix[6142]: authentication failure; (uid=0) -> delphine for ssh service

As you can see, we only receive the hostname (server1) but not the FQDN of this server (server1.ourdomain.be). For all the other servers, we have the FQDN in the logs. Here is an example with server2.ourdomain.be (Debian):

Sep 7 10:11:01 server2.ourdomain.be/server2.ourdomain.be PAM_unix[27542]: authentication failure; (uid=0) -> delphine for ssh service

The only difference between server1 and the other ones is that it uses syslog-ng instead of syslog in order to send its logs. Here are the options used in the configuration files.

1° On the log server

options { create_dirs(yes); dir_perm(0705); dir_owner(root); perm(0600); owner(root); sync(0); check_hostname(no); use_fqdn(yes); use_dns(yes); dns_cache(yes); dns_cache_expire(604800); dns_cache_size(400); stats(60); keep_hostname(yes); chain_hostnames(yes); };

2° On server1

options { use_fqdn(yes); use_dns(yes); keep_hostname(yes); chain_hostnames(no); long_hostnames(no); sync(0); };

3° On server2 we are using syslog instead of syslog-ng

Any idea?

Thanks.

_________________________________________________________________
Passionate about something? Gather everything that interests you in one place! http://get.live.com/live/features
You can tell syslog-ng to use either the reverse domain name or the name included in the syslog record (check the docs for what the macros are). You almost certainly are using the name included in the syslog record.

What does `hostname` return on the Debian box? My guess is that the hostname is set to 'server1' without the ourdomain.be; the others are all set to a FQDN.

R

Delphine D wrote:
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
You can tell syslog-ng to use either the reverse domain name or the name included in the syslog record (check the docs for what the macros are). You almost certainly are using the name included in the syslog record.

Could you please explain a little bit what these macros are? Is it something I need to modify/configure in the syslog-ng.conf file on server1?

What does `hostname` return on the Debian box? My guess is that the hostname is set to 'server1' without the ourdomain.be

Yes, indeed, hostname returns 'server1'.

the others are all set to a FQDN

The others also return the hostname and not the FQDN (e.g. 'server2' and not 'server2.ourdomain.be'), but they are using syslog instead of syslog-ng... That's the only difference...

Thanks,
Delphine
_________________________________________________________________
Did you know that Windows Live Messenger is now available on your mobile phone? http://get.live.com/messenger/mobile
On Fri, Sep 07, 2007 at 10:53:54AM +0200, Delphine D wrote:
The others also return the hostname and not the FQDN (e.g. 'server2' and not 'server2.ourdomain.be'), but they are using syslog instead of syslog-ng... That's the only difference...
Then it's because this host sends the hostname in the syslog message (syslog-ng always has a full and complete syslog message on the wire), but the boxes using syslogd don't actually send a hostname.

A message on your central syslog-ng server from a Linux box running syslogd will be written to disk something like:

Sep 7 07:16:20 hostname in.qpopper[7736]: connect from 12.12.12.12

...but on the wire it looks like this:

<13>in.qpopper[7736]: connect from 12.12.12.12

...and syslog-ng has to put in the rest of the info. This means that syslog-ng on the central box is putting in the FQDN for you. syslog-ng on the client is putting in a full message, including the short hostname, and the central syslog-ng is keeping it.

See http://www.campin.net/syslog-ng/syslog.html#missing_parts for more on this.

See http://www.campin.net/syslog-ng/faq.html#hostname to figure out the hostname options you want on your central syslog-ng server. Probably "keep_hostname(no)", plus "use_fqdn(yes);" to get the FQDN.

HTH,
--
Nate

Like medieval peasants, computer manufacturers and millions of users are locked in a seemingly eternal lease with their evil landlord, who comes around every two years to collect billions of dollars of taxes in return for mediocre services. --Mark Harris, Electronics Times
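The behaviour Nate describes above, modelled in Python: a syslogd client puts no hostname on the wire, a syslog-ng client sends the full header with its short hostname, and keep_hostname() on the central server decides whether that sender-supplied name is kept or replaced by the reverse-resolved name of the peer address. This is an added example for this thread, not syslog-ng's code or anything from the FAQ. The peer addresses, the reverse-DNS table, the datagrams and the hostname-detection heuristic are all constructed here; only keep_hostname(), use_dns() and use_fqdn() are modelled, and chain_hostnames(), which produced the 'server2.ourdomain.be/server2.ourdomain.be' form in the original post, is deliberately left out.

```python
"""Model of how a central syslog-ng server fills in HOSTNAME.

Added example for this thread, not syslog-ng's own code.  It covers only
the options the thread turns on: keep_hostname(), use_dns() and use_fqdn().
Reverse DNS is a constructed table so the script runs offline.
"""
import re

# Constructed reverse-DNS answers standing in for use_dns(yes) lookups.
# The addresses are invented; the names are the ones used in the thread.
REVERSE_DNS = {
    "10.0.0.11": "server1.ourdomain.be",
    "10.0.0.12": "server2.ourdomain.be",
}

# BSD syslog datagram: <PRI>[TIMESTAMP [HOSTNAME ]]MSG
PRI_RE = re.compile(r"^<(\d{1,3})>")
TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")


def parse_wire_message(raw):
    """Split a datagram into (pri, timestamp, hostname, msg).

    hostname is None when nothing on the wire can be read as one: classic
    syslogd sends '<PRI>MSG' with no timestamp and no hostname, while a
    syslog-ng client sends the full header.  The hostname test is the usual
    heuristic: the word after the timestamp is a hostname unless it already
    looks like the start of MSG (a program name ending in ':' or '[pid]:').
    """
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI>: %r" % raw)
    pri = int(m.group(1))
    rest = raw[m.end():]

    ts = TIMESTAMP_RE.match(rest)
    if not ts:
        return pri, None, None, rest
    timestamp = ts.group(0).rstrip()
    rest = rest[ts.end():]

    word, _, tail = rest.partition(" ")
    if word and ":" not in word and "[" not in word:
        return pri, timestamp, word, tail
    return pri, timestamp, None, rest


def server_hostname(raw, sender_ip, keep_hostname=True, use_dns=True,
                    use_fqdn=True):
    """Return the HOSTNAME the central server writes for this datagram.

    keep_hostname(yes): a hostname found on the wire is kept verbatim, so
    use_fqdn() never gets a chance to lengthen it, and nothing checks it
    against the address the datagram came from.
    keep_hostname(no), or no hostname on the wire: the name is derived from
    the sender's address, reverse-resolved when use_dns(yes) (falling back
    to the address itself when there is no PTR), and shortened to its first
    label unless use_fqdn(yes).
    """
    _, _, wire_host, _ = parse_wire_message(raw)
    if wire_host is not None and keep_hostname:
        return wire_host
    if not use_dns:
        return sender_ip
    name = REVERSE_DNS.get(sender_ip, sender_ip)
    if not use_fqdn and name != sender_ip:
        name = name.split(".", 1)[0]
    return name


# Constructed datagrams modelled on the lines quoted in the thread.
SYSLOGD_SERVER2 = ("<13>PAM_unix[27542]: authentication failure; "
                   "(uid=0) -> delphine for ssh service")
SYSLOGNG_SERVER1 = ("<38>Sep  7 10:08:37 server1 PAM_unix[6142]: "
                    "authentication failure; (uid=0) -> delphine for ssh service")
# A constructed datagram from a host that is not server2 but claims to be,
# to show what a kept hostname is worth as an attribution.
SPOOFED = ("<38>Sep  7 10:12:00 server2.ourdomain.be sshd[1]: "
           "Accepted password for root from 10.0.0.99")


def thread_scenarios():
    """HOSTNAME as written under the thread's config and under Nate's fix."""
    return {
        # The collector config from the thread: keep_hostname(yes), use_fqdn(yes).
        "syslogd client, as configured":
            server_hostname(SYSLOGD_SERVER2, "10.0.0.12"),
        "syslog-ng client, as configured":
            server_hostname(SYSLOGNG_SERVER1, "10.0.0.11"),
        "spoofed sender, as configured":
            server_hostname(SPOOFED, "10.0.0.99"),
        # Nate's suggestion: keep_hostname(no) plus use_fqdn(yes).
        "syslog-ng client, keep_hostname(no)":
            server_hostname(SYSLOGNG_SERVER1, "10.0.0.11", keep_hostname=False),
        "spoofed sender, keep_hostname(no)":
            server_hostname(SPOOFED, "10.0.0.99", keep_hostname=False),
    }


if __name__ == "__main__":
    for label, host in thread_scenarios().items():
        print("%-40s %s" % (label, host))
```

The first two scenarios reproduce what the thread saw: the syslogd box gets 'server2.ourdomain.be' because the collector had to invent the name from the peer address, while the syslog-ng box stays 'server1' because keep_hostname(yes) kept what the client sent. The third scenario is the reason keep_hostname(no) is also the safer setting for a collector: a kept hostname is whatever the sender wrote into the datagram, so any host able to reach the collector can label its messages as server2 until keep_hostname(no) replaces that label with the name (or, with no PTR record, the address) the datagram actually came from.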
participants (3)
- Delphine D
- Nate Campi
- Russell Fulton