Strange Directories created [I have read the listserv to no avail]
Hi All,

My syslog-ng server reports various directories based off of kernel-messages instead of hostnames. I've read the listserv and tried the various options suggested by to no avail. Perhaps someone can help with a suggestion as to what is going wrong here?

Info: syslog-ng-1.5.17-1

config file looks like:

    options {
        use_fqdn(yes);
        keep_hostname(no);
        use_dns(yes);
        long_hostnames(on);
        sync(3);
        log_fifo_size(1000);
    };
    ...
    destination hosts {
        file("/var/log/HOSTS/$HOST/$FACILITY/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY"
             owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
    };
    ...
    log { source(src); destination(hosts); };

Directories look like this:

    /var/log/HOSTS
      ?for
      ?set
      host.auckland.ac.nz

Any help would be greatly appreciated. I can't figure out where to go next.

Thanks,
Harry

--
Harry Hoffman
ITSS Systems Team Leader
University of Auckland
hhoffman@auckland.ac.nz
hhoffman@ip-solutions.net

STANDARD DISCLAIMER:
**********************************************
*This universe shipped by weight, not volume.*
*Some expansion may have occurred in shipping.*
**********************************************

-------------------------------------------------
This mail sent through IpSolutions: http://www.ip-solutions.net/
On Sat, Mar 01, 2003 at 09:05:46PM +1300, Harry Hoffman wrote:
> Hi All,
>
> My syslog-ng server reports various directories based off of kernel-messages instead of hostnames. I've read the listserv and tried the various options suggested by to no avail.
>
> Perhaps someone can help with a suggestion as to what is going wrong here?
>
> Info: syslog-ng-1.5.17-1
>
> config file looks like:
>
>     options { use_fqdn(yes); keep_hostname(no); use_dns(yes); long_hostnames(on); sync(3); log_fifo_size(1000); };
>     ...
>     destination hosts { file("/var/log/HOSTS/$HOST/$FACILITY/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
>     ...
>     log { source(src); destination(hosts); };
>
> Directories look like this:
>
>     /var/log/HOSTS
>       ?for
>       ?set
>       host.auckland.ac.nz
>
> Any help would be greatly appreciated. I can't figure out where to go next.
I was going to update the FAQ with my experiences on this the other night, but I only got around to adding something on truncated long lines.

Anyways, I had the same problem for a couple of years; even rewriting hostnames with the DNS name didn't stop those directories. It wasn't until I rolled out syslog-ng to all my hosts and had them log over TCP that they stopped appearing. It really shouldn't matter what transport you use, but for me it did: syslog-ng 1.5.x and about 75 Linux and 75 Solaris syslog clients.

I have a theory but no proof. Tell me, do you have a lot of Solaris syslog clients?

--
Nate Campi  http://www.campin.net
On Sat, Mar 01, 2003 at 09:41:14AM -0800, Nate Campi wrote:
> It really shouldn't matter what transport you use, but for me it did: syslog-ng 1.5.x and about 75 Linux and 75 Solaris syslog clients. I have a theory but no proof. Tell me, do you have a lot of Solaris syslog clients?
...I mean do you have a lot of Solaris syslog clients running their native syslogd?

--
Nate Campi  http://www.campin.net
Hi Nate,

Hmmm, that's quite interesting, as all of these strange directories are created from Solaris hosts running Sun's syslogd. Are you seeing the same thing? I don't see this behaviour on the Linux machines, but I do - very rarely - see it on the NT/2k/XP machines running NT-syslog.

Cheers,
Harry

Quoting Nate Campi <nate@campin.net>:

> On Sat, Mar 01, 2003 at 09:41:14AM -0800, Nate Campi wrote:
> >
> > It really shouldn't matter what transport you use, but for me it did,
> > syslog-ng 1.5.x and about 75 linux and 75 solaris syslog clients. I have
> > a theory but no proof. Tell me, do you have a lot of Solaris syslog
> > clients?
>
> ...I mean do you have a lot of Solaris syslog clients running their
> native syslogd?
> --
> Nate Campi http://www.campin.net

--
Harry Hoffman
On Sun, Mar 02, 2003 at 07:20:29AM +1300, Harry Hoffman wrote:
> Hmmm, that's quite interesting, as all of these strange directories are created from Solaris hosts running Sun's syslogd. Are you seeing the same thing? I don't see this behaviour on the Linux machines, but I do - very rarely - see it on the NT/2k/XP machines running NT-syslog.
Solaris syslogd (and SVR4 in general, I think) sends syslog messages across the network sans hostname, but everything else intact[1]. Under some unknown circumstances syslog-ng doesn't rewrite the hostname as it is supposed to, as evidenced by your directories with names like SCSI, etc. Since it only happens over UDP (for me anyways), that might be a clue for someone inspecting the code.

I'd say roll out syslog-ng to all your Solaris hosts. I'm certainly glad I did[2].

1. Notes on syslog formats:
   http://cert.uni-stuttgart.de/archive/loganalysis/2002/01/msg00021.html

2. My notes on replacing Solaris syslogd (2.6 - 2.9) with syslog-ng:

   Compile syslog-ng on a 2.6 box and push it out to all same and newer releases; binary compatibility handles it fine.

   On 2.6-2.8, modify /usr/lib/newsyslog to 'kill -HUP `cat /var/run/syslog-ng.pid`' instead of (IIRC) /etc/syslog.pid, and for Sol 9 do the same to the lines in /etc/logadm.conf (s|/var/run/syslog.pid|/var/run/syslog-ng.pid|).

   Remove any loghost lines from /etc/syslog.conf in case some intruder is too stupid to notice you're not running syslogd. You could use Lance Spitzner's tricks to hide your syslog-ng.conf if you're really paranoid; search the web if you're interested.

   Modify /etc/init.d/syslog (/etc/rc2.d/S74syslog) to start syslog-ng instead of syslogd, and you should also add a "reload" line that just does the 'kill -HUP `cat /var/run/syslog-ng.pid`'.

   I think that's all of it. It's not really very complicated, you just need some automated way of doing it on all hosts reliably. I use cfengine to ensure all my hosts are set up properly.

--
Nate Campi  http://www.campin.net
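The failure mode Nate describes (a datagram whose hostname field is missing, so the first word of the message body lands in $HOST and becomes a directory name) and the behaviour keep_hostname(no) with use_dns(yes) is meant to give, worked through as an added example. This is not code from the thread or from syslog-ng: the sample datagrams, the reverse-DNS table and the example.net host names are constructed, and the header split is a minimal BSD-format parser, not syslog-ng's own.

```python
"""Why a hostname-less syslog datagram turns a message word into $HOST,
and how deriving the name from the sender address avoids it.
Added example; constructed data; not syslog-ng's parser."""
import re
from typing import Dict, Iterable, List, Optional

# BSD syslog header: optional <PRI>, then "Mmm dd hh:mm:ss", then the rest.
HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<rest>.*)$"
)

# One or more DNS labels (letters, digits, inner hyphens) joined by dots.
HOSTNAME = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Constructed sample datagrams as (sender address, payload). The first carries
# a hostname field; the other three are shaped the way Nate describes Solaris
# syslogd output: header intact, hostname field absent, message body right
# after the timestamp. The tokens SCSI / for / set mirror the thread's dirs.
SAMPLES = [
    ("192.0.2.10", "<13>Mar  1 20:58:01 lnx01.example.net sshd[1234]: Accepted publickey for harry"),
    ("192.0.2.20", "<6>Mar  1 20:58:02 SCSI transport failed: reason 'reset': retrying command"),
    ("192.0.2.20", "<4>Mar  1 20:58:03 for /export/home: file system full"),
    ("192.0.2.21", "<5>Mar  1 20:58:04 set hme0 link up"),
]

# Constructed reverse-DNS table standing in for use_dns(yes).
REVERSE_DNS: Dict[str, str] = {
    "192.0.2.10": "lnx01.example.net",
    "192.0.2.20": "sol01.example.net",
    "192.0.2.21": "sol02.example.net",
}


def header_host(line: str) -> Optional[str]:
    """What a BSD-format receiver takes as the hostname: the first token after
    the timestamp. With no hostname field present, this is a message word."""
    m = HEADER.match(line)
    if not m:
        return None
    return m.group("rest").split(" ", 1)[0]


def looks_like_hostname(token: str) -> bool:
    """Shape check only. It rejects TAG-like tokens ('sshd[1234]:') but cannot
    reject a plain word such as 'SCSI', which is a legal DNS label."""
    return HOSTNAME.match(token) is not None


def host_directory(sender_ip: str, line: str, keep_hostname: bool,
                   root: str = "/var/log/HOSTS") -> str:
    """Directory a $HOST-templated file() destination would create.

    keep_hostname=True trusts the header token (the outcome Harry saw).
    keep_hostname=False emulates keep_hostname(no) + use_dns(yes): the name
    comes from the sender address, so a missing hostname field cannot leak a
    message word into the path."""
    if keep_hostname:
        host = header_host(line) or sender_ip
    else:
        host = REVERSE_DNS.get(sender_ip, sender_ip)
    return f"{root}/{host}"


def audit_directories(names: Iterable[str], known_hosts: Iterable[str]) -> List[str]:
    """Flag existing $HOST directories that are not known hosts: the way to
    find stray 'SCSI', 'for', 'set' directories already on disk."""
    known = set(known_hosts)
    return sorted(n for n in names if n not in known)


if __name__ == "__main__":
    for ip, line in SAMPLES:
        tok = header_host(line)
        print(f"{ip:12} header token={tok!r:22} plausible={looks_like_hostname(tok)!s:5} "
              f"trusting header -> {host_directory(ip, line, True)}  "
              f"from sender -> {host_directory(ip, line, False)}")
    created = ["lnx01.example.net", "SCSI", "for", "set", "sol01.example.net"]
    print("stray:", audit_directories(created, REVERSE_DNS.values()))
```

The point the shape check makes is that 'SCSI' passes it: a syntactic test cannot separate a message word from a short hostname, so the dependable fix is the one Nate arrived at, deriving $HOST from the sender (or running syslog-ng on the client so the hostname field is actually present), with the audit step used once to clean up what was already created.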