Logs from Nauticus
Hello,

Is there someone here having some knowledge of how to send logs from Nauticus (Sun Secure Application Switch Manager N2120) to syslog-ng? I receive the logs on the centralized logs server but without any information about the source of the logs (no IP, no hostname). In other words:

Sep 7 14:03:29 2007 v0 AAA [0/100e8] [ERROR]: User authentication failure, user: 'test', host: 1.2.3.4, application: httpLogin, method: TACACS(serviceNotAvailable) serviceNotAvailable

instead of:

Sep 7 14:03:29 2007/nauticus.ourdomain.be v0 AAA [0/100e8] [ERROR]: User authentication failure, user: 'test', host: 1.2.3.4, application: httpLogin, method: TACACS(serviceNotAvailable) serviceNotAvailable

Is there a parameter to change in the N2120?

Thank you very much.
On Fri, Sep 07, 2007 at 03:18:27PM +0200, Delphine D wrote:
> I receive the logs on the centralized logs server but without any information about the source of the logs (no IP, no hostname).
> In other words:
> Sep 7 14:03:29 2007 v0 AAA [0/100e8] [ERROR]: User authentication failure, user: 'test', host: 1.2.3.4, application: httpLogin, method: TACACS(serviceNotAvailable) serviceNotAvailable
> instead of:
> Sep 7 14:03:29 2007/nauticus.ourdomain.be v0 AAA [0/100e8] [ERROR]: User authentication failure, user: 'test', host: 1.2.3.4, application: httpLogin, method: TACACS(serviceNotAvailable) serviceNotAvailable
> Is there a parameter to change in the N2120?
Those aren't standard syslog messages, and it's possible that paired with how Solaris sends a header but not a hostname, syslog-ng could be getting confused about this. You should send your "options" part of your syslog-ng.conf, and read http://www.campin.net/syslog-ng/syslog.html to see if it helps you understand what the messages look like on the wire and how syslog-ng makes its best guesses about what the fields mean.

Something similar is the reason for the "bad_hostname" option, but that's for when program names look like hostnames. You have a header section that looks like a hostname, but I'm not sure if you have a keep_hostname(no) that's stripping out your hostname from that weird header section that looks like syslog-ng's "chain_hostnames".

So send your options to the list, try setting keep_hostname(yes), or see if you can force a normal syslog format on the client side. What they're sending is wrong in a new way that isn't worked around in syslog-ng (AFAIK).

-- 
Nate

"Reader, suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." - Samuel Clemens
Thank you Nate for your help.

Here is the syslog-ng.conf from my logs server:

options {
    create_dirs(yes);
    dir_perm(0705);
    dir_owner(root);
    perm(0600);
    owner(root);
    sync(0);
    check_hostname(no);
    use_fqdn(yes);
    use_dns(yes);
    dns_cache(yes);
    dns_cache_expire(604800);
    dns_cache_size(400);
    stats(60);
    keep_hostname(yes);
    chain_hostnames(yes);
};

I'm not sure that we have the ability to change something in the Nauticus. There is no Syslog or Syslog-ng running on it. There are no configuration files like in "normal" servers (Linux, Solaris, ...). There is only a parameters section in the GUI, where you have to configure:

- SysLog Host --> IP of the logs server
- Syslog Port --> 514
- Filter --> defaultSyslog (by default)
- Facility --> local0, local1, .... or local7

But I don't find anything about hostname.

The strangest thing is that it was working fine a few weeks ago but it has suddenly stopped working :-(

Thanks.
On Fri, Sep 07, 2007 at 04:47:31PM +0200, Delphine D wrote:
> Thank you Nate for your help.
> Here is the syslog-ng.conf from my logs server:
> options { create_dirs(yes);
> <snip>
> chain_hostnames(yes); };
Try chain_hostnames(no). No matter what, you're dealing with a bad format that's close enough to a good one to make syslog-ng guess incorrectly. This isn't the fault of syslog-ng, just a result of the imperfect world we live in.
> I'm not sure that we have the ability to change something in the Nauticus. There is no Syslog or Syslog-ng running on it. There are no configuration files like in "normal" servers (Linux, Solaris, ...).
> There is only a parameters section in the GUI, where you have to configure:
> - SysLog Host --> IP of the logs server
> - Syslog Port --> 514
> - Filter --> defaultSyslog (by default)
> - Facility --> local0, local1, .... or local7
Any other options? Any other Filter options, specifically? I've actually run perl-based syslog proxy code I wrote to work around really crappy syslog formats. The bad_hostname option came as a result of me bitching about the bad formats loudly enough and long enough. :) ISTR that syslog-ng 2.0 now has some rewriting ability. I haven't been paying much attention to that branch, you should probably read up on it. Possible that it's only in the dev branch - like I said I haven't been paying much attention.
> But I don't find anything about hostname.
> The strangest thing is that it was working fine a few weeks ago but it has suddenly stopped working :-(
Somebody changed either the syslog-ng server or your client. Maybe not even configs, but version upgrade on the client perhaps.

-- 
Nate

An Emacs reference mug is what I want. It would hold ten gallons of coffee. -- Steve VanDevender
And, no doubt, have a lid that could only be removed with an obscure finger combination requiring both hands. (Ctrl-Alt-Meta-X gimme-the-damn-coffee) -- William Beegle
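An added illustration (not from the thread and not syslog-ng's own code) of the header heuristic Nate describes, as a simplified model in Python: the BSD-syslog rule takes the first token after the timestamp as the hostname, so the year "2007" the N2120 emits becomes the host; chain_hostnames(yes) joins it with the resolved sender, and a bad_hostname() pattern that matches the year makes the parser fall back to the sender's name. The pattern ^\d{4}$ and the sender name nauticus.ourdomain.be are assumptions; the thread does not say which pattern Delphine used.

```python
import re

# Constructed sample input: the raw line the N2120 emits (copied from the thread)
# and the name the log server's use_dns(yes) would resolve the source IP to
# (assumed; taken from the expected output quoted in the thread).
RAW = ("Sep 7 14:03:29 2007 v0 AAA [0/100e8] [ERROR]: User authentication failure, "
       "user: 'test', host: 1.2.3.4, application: httpLogin, "
       "method: TACACS(serviceNotAvailable) serviceNotAvailable")
SENDER = "nauticus.ourdomain.be"

# Optional <PRI>, then the BSD timestamp "Mmm dd hh:mm:ss"; the rest is header + message.
HEADER_RE = re.compile(r"^(?:<\d{1,3}>)?([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (.*)$")

def parse_bsd(raw, sender, keep_hostname=True, chain_hostnames=False, bad_hostname=None):
    """Simplified model of the BSD-syslog header heuristic (not syslog-ng's code).

    Returns (timestamp, host, message). The first whitespace-delimited token after
    the timestamp is taken as the hostname unless it matches bad_hostname, in which
    case the message is treated as having no hostname and the sender's name is used.
    """
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("no BSD timestamp in %r" % raw[:40])
    ts, rest = m.groups()
    token, _, remainder = rest.partition(" ")
    if bad_hostname is not None and re.search(bad_hostname, token):
        # Token rejected as a hostname: it stays in the message, the sender is the host.
        return ts, sender, rest
    if not keep_hostname:
        # keep_hostname(no): the header token is consumed but replaced by the sender.
        return ts, sender, remainder
    # chain_hostnames(yes) yields the "HOST1/HOST2" form seen in the thread.
    host = "%s/%s" % (token, sender) if chain_hostnames else token
    return ts, host, remainder

def render(raw, sender, **options):
    ts, host, msg = parse_bsd(raw, sender, **options)
    return "%s %s %s" % (ts, host, msg)

if __name__ == "__main__":
    # What the thread reports seeing: the year is taken as the hostname.
    print(render(RAW, SENDER))
    # chain_hostnames(yes): the "2007/nauticus.ourdomain.be" form the thread expected.
    print(render(RAW, SENDER, chain_hostnames=True))
    # bad_hostname() matching a bare four-digit year (assumed pattern): real sender used.
    print(render(RAW, SENDER, bad_hostname=r"^\d{4}$"))
```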
Great, it's working fine when using the option bad_hostname :-) Thank you very much for your help ! Delphine
From: Nate Campi <nate@campin.net>
Reply-To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Logs from Nauticus
Date: Fri, 7 Sep 2007 08:59:05 -0700
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
participants (2)
- Delphine D
- Nate Campi