That is interesting. Thinking it is a version problem, I upgraded syslog-ng on another machine to 1.6.9. I attempted the same test below and got the same results. A space in the tag causes the TAG information to disappear.
I am curious Evan, what are your syslog-ng options?
I guess now it could be my LOGHOST environment. I am running syslog-ng 1.6.9 on a gentoo linux box running kernel 2.6-15. Here is another example of what this box does:
# logger -t "alex" funny
# logger -t "alex " funny
Results:
Jun 19 11:53:04 src@lookout alex: funny
Jun 19 11:53:30 src@lookout : funny
These results are on a totally separate box running a new version of syslog-ng. Since it worked in Evan's example below, syslog-ng might not be the one to blame. But what other factors could cause me to lose the TAG information of a local syslog message other than the process accepting, parsing, and storing the message itself; syslog-ng?
Alex
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Evan Rempel
Sent: Monday, June 19, 2006 12:50 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Losing TAG information
In an AIX 5.2 machine
% logger -t evan funny
% logger -t "evan " funny
results in
Jun 19 10:47:17 casa.comp.uvic.ca casa: evan: funny
Jun 19 10:47:25 casa.comp.uvic.ca casa: evan : funny
In AIX 4.3.3
% logger -t evan funny
% logger -t "evan " funny
results in
Jun 19 10:48:57 casual.uvic.ca casual: evan: funny
Jun 19 10:49:03 casual.uvic.ca casual: evan : funny
So, it would appear that the 1.6.8 syslog-ng does not suffer from the symptoms you describe.
Evan.
SOLIS, ALEX wrote:
Thank you for your reply Evan.
So, if you attempt what I did in bullet two in the previous post below do you get different results? If you do, then maybe I should consider upgrading my version of syslog-ng. Thanks again.
Alex
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Evan Rempel
Sent: Monday, June 19, 2006 10:38 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Losing TAG information
All I can really add is that we have a mix of AIX 4.3.3 through 5.3 that are logging to a linux syslog-ng 1.6.8 machine and we are not experiencing the symptoms that you describe. I have a couple of applications where the tag ends up being "syslog" when it should be something else, but that is quite a bit different than removing it entirely.
Evan.
SOLIS, ALEX wrote:
I appreciate your sympathy but it does not help me with my TAG problem. :)
Anyone else have any idea how to stop syslog-ng from purging the TAG information from an AIX syslogd message? I have successfully sniffed syslog traffic between the AIX servers and my LOGHOST. The TAG (Process Name info) is definitely intact on the wire. This confirms that syslog-ng is simply parsing the log message and removing the TAG info.
I did some more tests on the Linux LOGHOST using the logger utility and I found that syslog-ng does not like spaces after the TAG information. For example:
1) logger -p syslog.info -t "TEST_TAG" "TEST_MESSAGE"
Generates the log:
Jun 19 08:42:38 loghost TEST_TAG: TEST_MESSAGE
2) logger -p syslog.info -t "TEST_TAG " "TEST_MESSAGE"
Generates the log:
Jun 19 08:44:08 loghost : TEST_MESSAGE
Example two lost the TAG information because of the space after TEST_TAG. I have considered the possibility that the messages being sent from the AIX box do not conform to syslog formatting standards and therefore syslog-ng discards the field. But I would like to know if there is anything that can be done to stop this behavior.
Thanks for all responses, even sympathetic ones. :)
Alex
-----Original Message-----
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
Sent: Tuesday, June 13, 2006 9:09 PM
To: SOLIS, ALEX
Subject: Re: [syslog-ng] Losing TAG information
On Tue, 13 Jun 2006 10:07:33 CDT, "SOLIS, ALEX" said:
(off-list reply)
I have about 20 or so AIX 4.3 servers that are sending syslog messages to a Linux desktop running syslog-ng 1.6.5.
You have my condolences. IBM dropped support for even AIX 4.3.3 several years ago - hopefully you're not having problems keeping the software running and secure...
This e-mail contains Omaha Public Power District's confidential and proprietary information and is for use only by the intended recipient. Unless explicitly stated otherwise, this e-mail is not a contract offer, amendment, nor acceptance. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. _______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
-- Evan Rempel erempel@uvic.ca Senior Programmer Analyst 250.721.7691 Computing Services University of Victoria
Try switching back to default syslog and see if the same symptom occurs. That would point to a problem in the kernel handling of data destined for /dev/log.
My environment is Redhat AS 3 update 5 (perhaps 6). That works out to kernel 2.4.21.
The syslog-ng.conf is
options {
    sync(0);
    log_fifo_size(100000);
    use_fqdn(yes);
    keep_hostname(no);
    chain_hostnames(no);
    time_reap(60);
    time_reopen(5);
    use_time_recvd(no);
};
source local {
    unix-dgram("/dev/log");
    file("/proc/kmsg" log_prefix("kernel: "));
    internal();
};
source network {
    udp(port(514));
};
... a whole bunch of destinations, filters and log lines, but no flags or options on them.
Evan.
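The symptom reported in this thread leaves stored lines with an empty program field, so one way to see which senders are affected is to scan the destination file for such lines. This is an added example, not part of any poster's message; the regular expression assumes the stored layout seen in the quoted log lines, and `classify` and `missing_tag_by_host` are hypothetical helper names.

```python
import re
from collections import Counter

# Stored-line layout assumed from the log lines quoted in the thread:
#   "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]*)"       # program name; empty when the TAG was lost
    r"(?:\[(?P<pid>\d+)\])?"    # optional [pid]
    r"\s*: ?(?P<msg>.*)$"
)

def classify(line):
    """Return (status, host, detail) for one stored log line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return ("unparsed", None, None)
    if m.group("tag") == "":
        return ("missing-tag", m.group("host"), m.group("msg"))
    return ("ok", m.group("host"), m.group("tag"))

def missing_tag_by_host(lines):
    """Count lines with an empty program field, grouped by sending host."""
    counts = Counter()
    for line in lines:
        status, host, _ = classify(line)
        if status == "missing-tag":
            counts[host] += 1
    return dict(counts)

# The four stored lines quoted in the thread, plus one constructed line
# with no "program:" part at all.
SAMPLE = [
    "Jun 19 08:42:38 loghost TEST_TAG: TEST_MESSAGE",
    "Jun 19 08:44:08 loghost : TEST_MESSAGE",
    "Jun 19 11:53:04 src@lookout alex: funny",
    "Jun 19 11:53:30 src@lookout : funny",
    "Jun 19 12:00:00 loghost free text without a program field",  # constructed
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line)[0].ljust(12), line)
    print(missing_tag_by_host(SAMPLE))
```

Lines reported as `missing-tag` are the ones a filter keyed on program name would no longer match.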