Syslog-ng on Solaris 9 problem
Hello experts,

today we switched our syslog-ng server from Linux (CentOS 5.5) to a Solaris 9 box. All went well, until I noticed that syslog-ng obviously changes some of the log entries.

Here are the 2 examples I noticed:

Message on the local host:
Oct 18 14:19:15 xxx kernel: IN=eth1 OUT= MAC=xxx SRC=xxx DST=xxx LEN=235 TOS=0x00 PREC=0x00 TTL=128 ID=119 PROTO=UDP SPT=138 DPT=138 LEN=215
Message on the syslog-ng server:
Oct 18 14:19:15 xxx kernel: kernel: IN=eth1 OUT= MAC=xxx SRC=xxx DST=xxx LEN=235 TOS=0x00 PREC=0x00 TTL=128 ID=119 PROTO=UDP SPT=138 DPT=138 LEN=215
(one "kernel: " added)

Message on the local host:
Oct 18 14:03:06 xxx last message repeated 2 times
Message on the syslog-ng server:
Oct 18 14:03:06 xxx last: message repeated 2 times
(one ":" added)

On Linux I never saw this behaviour. Until now I couldn't find the mistake. What am I doing wrong? Did anyone else see something like this?

Thanks in advance for your help.

Kind regards,
Elgin Lorenz

--
Elgin Lorenz
BTU Cottbus
Universitaetsrechenzentrum
Tel. 0355 693573
E-Mail lorenz@tu-cottbus.de
On Mon, 2010-10-18 at 14:41 +0200, Elgin Lorenz wrote:
I don't know the syslog-ng version, but can you try the flags(store-legacy-msghdr) flag on your source?

--
Bazsi
Balazs Scheidler wrote:
I don't know the syslog-ng version, but can you try: flags(store-legacy-msghdr) flag on your source?
Thank you for your reply.

I'm sorry, I forgot to mention it's syslog-ng 3.0.4.

I tried the option you suggested. It changed the "last message repeated" log entry; this one is correct now. The "kernel: kernel: " entry is still wrong.

The source driver looks like this:

source s_udp { udp (ip(xxx.xxx.xxx.xxx) port(xxx) flags(store-legacy-msghdr)); };

Any other ideas?

Thanks in advance.

Kind regards,
Elgin Lorenz
On Wed, Oct 20, 2010 at 01:40:44PM +0200, Elgin Lorenz wrote:
source s_udp { udp (ip(xxx.xxx.xxx.xxx) port(xxx) flags(store-legacy-msghdr)); };
Any other ideas?
Could it be you need the same flag set on your other source for the kernel?
MfG, Matthew Hall.
Matthew Hall wrote:
Could it be you need the same flag set on your other source for the kernel?
Thank you for your reply.

I'm afraid I don't know exactly what you mean. There is only one source driver for remote sources; it is the above-mentioned one. The only other source driver is the sun-streams driver for Solaris messages:

source s_sys { sun-streams ("/dev/log" door("/etc/.syslog_door")); internal(); };

It seems to work correctly for all messages. Anyway, I tried the flag option with this driver, but it doesn't seem to accept it; I always get a syntax error.

Kind regards,
Elgin Lorenz
On Thu, 2010-10-21 at 13:51 +0200, Elgin Lorenz wrote:
The only other source driver is the sun-streams driver for Solaris messages:
source s_sys { sun-streams ("/dev/log" door("/etc/.syslog_door")); internal(); };
It seems to work correctly for all messages. Anyway I tried the flag option with this driver, but is doesn't seem to accept it, I always get a syntax error.
The question is where those "kernel" messages are coming from. Are they locally generated, or are they coming in on the udp source?

--
Bazsi
Balazs Scheidler wrote:
The question is where those "kernel" messages are coming from? Are those locally generated or are they coming on the udp source?
They are coming from remote machines on the udp source. Locally generated messages appear correctly.

Kind regards,
Elgin Lorenz
On Fri, 2010-10-22 at 12:35 +0200, Elgin Lorenz wrote:
They are coming from remote machines on the udp source. Locally generated messages appear correctly.
But then, those machines probably generate these messages this way in the first place. Are they using the same configuration?

--
Bazsi
Balazs Scheidler wrote:
But then, those machines probably generate these messages this way in the first place. Are they using the same configuration?
The remote machines are configured to store the logs both on their own system and on the syslog-ng server. The log entries stored locally on the remote machines are correct. The same log entries delivered to the syslog-ng server contain the additional entries.

Kind regards,
Elgin Lorenz
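Two points in the thread can be reproduced with a small model of how a relay takes a legacy syslog datagram apart and writes it back out through a template: Bazsi's store-legacy-msghdr suggestion and Elgin's report that it fixed the "last message repeated" line but not the "kernel: kernel:" line, and Bazsi's later question of whether the senders already emit the doubled tag. The code below is an added example, not syslog-ng's code. Its parsing rules (a hostname is always present; the program name runs up to the first space, "[" or ":"; a header that was not in "program[pid]: " form is rebuilt in that form unless the original header text is kept) are a simplified assumption about RFC 3164 style handling, the "$DATE $HOST $MSGHDR$MSG" template is assumed to stand in for a default file template, and the sample datagrams are constructed from the redacted lines in the thread.

```python
"""Model of legacy syslog header parsing and re-serialisation on a relay.

Added example, not syslog-ng code.  The parsing rules are a simplified
assumption about RFC 3164 style handling, used to show why a header that is
not in "program[pid]: " form can come back out with an extra ':' and what
keeping the original header text (the effect of store-legacy-msghdr) changes.
"""
import re

PRI_RE = re.compile(r'^<(\d{1,3})>')
TS_RE = re.compile(r'^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ')
# Assumed stand-in for a default file destination template.
DEFAULT_TEMPLATE = '$DATE $HOST $MSGHDR$MSG'


def synthesised_msghdr(f):
    """Header rebuilt from PROGRAM/PID; always comes out as 'program[pid]: '."""
    if not f['PROGRAM']:
        return ''
    pid = '[%s]' % f['PID'] if f['PID'] else ''
    return '%s%s: ' % (f['PROGRAM'], pid)


def parse_legacy(datagram, store_legacy_msghdr=False):
    """Split '<PRI>Mmm dd hh:mm:ss HOST PROGRAM[PID]: MSG' into macro values.

    Assumes a hostname is present after the timestamp (no heuristics for
    datagrams that omit it).
    """
    f = {'PRI': '', 'DATE': '', 'HOST': '', 'PROGRAM': '', 'PID': '',
         'MSG': '', 'MSGHDR': ''}
    rest = datagram
    m = PRI_RE.match(rest)
    if m:
        f['PRI'] = int(m.group(1))
        rest = rest[m.end():]
    m = TS_RE.match(rest)
    if m:
        f['DATE'] = m.group(1)
        rest = rest[m.end():]
    f['HOST'], _, body = rest.partition(' ')
    # Program name runs up to the first space, '[' or ':'.
    i = 0
    while i < len(body) and body[i] not in ' [:':
        i += 1
    f['PROGRAM'] = body[:i]
    if i < len(body) and body[i] == '[':
        j = body.find(']', i)
        if j != -1:
            f['PID'] = body[i + 1:j]
            i = j + 1
    if i < len(body) and body[i] == ':':
        i += 1
    while i < len(body) and body[i] == ' ':
        i += 1
    f['MSG'] = body[i:]
    if store_legacy_msghdr:
        f['MSGHDR'] = body[:i]           # header text exactly as received
    else:
        f['MSGHDR'] = synthesised_msghdr(f)
    return f


def render(f, template=DEFAULT_TEMPLATE):
    """Expand $MACRO names in a template, longest names first ($MSGHDR before $MSG)."""
    out = template
    for name in sorted(f, key=len, reverse=True):
        out = out.replace('$' + name, str(f[name]))
    return out


def relay(datagram, store_legacy_msghdr=False, template=DEFAULT_TEMPLATE):
    """What the relay writes to its destination for one received datagram."""
    return render(parse_legacy(datagram, store_legacy_msghdr), template)


# Constructed datagrams, modelled on the redacted lines in the thread.
KERNEL_LINE = ('<4>Oct 18 14:19:15 xxx kernel: IN=eth1 OUT= MAC=xxx SRC=xxx DST=xxx '
               'LEN=235 TOS=0x00 PREC=0x00 TTL=128 ID=119 PROTO=UDP SPT=138 DPT=138 LEN=215')
REPEAT_LINE = '<6>Oct 18 14:03:06 xxx last message repeated 2 times'
# A datagram that already carries the doubled tag when it arrives.
DOUBLED_LINE = ('<4>Oct 18 14:19:15 xxx kernel: kernel: IN=eth1 OUT= MAC=xxx SRC=xxx '
                'DST=xxx LEN=235')

if __name__ == '__main__':
    for line in (KERNEL_LINE, REPEAT_LINE, DOUBLED_LINE):
        print('in :', line)
        print('out:', relay(line))
        print('out (store-legacy-msghdr):', relay(line, store_legacy_msghdr=True))
        print()
```

In this model "last message repeated 2 times" has no "program:" header, so PROGRAM becomes "last", and a rebuilt header adds the ":" that Elgin saw; keeping the received header text removes it again, which matches his result. A datagram that already contains "kernel: kernel: " comes out unchanged in both modes, so the relay is not the only candidate for that duplication. The useful next check is to capture the datagram as it arrives on the Solaris box (snoop there, or tcpdump -A on the Linux sender) and compare the raw payload with the written line; the constructed lines above can be replaced with a captured payload to see what each mode does with it.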
participants (3)
- Balazs Scheidler
- Elgin Lorenz
- Matthew Hall