Duplicate header ? - syslog-ng - lists.balabit.hu

newer
Re: [syslog-ng] Filter Not Working...

Duplicate header ?

older
Filter Not Working (too many...

Scot

8 Jun 2017 8 Jun '17

7:04 p.m.

I seem to be getting a duplicate host header in my udp syslog input where the IP is printed twice. IP/IP any ideas where it comes from ? Same result for either of these. #source s_net_udp {udp(ip(0.0.0.0) port(514) keep_hostname(yes) so_rcvbuf(262142));}; #source s_net_udp {syslog(ip(10.189.252.62) port(514) transport("udp") flags(no-hostname) so_rcvbuf(262142));}; Jun 8 13:55:21 *192.168.10.10/192.168.10.10 <http://192.168.10.10/192.168.10.10> * fw-aplha %ASA-4-106 ..............

Attachments:

attachment.html (text/html — 746 bytes)

Show replies by date

Evan Rempel

8 Jun 8 Jun

7:07 p.m.

That is what you get when you set keep_hostname(yes) The first IP address is the one placed into the message (on the wire) by the source device. The second one is added by the local/receiving syslog-ng system. If you enabled the DNS for this, you would get the locally resolved DNS name for that IP. Evan. On 06/08/2017 11:04 AM, Scot wrote:

I seem to be getting a duplicate host header in my udp syslog input where the IP is printed twice.

IP/IP any ideas where it comes from ?

Same result for either of these. #source s_net_udp {udp(ip(0.0.0.0) port(514) keep_hostname(yes) so_rcvbuf(262142));}; #source s_net_udp {syslog(ip(10.189.252.62) port(514) transport("udp") flags(no-hostname) so_rcvbuf(262142));};

Jun 8 13:55:21 *192.168.10.10/192.168.10.10 <http://192.168.10.10/192.168.10.10> * fw-aplha %ASA-4-106 ..............

Fabien Wernli

9:14 p.m.

New subject: ReRe: Duplicate header ?

On Thu, Jun 08, 2017 at 11:07:49AM -0700, Evan Rempel wrote:

That is what you get when you set keep_hostname(yes)

I think you meant chain_hostnames(yes)

Scot

11:39 p.m.

New subject: ReRe: Duplicate header ?

Yep chain_hostnames or the combination of the two were the suspect. I forgot I had set it in a global conf. Good table here. https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-o... On Thu, Jun 8, 2017 at 4:14 PM, Fabien Wernli <wernli@in2p3.fr> wrote:

On Thu, Jun 08, 2017 at 11:07:49AM -0700, Evan Rempel wrote:

...
That is what you get when you set keep_hostname(yes)

I think you meant chain_hostnames(yes)

____________________________________________________________ __________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/? product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq

2998

Age (days ago)

2998

Last active (days ago)

Download

3 comments

3 participants

tags

participants (3)

Evan Rempel
Fabien Wernli
Scot