syslog-ng incorrectly parsing some messages
I am running syslog-ng 1.8.6 on my central syslog server. The syslog clients run standard syslog daemons that come with the operating systems: Solaris, Cisco, etc.

I have noticed in my syslog-ng database (mysql) that there are many entries like these (two separate rows):

| 192.168.11.27 | kern | info | info | 06 | 2005-11-05 | 22:37:20 | scsi | scsi: [ID 365881 kern.info] /sbus@2,0/QLGC,isp@1,10000 (isp0): | 512925 |
-------------------------------------------------------------------------
| Firmware | kern | info | info | 06 | 2005-11-05 | 22:37:20 | Version | Version: v1.37.5, Customer: 15, Product: 0 | 512926 |

These seem to be the result of syslog-ng (or the remote client) incorrectly parsing the syslog message. These are the original syslog messages that the Solaris 9 client logs to its logs:

Nov 5 22:37:20 lefou scsi: [ID 365881 kern.info] /sbus@a,0/QLGC,isp@1,10000 (isp1):
Nov 5 22:37:20 lefou Firmware Version: v1.37.5, Customer: 15, Product: 0

As you can see, the original is two separate messages as well, but what gets logged to syslog-ng's database doesn't contain the hostname for the second message. In the second entry the hostname is listed as "Firmware". I have found many examples of these multiline messages being parsed incorrectly if you need more.

Any ideas?

Thanks,
Mike

Another example...

Nov 5 22:37:20 lefou scsi: [ID 365881 kern.info] /sbus@3,0/SUNW,fas@3,8800000 (fas0):
Nov 5 22:37:20 lefou rev 2.2 FEPS chip

| 192.168.11.27 | kern | info | info | 06 | 2005-11-05 | 22:37:20 | scsi | scsi: [ID 365881 kern.info] /sbus@3,0/SUNW,fas@3,8800000 (fas0): | 512932 |
| rev | kern | info | info | 06 | 2005-11-05 | 22:37:20 | | 2.2 FEPS chip | 512933 |
On Mon, Nov 07, 2005 at 09:45:15PM -0500, Crayola wrote:
> I have noticed in my syslog-ng database (mysql) that there are many entries like these. (two separate rows)
>
> This is the original syslog messages that the Solaris 9 client logs to its logs.
>
> Nov 5 22:37:20 lefou scsi: [ID 365881 kern.info] /sbus@a,0/QLGC,isp@1,10000 (isp1):
> Nov 5 22:37:20 lefou Firmware Version: v1.37.5, Customer: 15, Product: 0
This problem is fully explained here:

http://www.campin.net/syslog-ng/syslog.html

It's because when syslog-ng sees it, Solaris has left off the hostname. It looks like this (I made up the PRI value, in case anyone is wondering):

<13>Nov 5 22:37:20 Firmware Version: v1.37.5, Customer: 15, Product: 0

...and syslog-ng sees a completely valid message with a hostname "Firmware" and a program name "Version:".

This happens to everyone who uses Solaris syslogd clients sooner or later, and it is exactly the reason that the bad_hostname() option was created. This means that you can do one of two things:

1. replace Solaris syslogd with syslog-ng (easy if you run something like cfengine to automate the installs, hard if not, and it might cause problems with vendor support)

2. put this in your config file:

options {
    bad_hostname("Firmware");
    ...whatever else...
};

The example Solaris syslog-ng config file has bad_hostname() in it:

http://www.campin.net/syslog-ng/solaris-conf.txt

-- 
Nate

"A C program is like a fast dance on a newly waxed dance floor by people carrying razors." - Waldi Ravens.
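The two messages in this thread (Mike's database rows and Nate's explanation of why "Firmware" ends up in the host column) both come down to the same property of the BSD syslog line format: nothing marks where the hostname ends, so a receiver takes the first whitespace-delimited token after the timestamp as the host. The Python below is an added illustration written for this page, not syslog-ng's own parser and not code from either poster. It is a simplified model of that header parse: it decodes the optional <PRI>, takes the next token as the hostname, and takes the program name as the text up to the first ':', '[' or space. A `bad_hostname` regex (applied with `re.fullmatch`, an assumption about semantics; syslog-ng's option takes its own regex syntax) makes the parser treat a matching token as "no hostname was sent" and fall back to the sender address instead. The sample lines are constructed from the ones quoted in the thread, with Nate's made-up PRI value of 13, and the sender address 192.168.11.27 is taken from Mike's table.

```python
import re
from dataclasses import dataclass
from typing import Optional

# BSD syslog header: optional <PRI>, then "Mmm dd hh:mm:ss" (day may be space- or
# single-digit padded), then one space. There is no delimiter for the hostname.
_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
)


@dataclass
class ParsedMessage:
    facility: Optional[int]   # PRI >> 3, or None when the line carried no <PRI>
    severity: Optional[int]   # PRI & 7, or None when the line carried no <PRI>
    host: str                 # hostname the receiver ends up recording
    program: str              # first word of the body, up to ':' '[' or space
    message: str              # everything after the hostname field
    host_was_rejected: bool   # True when the bad_hostname pattern overrode the token


def parse_bsd_syslog(line: str, sender: str,
                     bad_hostname: Optional[str] = None) -> ParsedMessage:
    """Simplified model (not syslog-ng's code) of a BSD syslog header parse.

    The token after the timestamp is taken as the hostname because the format
    has no other way to tell. If `bad_hostname` matches that token, the line is
    treated as if the client omitted the hostname: the token stays part of the
    message text and the sender address is used as the host instead.
    """
    m = _HEADER.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog header: {line!r}")
    pri = m.group("pri")
    facility = int(pri) >> 3 if pri is not None else None
    severity = int(pri) & 7 if pri is not None else None
    rest = line[m.end():]

    token, _, remainder = rest.partition(" ")
    if bad_hostname is not None and re.fullmatch(bad_hostname, token):
        # Rejected hostname: the whole remainder is the message, host comes from the sender.
        host, body, rejected = sender, rest, True
    else:
        host, body, rejected = token, remainder, False

    pm = re.match(r"[^\s:\[]+", body)
    program = pm.group(0) if pm else ""
    return ParsedMessage(facility, severity, host, program, body, rejected)


# Constructed sample input: the two Solaris lines from the thread as the receiver
# would see them on the wire, with the made-up PRI 13 and the sender 192.168.11.27.
SENDER = "192.168.11.27"
LINE_WITH_HOST = ("<13>Nov 5 22:37:20 lefou scsi: [ID 365881 kern.info] "
                  "/sbus@a,0/QLGC,isp@1,10000 (isp1):")
LINE_WITHOUT_HOST = "<13>Nov 5 22:37:20 Firmware Version: v1.37.5, Customer: 15, Product: 0"


def demo(pattern: Optional[str]):
    """Parse both sample lines with the given bad_hostname pattern (None = option off)."""
    return [parse_bsd_syslog(LINE_WITH_HOST, SENDER, pattern),
            parse_bsd_syslog(LINE_WITHOUT_HOST, SENDER, pattern)]


if __name__ == "__main__":
    for label, pattern in (("without bad_hostname", None), ("with bad_hostname", "Firmware")):
        print(f"== {label} ==")
        for p in demo(pattern):
            print(f"host={p.host!r:18} program={p.program!r:12} rejected={p.host_was_rejected}")
```

Run without a pattern, the second line parses exactly as Nate describes: host "Firmware", program "Version", and the genuine host is lost. With `bad_hostname="Firmware"` the host field becomes the sender address and "Firmware" is kept in the message text, while the first line, whose token "lefou" does not match, is unaffected. Mike's second example ("rev 2.2 FEPS chip") shows why the pattern has to cover every leading word that Solaris emits on a continuation line, which is the kind of alternation the option's regex argument is for.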