syslog-ng loses hostname information on some syslog logs sent via UDP
Hi,

I am running syslog-ng on a HP-UX server listening on UDP port 514. It is receiving logs from syslogd running on another server. For some messages syslog-ng does not log the hostname information found in the UDP packet. Rather, it mistakes some data in UDP as the hostname information.

Here is the complete information.

syslog-ng 2.0.9 on HP-UX. Syslogd on node01 sends logs to syslog-ng on node02.

The logs in node02 are,

Jan 9 11:55:11 node01 root: testing1
Jan 9 11:55:32 above message repeats 5 times
Jan 9 11:55:32 node01 root: testing4

Notice that hostname is missing in the second message. tcpdump on UDP port 514 for the above logs:

11:57:26.183996 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39220, offset 0, flags [DF], proto UDP (17), length 62)
    node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 34
        Facility user (1), Severity notice (5)
        Msg: Jan 9 11:55:11 root: testing1
        0x0000:  3c31 333e 4a61 6e20 2039 2031 313a 3535
        0x0010:  3a31 3120 726f 6f74 3a20 7465 7374 696e
        0x0020:  6731
        0x0000:  0030 6e4a 3244 0030 6e4b 2637 0800 4500  .0nJ2D.0nK&7..E.
        0x0010:  003e 9934 4000 4011 3c2c 10b5 a1f0 10b5  .>.4@.@.<,......
        0x0020:  a1f4 e03b 0202 002a a973 3c31 333e 4a61  ...;...*.s<13>Ja
        0x0030:  6e20 2039 2031 313a 3535 3a31 3120 726f  n..9.11:55:11.ro
        0x0040:  6f74 3a20 7465 7374 696e 6731            ot:.testing1
11:57:26.185727 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 64, id 39221, offset 0, flags [DF], proto UDP (17), length 78)
    node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 50
        Facility user (1), Severity notice (5)
        Msg: Jan 9 11:55:32 above message repeats 5 times
        0x0000:  3c31 333e 4a61 6e20 2039 2031 313a 3535
        0x0010:  3a33 3220 2061 626f 7665 206d 6573 7361
        0x0020:  6765 2072 6570 6561 7473 2035 2074 696d
        0x0030:  6573
        0x0000:  0030 6e4a 3244 0030 6e4b 2637 0800 4500  .0nJ2D.0nK&7..E.
        0x0010:  004e 9935 4000 4011 3c1b 10b5 a1f0 10b5  .N.5@.@.<.......
        0x0020:  a1f4 e03b 0202 003a b3b0 3c31 333e 4a61  ...;...:..<13>Ja
        0x0030:  6e20 2039 2031 313a 3535 3a33 3220 2061  n..9.11:55:32..a
        0x0040:  626f 7665 206d 6573 7361 6765 2072 6570  bove.message.rep
        0x0050:  6561 7473 2035 2074 696d 6573            eats.5.times
11:57:26.186879 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39222, offset 0, flags [DF], proto UDP (17), length 62)
    node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 34
        Facility user (1), Severity notice (5)
        Msg: Jan 9 11:55:32 root: testing4
        0x0000:  3c31 333e 4a61 6e20 2039 2031 313a 3535
        0x0010:  3a33 3220 726f 6f74 3a20 7465 7374 696e
        0x0020:  6734
        0x0000:  0030 6e4a 3244 0030 6e4b 2637 0800 4500  .0nJ2D.0nK&7..E.
        0x0010:  003e 9936 4000 4011 3c2a 10b5 a1f0 10b5  .>.6@.@.<*......
        0x0020:  a1f4 e03b 0202 002a a86e 3c31 333e 4a61  ...;...*.n<13>Ja
        0x0030:  6e20 2039 2031 313a 3535 3a33 3220 726f  n..9.11:55:32.ro
        0x0040:  6f74 3a20 7465 7374 696e 6734            ot:.testing4

When I change keep_hostname(yes) to keep_hostname(no) and add the chain_hostnames(yes) option I get the following logged.

Jan 9 11:55:22 node01/node01 root: testing3
Jan 9 11:57:13 above/node01 message repeats 6 times
Jan 9 11:57:13 node01/node01 root: testing8

I would say, syslog-ng is confusing 'above' as the hostname before rewriting hostname. The tcpdump output for these logs is:

11:59:06.362374 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39223, offset 0, flags [DF], proto UDP (17), length 62)
    node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 34
        Facility user (1), Severity notice (5)
        Msg: Jan 9 11:55:22 root: testing3
        0x0000:  3c31 333e 4a61 6e20 2039 2031 313a 3535
        0x0010:  3a32 3220 726f 6f74 3a20 7465 7374 696e
        0x0020:  6733
        0x0000:  0030 6e4a 3244 0030 6e4b 2637 0800 4500  .0nJ2D.0nK&7..E.
        0x0010:  003e 9937 4000 4011 3c29 10b5 a1f0 10b5  .>.7@.@.<)......
        0x0020:  a1f4 e03b 0202 002a a870 3c31 333e 4a61  ...;...*.p<13>Ja
        0x0030:  6e20 2039 2031 313a 3535 3a32 3220 726f  n..9.11:55:22.ro
        0x0040:  6f74 3a20 7465 7374 696e 6733            ot:.testing3
11:59:06.364052 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 64, id 39224, offset 0, flags [DF], proto UDP (17), length 78)
    node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 50
        Facility user (1), Severity notice (5)
        Msg: Jan 9 11:57:13 above message repeats 6 times
        0x0000:  3c31 333e 4a61 6e20 2039 2031 313a 3537
        0x0010:  3a31 3320 2061 626f 7665 206d 6573 7361
        0x0020:  6765 2072 6570 6561 7473 2036 2074 696d
        0x0030:  6573
        0x0000:  0030 6e4a 3244 0030 6e4b 2637 0800 4500  .0nJ2D.0nK&7..E.
        0x0010:  004e 9938 4000 4011 3c18 10b5 a1f0 10b5  .N.8@.@.<.......
        0x0020:  a1f4 e03b 0202 003a b2af 3c31 333e 4a61  ...;...:..<13>Ja
        0x0030:  6e20 2039 2031 313a 3537 3a31 3320 2061  n..9.11:57:13..a
        0x0040:  626f 7665 206d 6573 7361 6765 2072 6570  bove.message.rep
        0x0050:  6561 7473 2036 2074 696d 6573            eats.6.times
11:59:06.364302 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39225, offset 0, flags [DF], proto UDP (17), length 62)
    node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 34
        Facility user (1), Severity notice (5)
        Msg: Jan 9 11:57:13 root: testing8
        0x0000:  3c31 333e 4a61 6e20 2039 2031 313a 3537
        0x0010:  3a31 3320 726f 6f74 3a20 7465 7374 696e
        0x0020:  6738
        0x0000:  0030 6e4a 3244 0030 6e4b 2637 0800 4500  .0nJ2D.0nK&7..E.
        0x0010:  003e 9939 4000 4011 3c27 10b5 a1f0 10b5  .>.9@.@.<'......
        0x0020:  a1f4 e03b 0202 002a a76a 3c31 333e 4a61  ...;...*.j<13>Ja
        0x0030:  6e20 2039 2031 313a 3537 3a31 3320 726f  n..9.11:57:13.ro
        0x0040:  6f74 3a20 7465 7374 696e 6738            ot:.testing8

Is this a bug on how syslogd sends the message or is it a syslog-ng logging problem?

Thanks,
Manu

P.S: Apologies for the long mail
Hi,

> I am running syslog-ng on a HP-UX server listening on UDP port 514. It is receiving logs from syslogd running on another server. For some messages syslog-ng does not log the hostname information found in the UDP packet. Rather, it mistakes some data in UDP as the hostname information.

Traditional syslogd doesn't send hostname, as clearly visible in the tcpdump output you sent...

> Here is the complete information.
>
> syslog-ng 2.0.9 on HP-UX. Syslogd on node01 sends logs to syslog-ng on node02.
>
> The logs in node02 are,
>
> Jan 9 11:55:11 node01 root: testing1
> Jan 9 11:55:32 above message repeats 5 times
> Jan 9 11:55:32 node01 root: testing4
>
> Notice that hostname is missing in the second message. tcpdump on UDP port 514 for the above logs:
>
> 11:57:26.183996 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39220, offset 0, flags [DF], proto UDP (17), length 62)
>     node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 34
>         Facility user (1), Severity notice (5)
>         Msg: Jan 9 11:55:11 root: testing1
>         0x0000:  3c31 333e 4a61 6e20 2039 2031 313a 3535
>         0x0010:  3a31 3120 726f 6f74 3a20 7465 7374 696e
>         0x0020:  6731
>         0x0000:  0030 6e4a 3244 0030 6e4b 2637 0800 4500  .0nJ2D.0nK&7..E.
>         0x0010:  003e 9934 4000 4011 3c2c 10b5 a1f0 10b5  .>.4@.@.<,......
>         0x0020:  a1f4 e03b 0202 002a a973 3c31 333e 4a61  ...;...*.s<13>Ja
>         0x0030:  6e20 2039 2031 313a 3535 3a31 3120 726f  n..9.11:55:11.ro
>         0x0040:  6f74 3a20 7465 7374 696e 6731            ot:.testing1

[ cut ]

> Is this a bug on how syslogd sends the message or is it a syslog-ng logging problem?

To fix it, either install an RFC 3164-compliant syslog daemon on the HP boxes, or use syslog-ng's bad_hostname() option. You can specify a regexp like "^above", so when syslog-ng parses the log and the regexp does match then syslog-ng will skip hostname parsing.

Regards,

Sandor

--------------------------------------------------------
NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.
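The parse ambiguity Sandor describes, as an added example that is not part of the thread and not syslog-ng's own parser: a small Python model of how a BSD-syslog (RFC 3164) receiver has to guess whether the word after the timestamp is a HOSTNAME or already the start of the message, fed with the payloads decoded from the first three tcpdump dumps above. It reproduces the three behaviours seen in this thread (keep_hostname(yes), keep_hostname(no) plus chain_hostnames(yes), and a bad_hostname("^above") veto). The tag heuristic (a word ending in ':' or containing '[' is a program tag, anything else is a hostname) and the "parsed/source" chain format are simplifying assumptions chosen to match the observed output, not a description of syslog-ng 2.0.9 internals.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# BSD syslog header: <PRI>, then "Mmm dd hh:mm:ss" with a space-padded day
# ("Jan  9"), then whatever the sender put after the timestamp.
HEADER = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)(?P<rest>.*)$",
    re.S,
)


@dataclass
class Parsed:
    facility: int
    severity: int
    timestamp: str
    host: str                       # what "$DATE $HOST $MSG" prints as $HOST
    message: str                    # ... and as $MSG
    host_in_packet: Optional[str]   # the word taken as HOSTNAME, if any


def parse_bsd(payload: bytes, source_host: str,
              bad_hostname: Optional[str] = None,
              keep_hostname: bool = True,
              chain_hostnames: bool = False) -> Parsed:
    """Model of an RFC 3164 receiver's hostname guess (assumption: a
    simplified heuristic, not syslog-ng's actual parser).

    source_host: the name the receiver resolved from the UDP source address.
    bad_hostname: regexp playing the role of syslog-ng's bad_hostname()
    option; a word matching it is never accepted as a hostname.
    """
    m = HEADER.match(payload)
    if not m:
        raise ValueError("not a BSD syslog message: %r" % payload)
    pri = int(m["pri"])
    timestamp = m["ts"].decode("ascii")
    rest = m["rest"].lstrip(b" ").decode("ascii", "replace")
    word, _, tail = rest.partition(" ")

    # The ambiguity: a word ending in ':' or carrying "[pid]" is clearly a TAG
    # ("root:", "sshd[123]:"), i.e. the sender omitted the hostname. Any other
    # bare word is taken as the hostname unless bad_hostname vetoes it, and
    # "above message repeats N times" starts with exactly such a bare word.
    looks_like_tag = word.endswith(":") or "[" in word
    vetoed = bad_hostname is not None and re.search(bad_hostname, word) is not None
    if not word or looks_like_tag or vetoed:
        host_in_packet, message = None, rest
    else:
        host_in_packet, message = word, tail

    parsed = host_in_packet or source_host
    if keep_hostname:
        host = parsed                              # keep_hostname(yes)
    elif chain_hostnames:
        host = "%s/%s" % (parsed, source_host)     # models the "above/node01" output
    else:
        host = source_host                         # keep_hostname(no)
    return Parsed(pri >> 3, pri & 7, timestamp, host, message, host_in_packet)


def render(p: Parsed) -> str:
    """Equivalent of the default "$DATE $HOST $MSG" file template."""
    return "%s %s %s" % (p.timestamp, p.host, p.message)


def replay(packets: List[Tuple[bytes, str]], **options) -> List[str]:
    """Run every captured (payload, resolved sender) pair through parse_bsd."""
    return [render(parse_bsd(payload, src, **options)) for payload, src in packets]


# Constructed sample input: the UDP payloads decoded from the first three
# tcpdump hex dumps in this thread, paired with the sender name the receiver
# resolves from the source IP.
PACKETS = [
    (b"<13>Jan  9 11:55:11 root: testing1", "node01"),
    (b"<13>Jan  9 11:55:32  above message repeats 5 times", "node01"),
    (b"<13>Jan  9 11:55:32 root: testing4", "node01"),
]

if __name__ == "__main__":
    for title, opts in [
        ("keep_hostname(yes), as in the original config", {}),
        ("keep_hostname(no) chain_hostnames(yes)", {"keep_hostname": False, "chain_hostnames": True}),
        ('bad_hostname("^above")', {"bad_hostname": "^above"}),
    ]:
        print(title + ":")
        for line in replay(PACKETS, **opts):
            print("  " + line)
```

In a real syslog-ng configuration the veto is the global option `options { bad_hostname("^above"); };`, as Sandor suggests. Two caveats a practitioner should keep in mind: with keep_hostname(yes) the $HOST field is taken from a word chosen by the sender, so any host that can reach the UDP listener can label its messages with any hostname it likes; and keep_hostname(no) only moves the trust to the UDP source address, which is itself unauthenticated and spoofable. Neither setting turns $HOST into a reliable indicator of origin; that needs TCP/TLS transport or a separately verified source.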
On Fri, 2009-01-09 at 07:02 +0000, Geller, Sandor (IT) wrote:
> Hi,
>
> > I am running syslog-ng on a HP-UX server listening on UDP port 514. It is receiving logs from syslogd running on another server. For some messages syslog-ng does not log the hostname information found in the UDP packet. Rather, it mistakes some data in UDP as the hostname information.
>
> Traditional syslogd doesn't send hostname, as clearly visible in the tcpdump output you sent...
>
> > Here is the complete information.
> >
> > syslog-ng 2.0.9 on HP-UX. Syslogd on node01 sends logs to syslog-ng on node02.
> >
> > The logs in node02 are,
> >
> > Jan 9 11:55:11 node01 root: testing1
> > Jan 9 11:55:32 above message repeats 5 times
> > Jan 9 11:55:32 node01 root: testing4
> >
> > Notice that hostname is missing in the second message. tcpdump on UDP port 514 for the above logs:
> >
> > 11:57:26.183996 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39220, offset 0, flags [DF], proto UDP (17), length 62)
> >     node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 34
> >         Facility user (1), Severity notice (5)
> >         Msg: Jan 9 11:55:11 root: testing1
> >         0x0000:  3c31 333e 4a61 6e20 2039 2031 313a 3535
> >         0x0010:  3a31 3120 726f 6f74 3a20 7465 7374 696e
> >         0x0020:  6731
> >         0x0000:  0030 6e4a 3244 0030 6e4b 2637 0800 4500  .0nJ2D.0nK&7..E.
> >         0x0010:  003e 9934 4000 4011 3c2c 10b5 a1f0 10b5  .>.4@.@.<,......
> >         0x0020:  a1f4 e03b 0202 002a a973 3c31 333e 4a61  ...;...*.s<13>Ja
> >         0x0030:  6e20 2039 2031 313a 3535 3a31 3120 726f  n..9.11:55:11.ro
> >         0x0040:  6f74 3a20 7465 7374 696e 6731            ot:.testing1
>
> [ cut ]
>
> > Is this a bug on how syslogd sends the message or is it a syslog-ng logging problem?
>
> To fix it, either install an RFC 3164-compliant syslog daemon on the HP boxes, or use syslog-ng's bad_hostname() option. You can specify a regexp like "^above", so when syslog-ng parses the log and the regexp does match then syslog-ng will skip hostname parsing.

The bigger problem is that _some_ syslogds send hostname, others don't. And this can happen on the _same_ listener. bad_hostname() is one option, but this could probably also be resolved using the rewrite features of syslog-ng 3.0.

--
Bazsi
participants (3)
- Balazs Scheidler
- D S, Manu (STSD)
- Geller, Sandor (IT)