Losing Original Information from Forwarded syslog Messages
We are using syslog-ng on an AIX system as the collection point for a large network of IBM, Sun, and "communication device" systems. In addition to logging the received messages, syslog-ng forwards all messages on to named pipes which are monitored by a daemon whose task it is to "real-time" watch for "configurable" activity (e.g. "connection refused" messages from a single external system occurring on several of our systems, etc.). All of this is working just fine.

We have one Sun server which acts as the focus for messages from our CISCO routers. That server forwards its messages on to our central syslog-ng server. We now want to watch for failure condition messages from those communication devices, making use of the daemon already in place. What we're faced with though is the stripping of the original source detail when the Sun box's syslogd forwards the message.

As an example of what we're facing, please see below the source substitution performed by syslogd on the forward.

The original message (obviously with a bogus hostname) as logged on the Sun server is:

Sep 11 09:42:01 dddd.ddd.ddd.ddd 2939: Sep 11 09:41:59 EDT: %LINK-4-ERROR: FastEthernet0/7 is experiencing errors

While that received by syslog-ng on the AIX system is:

Sep 11 09:40:57 ssss.sss.sss.sss 2939: Sep 11 09:41:59 EDT: %LINK-4-ERROR: FastEthernet0/7 is experiencing errors

My question is this: Is there a way to configure syslogd or syslog-ng so that the entire original message is forwarded?

Thanks in advance!

John
---
John A. Parker
Senior Programmer/Analyst - AIX
Cornell University
jap54@cornell.edu
607-255-9356
607-255-8521 (Fax)
On Mon, Sep 11, 2000 at 10:10:00AM -0400, John A. Parker wrote:
We are using syslog-ng on an AIX system as the collection point for a large network of IBM, Sun, and "communication device" systems. In addition to logging the received messages, syslog-ng forwards all messages on to named pipes which are monitored by a daemon whose task it is to "real-time" watch for "configurable" activity (e.g. "connection refused" messages from a single external system occurring on several of our systems, etc.). All of this is working just fine.
We have one Sun server which acts as the focus for messages from our CISCO routers. That server forwards its messages on to our central syslog-ng server. We now want to watch for failure condition messages from those communication devices, making use of the daemon already in place. What we're faced with though is the stripping of the original source detail when the Sun box's syslogd forwards the message.
As an example of what we're facing, please see below the source substitution performed by syslogd on the forward.
The original message (obviously with a bogus hostname) as logged on the Sun server is:
Sep 11 09:42:01 dddd.ddd.ddd.ddd 2939: Sep 11 09:41:59 EDT: %LINK-4-ERROR: FastEthernet0/7 is experiencing errors
While that received by syslog-ng on the AIX system is:
Sep 11 09:40:57 ssss.sss.sss.sss 2939: Sep 11 09:41:59 EDT: %LINK-4-ERROR: FastEthernet0/7 is experiencing errors
My question is this: Is there a way to configure syslogd or syslog-ng so that the entire original message is forwarded?
Enable the chain_hostnames option in syslog-ng. It'll change the log format, but information is not lost. Alternatively you could use the keep_hostname() option, in which case hostnames are not touched by syslog-ng.

options { keep_hostname(yes); };

or

options { chain_hostnames(yes); };

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
participants (2)
-
Balazs Scheidler
-
John A. Parker