RE: [syslog-ng] Losing TAG information
I appreciate your sympathy but it does not help me with my TAG problem. :)

Anyone else have any idea how to stop syslog-ng from purging the TAG information from an AIX syslogd message? I have successfully sniffed syslog traffic between the AIX servers and my LOGHOST. The TAG (Process Name info) is definitely intact on the wire. This confirms that syslog-ng is simply parsing the log message and removing the TAG info.

I did some more tests on the Linux LOGHOST using the logger utility and I found that syslog-ng does not like spaces after the TAG information. For example:

1) logger -p syslog.info -t "TEST_TAG" "TEST_MESSAGE"

Generates the log:

Jun 19 08:42:38 loghost TEST_TAG: TEST_MESSAGE

2) logger -p syslog.info -t "TEST_TAG " "TEST_MESSAGE"

Generates the log:

Jun 19 08:44:08 loghost : TEST_MESSAGE

Example two lost the TAG information because of the space after TEST_TAG. I have considered the possibility that the messages being sent from the AIX box do not conform to syslog formatting standards and therefore syslog-ng discards the field. But I would like to know if there is anything that can be done to stop this behavior.

Thanks for all responses, even sympathetic ones. :)

Alex

-----Original Message-----
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
Sent: Tuesday, June 13, 2006 9:09 PM
To: SOLIS, ALEX
Subject: Re: [syslog-ng] Losing TAG information

On Tue, 13 Jun 2006 10:07:33 CDT, "SOLIS, ALEX" said:
(off-list reply)
I have about 20 or so AIX 4.3 servers that are sending syslog messages to a Linux desktop running syslog-ng 1.6.5.
You have my condolences. IBM dropped support for even AIX 4.3.3 several years ago - hopefully you're not having problems keeping the software running and secure...
All I can really add is that we have a mix of AIX 4.3.3 through 5.3 that are logging to a Linux syslog-ng 1.6.8 machine and we are not experiencing the symptoms that you describe. I have a couple of applications where the tag ends up being "syslog" when it should be something else, but that is quite a bit different than removing it entirely.

Evan.

SOLIS, ALEX wrote:
-- 
Evan Rempel                  erempel@uvic.ca
Senior Programmer Analyst    250.721.7691
Computing Services           University of Victoria
Are you running syslog-ng on the AIX host as well? I think you probably aren't. SRV4-type boxes leave out the hostname when sending syslogs over the wire, but leave the rest of the header intact:

http://www.campin.net/syslog-ng/syslog.html#missing_parts

This is highly confusing behavior, especially when there are spaces in the program name. This is why I requested and Bazsi created the "bad_hostname()" option.

Either put syslog-ng on the AIX boxes or use bad_hostname() on your syslog-ng loghost.

On Mon, Jun 19, 2006 at 09:21:05AM -0500, SOLIS, ALEX wrote:
-- 
Nate

I wonder why no company starts his manual with the words `We thank you for buying this piece of junk. We have done our best to make this junk as annoying as possible, and we assure that it will give you a headache for the next two months. However, if you feel satisfied with it, we will contact you for an expensive replacement.'
Thanks Nate! It seems that the bad_hostname option worked! I am going to monitor for a while to see if it has any negative effects but all preliminary investigations point to success.

I'm curious though, what exactly does the bad_hostname option do? You write in your post below that SRV4-type boxes leave out the hostname when sending syslogs over the wire. My packet captures have revealed that the hostnames are intact, except they have the string "Message forwarded from host" in front of it. Then a colon and then TAG information. Here is what my captured packet actually looked like:

0000  00 0d 60 b6 71 10 00 09 e8 b0 9e a1 08 00 45 00   ..`.q.........E.
0010  00 6e 75 f0 00 00 1d 11 a0 8d 0a 18 36 0a 0a 18   .nu.........6...
0020  3c c8 86 6a 02 02 00 5a a4 06 3c 31 31 3e 4a 75   <..j...Z..<11>Ju
0030  6e 20 31 33 20 31 34 3a 32 37 3a 35 30 20 4d 65   n 13 14:27:50 Me
0040  73 73 61 67 65 20 66 6f 72 77 61 72 64 65 64 20   ssage forwarded
0050  66 72 6f 6d 20 61 64 64 61 3a 20 74 65 73 74 69   from adda: testi
0060  6e 67 20 3a 20 54 65 73 74 69 6e 67 20 5e 3f 67   ng : Testing ^?g
0070  67 67 67 67 67 67 67 67 67 67 67 20               ggggggggggg

As you can see the hostname is there, just not alone. What goes on with this packet with the bad_hostname() option turned on as opposed to off?

Thanks.

Alex

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Nate Campi
Sent: Wednesday, June 21, 2006 7:55 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Losing TAG information
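The following is an added example, not code from the thread or from the syslog-ng project. It rebuilds the UDP payload from the packet dump Alex posted and runs it, together with his two logger test lines, through a deliberately simplified model of how a relay parses a BSD-syslog header. The model's heuristics (first bare word after the timestamp is taken as HOSTNAME unless it matches a bad_hostname() regex; with keep_hostname off the host is replaced by the sender's address; the TAG must end directly in ':' or '[') are my assumptions, chosen only because they reproduce the outputs reported in the thread; they are not syslog-ng's implementation. The frame layout (14-byte Ethernet, 20-byte IPv4, 8-byte UDP) and the sender address 10.24.54.10 are read from the dump itself.

```python
"""Added example (not from the thread or syslog-ng): decode Alex's capture and
model why the TAG disappears and what a bad_hostname()-style rule changes."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed input: the packet capture from the thread, in hex-dump form.
HEX_DUMP = """\
0000  00 0d 60 b6 71 10 00 09 e8 b0 9e a1 08 00 45 00   ..`.q.........E.
0010  00 6e 75 f0 00 00 1d 11 a0 8d 0a 18 36 0a 0a 18   .nu.........6...
0020  3c c8 86 6a 02 02 00 5a a4 06 3c 31 31 3e 4a 75   <..j...Z..<11>Ju
0030  6e 20 31 33 20 31 34 3a 32 37 3a 35 30 20 4d 65   n 13 14:27:50 Me
0040  73 73 61 67 65 20 66 6f 72 77 61 72 64 65 64 20   ssage forwarded
0050  66 72 6f 6d 20 61 64 64 61 3a 20 74 65 73 74 69   from adda: testi
0060  6e 67 20 3a 20 54 65 73 74 69 6e 67 20 5e 3f 67   ng : Testing ^?g
0070  67 67 67 67 67 67 67 67 67 67 67 20               ggggggggggg
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw frame bytes from 'offset  hh hh ...  ascii' lines.
    At most 16 hex pairs are read per line, so hex-looking fragments in the
    ASCII column (e.g. '13' in '14:27:50') are never taken as data."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:17]:
            if not re.fullmatch(r"[0-9a-f]{2}", tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def udp_syslog_payload(frame: bytes) -> Tuple[str, str]:
    """Return (sender_ip, payload_text) for an Ethernet/IPv4/UDP frame.
    Header sizes are taken from the frame (IHL nibble), not assumed."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    udp = 14 + (frame[14] & 0x0F) * 4          # start of the UDP header
    sender = ".".join(str(b) for b in frame[26:30])   # IPv4 source address
    if int.from_bytes(frame[udp + 2:udp + 4], "big") != 514:
        raise ValueError("destination port is not syslog/udp")
    udp_len = int.from_bytes(frame[udp + 4:udp + 6], "big")
    return sender, frame[udp + 8:udp + udp_len].decode("ascii")


@dataclass
class Parsed:
    pri: Optional[int]
    timestamp: Optional[str]
    host: str
    program: str
    msg: str


PRI_RE = re.compile(r"<(\d{1,3})>")
TIMESTAMP_RE = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
HOST_RE = re.compile(r"([^\s:\[]+) ")              # bare word, then a space
PROGRAM_RE = re.compile(r"([^\s:\[]+)(?=[:\[])")   # TAG ends in ':' or '['


def parse_header(payload: str, sender: str, bad_hostname: Optional[str] = None,
                 keep_hostname: bool = False) -> Parsed:
    """Modelled relay parse (assumption, not syslog-ng's code): the first bare
    word after the timestamp is the HOSTNAME unless it matches bad_hostname;
    with keep_hostname off the host is the sender anyway; a TAG followed by a
    space ('TEST_TAG :') is not recognised as a TAG at all."""
    rest, pri, ts, host = payload, None, None, sender
    if m := PRI_RE.match(rest):
        pri, rest = int(m.group(1)), rest[m.end():]
    if m := TIMESTAMP_RE.match(rest):
        ts, rest = m.group(0).rstrip(), rest[m.end():]
    m = HOST_RE.match(rest)
    if m and not (bad_hostname and re.search(bad_hostname, m.group(1))):
        rest = rest[m.end():]                  # word consumed as hostname
        if keep_hostname:
            host = m.group(1)
    m = PROGRAM_RE.match(rest)
    return Parsed(pri, ts, host, m.group(1) if m else "", rest)


def render(p: Parsed) -> str:
    """The '$DATE $HOST $MSG' line a plain file destination would write."""
    return f"{p.timestamp} {p.host} {p.msg}"


if __name__ == "__main__":
    sender, payload = udp_syslog_payload(hexdump_to_bytes(HEX_DUMP))
    print("AIX wire payload:", repr(payload))
    for bad in (None, "."):
        p = parse_header(payload, sender, bad_hostname=bad)
        print(f"bad_hostname={bad!r}: host={p.host!r} program={p.program!r}")
        print("   ", render(p))
    # Alex's two logger experiments: local messages carry no hostname field.
    for line in ("<46>Jun 19 08:42:38 TEST_TAG: TEST_MESSAGE",
                 "<46>Jun 19 08:44:08 TEST_TAG : TEST_MESSAGE"):
        print(render(parse_header(line, "loghost")))
```

Under this model the two findings in the thread are the same defect seen twice: the AIX syslogd puts "Message" where the relay expects a hostname and a space before the colon that ends the TAG ("testing : Testing"), so the word "Message" is swallowed as a bogus host and no program name is ever recognised. bad_hostname(".") stops the first half (nothing is accepted as an in-message hostname, so the full text survives in $MSG and the host comes from the peer address), but the program field stays empty because of the space. Anyone filtering or alerting on the program name at the loghost should check what that field actually contains for these sources rather than relying on the TAG text being visible in the message body. A narrower expression than "." would match only the literal word that lands in the hostname slot (for this capture, ^Message$); that is my suggestion based on the dump, not something the thread tested.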
On Thu, Jun 22, 2006 at 08:14:17AM -0500, SOLIS, ALEX wrote:
What did you actually put into bad_hostname()?

-- 
Nate

God does not play dice. -- Einstein
It expected a regex and I wasn't sure what to put so I used:

bad_hostname(".");

The logic here being that syslog-ng would apply the bad hostname rule to all syslog messages. It seems to work. Please correct me if I am using this incorrectly.

Alex

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Nate Campi
Sent: Thursday, June 22, 2006 12:41 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Losing TAG information

On Thu, Jun 22, 2006 at 08:14:17AM -0500, SOLIS, ALEX wrote:
participants (3)
- Evan Rempel
- Nate Campi
- SOLIS, ALEX