re-writing hostnames before sending over TCP
I am trying to configure a semi-secure syslog setup. The primary program that will be logging to it is Java via log4j. log4j apparently cannot log to a socket with syslog (as far as I can tell?), only to a UDP source, so I configured syslog-ng to bind to 127.0.0.1 on port 514 tcp/udp and it receives the messages fine, but the 'host' that is being logged is localhost. I can re-write the log entries using a template for local files, but I can't seem to get it working for sending to a remote syslog server. No matter what options I use it always ends up either localhost or 127.0.0.1 for the hostname.

One thing I haven't tried is setting up a filter on the remote server using the host() option, but I don't think it would work because the host there would be localhost too, not the host of the server sending the message? Is there a way to get syslog-ng to ignore the hostname that's in the message itself and use the hostname/IP of the system that is actually sending the message? Or is there another way to accomplish this while keeping syslog-ng bound to the loopback interface?

On the local server I also have syslog-ng logging everything to a file, and without using the template all log entries from log4j also appear as being from the host 'localhost'. I suppose I could have log4j log directly to the remote server, but I would rather use the local one as a buffer in case there is a network problem or something.

Using syslog-ng 1.5.26 (on both systems). If I need to upgrade I could.. thanks!

nate
Quote nate <syslog-ng@aphroland.org>:
|
| I am trying to configure a semi-secure syslog setup. The primary
| program that will be logging to it is Java via log4j. log4j apparently
| cannot log to a socket with syslog (as far as I can tell?), only to
| a UDP source, so I configured syslog-ng to bind to 127.0.0.1 on
| port 514 tcp/udp and it receives the messages fine, but the 'host'
| that is being logged is localhost. I can re-write the log entries
| using a template for local files, but I can't seem to get it working
| for sending to a remote syslog server. No matter what options I
| use it always ends up either localhost or 127.0.0.1 for the hostname.
| One thing I haven't tried is setting up a filter on the remote server
| using the host() option, but I don't think it would work because the
| host there would be localhost too, not the host of the server sending
| the message?

As far as I know, log4j doesn't provide a hostname in the messages it sends (that is, except if you change the conversion pattern of the log4j syslog appender). I believe that syslog-ng, when no hostname is provided in the message itself, creates a hostname by re(ver)solving the IP. Perhaps 127.0.0.1 (source IP of the message) is just resolving back to plain 'localhost' and this is what your syslog-ng logs. In this case you could just tweak your /etc/hosts to make 127.0.0.1 resolve back to the hostname you want instead of localhost.

Otherwise, you may try to adapt the conversion pattern of the log4j syslog appender to include the hostname, but you may end up in a situation where you have to write some Java code to generate the conversion pattern (there is no %"something" that gives the hostname...).

-Thomas
Thomas Morin said:
| I believe that syslog-ng, when no hostname is provided in the message itself, creates a hostname by re(ver)solving the IP. Perhaps 127.0.0.1 (source IP of the message) is just resolving back to plain 'localhost' and this is what your syslog-ng logs. In this case you could just tweak your /etc/hosts to make 127.0.0.1 resolve back to the hostname you want instead of localhost.
| Otherwise, you may try to adapt the conversion pattern of the log4j syslog appender to include the hostname, but you may end up in a situation where you have to write some Java code to generate the conversion pattern (there is no %"something" that gives the hostname...).
thanks! yep, that seemed to work (changing /etc/hosts), I thought about it yesterday but didn't try it.. but it looks like the log4j stuff isn't good enough, it's not obeying the configuration 100%, which makes it very difficult to filter (I set it to log to facility local6 but a bunch of stuff still comes through using the facility user; also I am having it prepend some text for filtering further, but that prepend doesn't occur on all entries), so it looks like I won't be able to use syslog for log4j. Was worth a shot at least, had high hopes! thanks again for the quick response

nate
Quote nate <syslog-ng@aphroland.org>:
|
| thanks! yep, that seemed to work (changing /etc/hosts), I thought about it
| yesterday but didn't try it.. but it looks like the log4j stuff isn't good
| enough, it's not obeying the configuration 100%, which makes it very
| difficult
| to filter (I set it to log to facility local6 but a bunch of stuff still
| comes
| through using the facility user; also I am having it prepend some text
| for filtering further, but that prepend doesn't occur on all entries),
| so it looks like I won't be able to use syslog for log4j. Was worth a shot
| at least, had high hopes! thanks again for the quick response

Well, what happens is that log4j uses the conversion pattern for the main part of a message, but doesn't use it for appending the information related to a throwable (Java exception) given with the log message. I guess that this is what is happening to you.

Where I work, we have adapted the SyslogAppender (inheriting from it, with an adapted append method that adds a NULL char at the end of the messages, to work around a bug in syslog-ng); you could very well adapt it also to prepend something to the messages.

-Thomas
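The two mechanisms the thread turns on, the receiver falling back to a reverse lookup of the sender's IP when the datagram carries no hostname (Thomas's first reply) and a facility/prefix filter that drops the entries log4j emits without the conversion pattern (nate's second post), as an added example written for this page. It is not syslog-ng or log4j code. The reverse lookup is a constructed dict standing in for /etc/hosts so the script runs offline, the sample datagrams are constructed, and the "APP " prefix and the hostname "appserver1" are assumed values.

```python
import re
from typing import Dict, Optional

# Constructed stand-in for the receiver's reverse lookup of the sender's IP
# (a real receiver asks the resolver, which consults /etc/hosts or DNS).
# Assumption: 127.0.0.1 reverse-resolves to "localhost" unless overridden.
DEFAULT_HOSTS: Dict[str, str] = {"127.0.0.1": "localhost"}

# Syslog facility codes 0..23; PRI = facility * 8 + severity.
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# RFC 3164 TIMESTAMP "Mmm dd hh:mm:ss" plus a trailing space; the day is space-padded.
_TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")


def parse_syslog(raw: str, source_ip: str,
                 hosts: Optional[Dict[str, str]] = None) -> dict:
    """Decode PRI and decide the HOST field of one BSD-syslog datagram.

    With a full RFC 3164 header (timestamp then hostname) the hostname in the
    message wins.  With a bare "<PRI>message", which is what the thread says
    log4j's SyslogAppender sends, the host comes from a reverse lookup of the
    source IP, so a loopback sender is recorded as whatever 127.0.0.1 maps to.
    """
    hosts = DEFAULT_HOSTS if hosts is None else hosts
    raw = raw.rstrip("\x00")  # tolerate a trailing NUL terminator from the sender
    m = _PRI_RE.match(raw)
    if m is None:
        raise ValueError("message does not start with <PRI>")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    rest = m.group(2)
    facility = FACILITY_NAMES[pri >> 3]
    severity = pri & 7

    if _TS_RE.match(rest):
        timestamp = rest[:15]
        host, _, msg = rest[16:].partition(" ")
        host_from = "message"
    else:
        timestamp = None
        host = hosts.get(source_ip, source_ip)
        host_from = "reverse-lookup"
        msg = rest

    return {
        "pri": pri, "facility": facility, "severity": severity,
        "timestamp": timestamp, "host": host, "host_from": host_from, "msg": msg,
    }


def should_forward(entry: dict, facility: str = "local6", prefix: str = "APP ") -> bool:
    """Relay-side filter of the kind nate describes: keep only the wanted
    facility and a known prefix.  Lines emitted without the conversion pattern
    (the throwable text Thomas mentions) lack the prefix and are dropped."""
    return entry["facility"] == facility and entry["msg"].startswith(prefix)


if __name__ == "__main__":
    # Constructed sample datagrams: two log4j-style ones (no header) and one
    # full RFC 3164 line from a different sender.
    samples = [
        ("<182>APP MyService started", "127.0.0.1"),
        ("<182>\tat com.example.Foo.bar(Foo.java:42)\x00", "127.0.0.1"),
        ("<13>Oct  5 12:00:01 webhost sshd[123]: Accepted publickey", "10.0.0.5"),
    ]
    fixed_hosts = {"127.0.0.1": "appserver1"}  # the /etc/hosts tweak from the thread
    for raw, ip in samples:
        before = parse_syslog(raw, ip)
        after = parse_syslog(raw, ip, hosts=fixed_hosts)
        print(f"{before['facility']:7} host {before['host']!r} -> {after['host']!r} "
              f"({before['host_from']}) forward={should_forward(before)}")
```

Running it shows the first two datagrams recorded as `localhost` with the default table and as `appserver1` once 127.0.0.1 maps to that name, while the third keeps `webhost` from its own header regardless of the table; the stack-trace line is the one `should_forward` drops.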
participants (2): nate, Thomas Morin