[syslog-ng]Odd problem

Hamilton, Andrew Mr. HamiltonA@hq.5sigcmd.army.mil
Fri, 17 Nov 2000 11:27:17 +0100


I wish I could retract this since the solution was simple.  But since I
posted it I guess I should at least qualify this.  This turned out to be not
a problem with the syslog at all.  It was a problem with the person looking
at the logs who claimed there was a problem and at first glance I thought it
was a problem.  After doing more digging I found that the routers actually
send their log messages exactly as they appear in the log file.  The
three letter region specification on the front turns out to be an alias that
the network analysts were using.  Since I mostly do internal logging I
didn't have use_fqdn turned on and the only thing they were seeing was the
hostname, gw1, ts1, etc.  This is insufficient since we have over 1100
routers to maintain.  There are many gw1's and gw2's, etc.  As soon as I
turned on use_fqdn and started getting the domain name added on, which is
sufficient to identify the source, all is great from my perspective.  

Thanks for your time and sorry to bother everyone.

Drew

> -----Original Message-----
> From:	Hamilton, Andrew Mr. [SMTP:HamiltonA@hq.5sigcmd.army.mil]
> Sent:	Wednesday, November 15, 2000 3:06 PM
> To:	'syslog-ng@lists.balabit.hu'
> Subject:	[syslog-ng]Odd problem
> 
> I am getting something very strange in my syslogs.  This doesn't happen
> for every host but it appears that most of the hostnames are getting the
> front truncated.  Here is a sample of the logfile and my config file.  I am
> running syslog-ng 1.4.7.
> 
> Nov 15 13:57:03 gw1.hanau.army.mil 172593: Nov 15 13:57:18: %SEC-6-IPACCESSLOGP: list 196 permitted tcp 140.156.30.6(48879) -> 192.73.27.115(33658), 725 packets
> Nov 15 13:57:03 gw7.mannheim.army.mil 93065: Nov 15 13:57:18: %LANCE-5-LATECOLL: Unit 0, late collision error
> Nov 15 13:57:03 bggw.heidelberg.army.mil 3078332: Nov 15 13:57:18: %SEC-6-IPACCESSLOGP: list 191 denied tcp 64.4.16.24(80) -> 147.37.199.194(1509), 1 packet
> Nov 15 13:57:03 bggw.ansbach.army.mil 437279: Nov 15 13:57:18: %SEC-6-IPACCESSLOGP: list 193 denied udp 136.218.199.6(1704) -> 169.254.102.246(1112), 1 packet
> Nov 15 13:57:03 BGGW-ETHER0-1.STUTTGART.ARMY.MIL 1236689: 6w6d: %SEC-6-IPACCESSLOGP: list 192 permitted tcp 199.211.200.34(1488) -> 136.221.21.11(80), 6 packets
> 
> The hostname should have hnu-gw1.hanau.army.mil in the first one and
> likewise for the rest.  There is some 3 letter representation of the
> region on the front of the hostname.  Here is my config, partly anyway.
> 
> options { long_hostnames(yes); use_fqdn(yes); chain_hostnames(no); sync(0); keep_hostname(yes); create_dirs(yes); };
> source src { sun-streams("/dev/log" door("/etc/.syslog_door")); internal(); udp(); };
> 
> destination d_cisco { file("/logs/cisco/ciscologs"); };
> 
> destination d_reno   { udp("host.mydomain.mil"); };
> 
> filter f_cisco { facility(local7); };
> 
> log { source(src); filter(f_cisco); destination(d_cisco); destination(d_host); };
> 
> Seems to actually function fine but is truncating the front part.
> 
> Any ideas?
> 
> Regards,
> Drew
> 
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
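The thread's real lesson is that a bare hostname is not a usable source identifier when many routers share names like gw1. The following is an added example, not code from the post or from syslog-ng: it parses the Cisco ACL lines exactly as the logfile above records them and shows which short hostnames would collide once use_fqdn is turned off. The third sample line (a gw1 in Mannheim) is constructed to force such a collision.

```python
import re
from collections import defaultdict

# Cisco IOS syslog line as syslog-ng writes it: syslog-ng timestamp, the host
# syslog-ng recorded (the FQDN with use_fqdn(yes)), the router's own message
# sequence number, the router's timestamp or uptime, then %FAC-SEV-MNEMONIC.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<seq>\d+): (?P<router_ts>.+?): "
    r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<body>.*)$"
)
# Body of a SEC-6-IPACCESSLOGP message: ACL number, verdict, protocol, endpoints.
ACL_RE = re.compile(
    r"^list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<packets>\d+) packets?$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The name you would see with use_fqdn(no): only the first label.
    rec["short_host"] = rec["host"].split(".")[0].lower()
    rec["severity"] = int(rec["severity"])
    acl = ACL_RE.match(rec["body"])
    if acl:
        rec.update(acl.groupdict())
        rec["packets"] = int(rec["packets"])
    return rec

def ambiguous_short_hosts(lines):
    """Map short hostname -> set of FQDNs, keeping only names that collide."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        seen[rec["short_host"]].add(rec["host"].lower())
    return {name: fqdns for name, fqdns in seen.items() if len(fqdns) > 1}

# Constructed sample: two lines from the post plus an invented gw1 in Mannheim.
SAMPLE = [
    "Nov 15 13:57:03 gw1.hanau.army.mil 172593: Nov 15 13:57:18: %SEC-6-IPACCESSLOGP: list 196 permitted tcp 140.156.30.6(48879) -> 192.73.27.115(33658), 725 packets",
    "Nov 15 13:57:03 BGGW-ETHER0-1.STUTTGART.ARMY.MIL 1236689: 6w6d: %SEC-6-IPACCESSLOGP: list 192 permitted tcp 199.211.200.34(1488) -> 136.221.21.11(80), 6 packets",
    "Nov 15 13:57:04 gw1.mannheim.army.mil 93066: Nov 15 13:57:19: %SEC-6-IPACCESSLOGP: list 191 denied tcp 64.4.16.24(80) -> 147.37.199.194(1509), 1 packet",
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE):
        print(rec["host"], rec["mnemonic"], rec.get("action"), rec.get("src"), "->", rec.get("dst"))
    print("short names that map to more than one router:", ambiguous_short_hosts(SAMPLE))
```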