[syslog-ng] Losing Original Information from Forwarded syslog Messages
John A. Parker
jap54@cornell.edu
Mon, 11 Sep 2000 10:10:00 -0400

We are using syslog-ng on an AIX system as the collection point for a large
network of IBM, Sun, and "communication device" systems. In addition to
logging the received messages, syslog-ng forwards all messages on to named
pipes which are monitored by a daemon whose task it is to "real-time" watch
for "configurable" activity. (e.g.: "connection refused" messages from a
single external system occurring on multiple of our systems, etc.) All of
this is working just fine.

We have one Sun server which acts as the focus for messages from our CISCO
routers. That server forwards its messages on to our central syslog-ng
server. We now want to watch for failure condition messages from those
communication devices, making use of the daemon already in place. What
we're faced with though is the stripping of the original source detail when
the Sun box's syslogd forwards the message.

As an example of what we're facing, please see below the source substitution
performed by syslogd on the forward.

The original message (obviously with a bogus hostname) as logged on
the Sun server is:

    Sep 11 09:42:01 dddd.ddd.ddd.ddd 2939: Sep 11 09:41:59 EDT: %LINK-4-ERROR: FastEthernet0/7 is experiencing errors

While that received by syslog-ng in the AIX system is:

    Sep 11 09:40:57 ssss.sss.sss.sss 2939: Sep 11 09:41:59 EDT: %LINK-4-ERROR: FastEthernet0/7 is experiencing errors

My question is this: Is there a way to configure syslogd or syslog-ng so
that the entire original message is forwarded?

Thanks in advance!

John

---
John A. Parker Senior Programmer/Analyst - AIX Cornell University
jap54@cornell.edu 607-255-9356 607-255-8521 (Fax)