[syslog-ng] Losing Original Information from Forwarded syslog Messages

Balazs Scheidler bazsi@balabit.hu
Tue, 12 Sep 2000 10:47:40 +0200


On Mon, Sep 11, 2000 at 10:10:00AM -0400, John A. Parker wrote:
> We are using syslog-ng on an AIX system as the collection point for a large 
> network of IBM, Sun, and "communication device" systems. In addition to 
> logging the received messages, syslog-ng forwards all messages on to named 
> pipes which are monitored by a daemon whose task it is to "real-time" watch 
> for "configurable" activity. (e.g.: "connection refused" messages from a 
> single external system occurring on multiple of our systems, etc.) All of 
> this is working just fine.
> 
> We have one Sun server which acts as the focus for messages from our CISCO 
> routers. That server forwards its messages on to our central syslog-ng 
> server. We now want to watch for failure condition messages from those 
> communication devices, making use of the daemon already in place. What 
> we're faced with though is the stripping of the original source detail when 
> the Sun box's syslogd forwards the message.
> 
> As an example of what we're facing, please see below the source substitution 
> performed by syslogd on the forward.
> 
>      The original message (obviously with a bogus hostname) as logged on 
> the Sun server is:
> 
>      Sep 11 09:42:01 dddd.ddd.ddd.ddd 2939: Sep 11 09:41:59 EDT: 
> %LINK-4-ERROR: FastEthernet0/7 is experiencing errors
> 
>      While that received by syslog-ng in the AIX system is:
> 
>      Sep 11 09:40:57 ssss.sss.sss.sss 2939: Sep 11 09:41:59 EDT: 
> %LINK-4-ERROR: FastEthernet0/7 is experiencing errors
> 
> 
> My question is this: Is there a way to configure syslogd or syslog-ng so 
> that the entire original message is forwarded?

Enable the chain_hostnames option in syslog-ng. It'll change the log format,
but information is not lost. Alternatively you could use the keep_hostname()
option, in which case hostnames are not touched by syslog-ng.

options { keep_hostname(yes); };

or 

options { chain_hostnames(yes); };

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
     url: http://www.balabit.hu/pgpkey.txt
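
Added example, not part of the original message or of the poster's configuration: a collector fragment that applies the keep_hostname() option from the reply and writes to a named pipe for a watching daemon, as in the question. The source and destination names, the UDP port, the pipe path and the template are assumptions, and the macros used ($ISODATE, $SOURCEIP, $HOST, $MSGHDR, $MSG) are those of a current syslog-ng release, not confirmed for the version discussed in this thread.

```conf
# Fragment to merge into the central collector's syslog-ng configuration.
# All object names, the port and the pipe path are constructed for this example.

options {
    keep_hostname(yes);       # hostnames in received messages are not touched
    # chain_hostnames(yes);   # alternative from the reply: chained hostname format
};

# Network source that receives the messages forwarded by the relay host.
source s_relayed {
    udp(ip(0.0.0.0) port(514));
};

# Named pipe read by the monitoring daemon.
# $HOST is the hostname carried in the received message; $SOURCEIP is the
# address the packet actually arrived from, so both reach the watcher.
destination d_watch_pipe {
    pipe("/var/run/syslog-watch.pipe"
         template("$ISODATE relay=$SOURCEIP host=$HOST $MSGHDR$MSG\n"));
};

log { source(s_relayed); destination(d_watch_pipe); };
```

With keep_hostname(yes) the host= value is whatever the sending system wrote into the message, which is why the template also records the packet's source address.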