[syslog-ng]Hostname determination and AIX

John_Delisle@ceridian.ca John_Delisle@ceridian.ca
Wed, 21 Mar 2001 16:28:38 -0600


I've run into the same irritating problem with IBM's non-standard syslogd.
If anyone has any ideas, please forward them to me also.

John Delisle
Corporate Technology
Ceridian Canada Ltd
204-975-5909


                                                                                                                            
                    Jon Marks                                                                                               
                    <j-marks@uiuc.edu>            To:     syslog-ng@lists.balabit.hu                                        
                    Sent by:                      cc:                                                                       
                    syslog-ng-admin@lists.        Subject:     [syslog-ng]Hostname determination and AIX                    
                    balabit.hu                                                                                              
                                                                                                                            
                                                                                                                            
                    2001/03/21 03:44 PM                                                                                     
                    Please respond to                                                                                       
                    syslog-ng                                                                                               
                                                                                                                            
                                                                                                                            




Hello,

I saw this issue arose previously in the mailing list, but I'm not sure
what the resolution was.

I'm running syslog-ng 1.4.11 on AIX 4.3.3. This machine is meant
to be a loghost for a number of different kinds of systems including
other AIX boxes. I'd like to organize messages into a directory
structure on a per-host basis (a typical syslog-ng use, I assume).
The trouble is that the hostname is improperly interpreted upon receipt
of messages from other AIX machines. Thus, strange output files appear.
The following is a sample of my syslog-ng.conf:

######################################################################
source s_ccso {
        unix-dgram("/dev/log");
        udp(ip(0.0.0.0) port(514));
        internal();
};

destination d_psg_connections {
        file("/services/syslog/systems/$HOST/connections-$YEAR$MONTH$DAY"
             owner(psg) group(psg) perm(0600) dir_perm(0755)
create_dirs(yes));
};

filter f_psg_connections {
        facility(local3) and level(info);
};


log { source(s_ccso); filter(f_psg_connections);
           destination(d_psg_connections);
};
######################################################################

Using a test program, I generate a bunch of messages on a remote AIX
client host that end up looking like this (at LOCAL3.INFO) in the
*remote client* log:

Mar 21 15:06:44 vader TEST[4234]: (0) TEST MESSAGE (0)
Mar 21 15:06:44 vader TEST[4234]: (1) TEST MESSAGE (1)
Mar 21 15:06:44 vader TEST[4234]: (2) TEST MESSAGE (2)
Mar 21 15:06:44 vader TEST[4234]: (3) TEST MESSAGE (3)
Mar 21 15:06:44 vader TEST[4234]: (4) TEST MESSAGE (4)
Mar 21 15:06:44 vader TEST[4234]: (5) TEST MESSAGE (5)
Mar 21 15:06:44 vader TEST[4234]: (6) TEST MESSAGE (6)
Mar 21 15:06:44 vader TEST[4234]: (7) TEST MESSAGE (7)
Mar 21 15:06:44 vader TEST[4234]: (8) TEST MESSAGE (8)
Mar 21 15:06:44 vader TEST[4234]: (9) TEST MESSAGE (9)
Mar 21 15:06:44 vader TEST[4234]: REPS: 10 Time: 0 s 1 ms 886 us

The remote host (vader) sends these to the loghost, as well; but rewrites
them since that's what AIX's syslogd does. They land in the following
location on the loghost:

/services/syslog/systems/From/connections-20010321
                         ^^^^

Note the incorrect hostname. This is what they look like inside that
particular log:

Mar 21 15:06:44 From/vader vader: TEST[4234]: (0) TEST MESSAGE (0)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (1) TEST MESSAGE (1)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (2) TEST MESSAGE (2)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (3) TEST MESSAGE (3)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (4) TEST MESSAGE (4)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (5) TEST MESSAGE (5)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (6) TEST MESSAGE (6)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (7) TEST MESSAGE (7)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (8) TEST MESSAGE (8)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (9) TEST MESSAGE (9)
Mar 21 15:06:44 From/vader vader: TEST[4234]: REPS: 10 Time: 0 s 1 ms 886
us
                ^^^^

Notice how the word "From" squeezes its way into the hostname. This is
what the log would have looked like if done by AIX's native syslogd:

Mar 21 15:19:39 vader From vader: TEST[4248]: (0) TEST MESSAGE (0)
Mar 21 15:19:39 vader From vader: TEST[4248]: (2) TEST MESSAGE (2)
Mar 21 15:19:39 vader From vader: TEST[4248]: (1) TEST MESSAGE (1)
Mar 21 15:19:39 vader From vader: TEST[4248]: (3) TEST MESSAGE (3)
Mar 21 15:19:39 vader From vader: TEST[4248]: (4) TEST MESSAGE (4)
Mar 21 15:19:39 vader From vader: TEST[4248]: (5) TEST MESSAGE (5)
Mar 21 15:19:39 vader From vader: TEST[4248]: (6) TEST MESSAGE (6)
Mar 21 15:19:39 vader From vader: TEST[4248]: (7) TEST MESSAGE (7)
Mar 21 15:19:39 vader From vader: TEST[4248]: (8) TEST MESSAGE (8)
Mar 21 15:19:39 vader From vader: TEST[4248]: (9) TEST MESSAGE (9)
Mar 21 15:19:39 vader From vader: TEST[4248]: REPS: 10 Time: 0 s 1 ms 923
us

So the "From" comes out of what AIX's syslogd sends to the loghost when
it forwards its own messags. This particular format is what you get when
you run AIX's syslogd with the '-s' command-line option; normally it's
even more obnoxious (I learned this on this mailing list). This more
verbose, obnoxious output causes the same problem. I'll use it to make
another quick example of the problem. This is from the same AIX client
running native syslogd without '-s':

On the client (remote host):

Mar 21 15:30:28 vader TEST[4270]: (1) TEST MESSAGE (1)
Mar 21 15:30:28 vader TEST[4270]: (2) TEST MESSAGE (2)

On the loghost (running AIX's syslogd):

Mar 21 15:30:28 vader Message forwarded from vader: TEST[4270]: (0) TEST
MESSAGE (0)
Mar 21 15:30:28 vader Message forwarded from vader: TEST[4270]: (1) TEST
MESSAGE (1)

A similar example, on the loghost running syslog-ng (these are mistakenly
located in /services/syslog/systems/Message/connections-20010321):
                         ^^^^^^^

Mar 21 15:34:33 Message/vader forwarded from vader: TEST[4282]: (0) TEST
MESSAGE (0)
Mar 21 15:34:33 Message/vader forwarded from vader: TEST[4282]: (1) TEST
MESSAGE (1)
                ^^^^^^^

Notice both AIX's obnoxious message prefix string and how syslog-ng handles
it when interpreting the hostname.

This server will be hosting logs for lots of people's machines; I can't
mandate that everybody uses syslog-ng. Some people are going to run AIX
boxes and so I'll have to put up with these kinds of messages. Is there
anything syslog-ng can do? Is this addressed in the development version?
Thanks for your help!

--
Jonathan Marks

Systems Administrator, Production Systems Group
Computing and Communication Services Office
University of Illinois at Urbana-Champaign



_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng