[syslog-ng](no subject)(solaris hostnames wrongly discovered)

Noam Meltzer tsnoam@excite.com
Thu, 2 Jan 2003 03:11:42 -0500 (EST)




Here's the solution:
There's a parameter you can set in the configuration of the logserver itself:

keep_hostname()

it should be set to: "NO"


Some info about it:
In order to understand things better, I sniffed the syslog network traffic, to see what I can learn about the problem.
The main differences between syslog-ng and Solaris native syslog are:
1. It seems that syslog-ng terminates a single line of data with "\n" (like Balazs said).
Native Solaris syslog terminates the line with nothing.
2. Syslog-ng adds, in the beginning of the data line, the hostname which originated the log.
Solaris' native doesn't do that, and counts on the log-server to reverse-resolve the originating IP and get the host name.

Now (and this is only my assumption, I haven't got into syslog-ng sources), when there's a host which sends two separate packets of syslog data, which follow each other instantly, syslog-ng reverse-resolves the first packet, and gets the hostname correctly.
After that, it's supposed to cache the hostname from the earlier packet (according to the default value of keep_hostname(yes) ), and according to that to know the 2nd packet's originating host.
But, something goes wrong. Instead, syslog-ng tries to run some regexp or something of the kind on the data packet itself, and because there's no hostname written in the data, it finds some other word and decides that "THIS IS THE HOSTNAME!!!" (weepee!).

Setting "keep_hostname(no)" as I suggested overcomes this bug. (Or some other bug. The last paragraph is only my assumption of what's going on in there.)

Have a pleasant new year,
Noam


--- On Tue 12/31, Balazs Scheidler <bazsi@balabit.hu> wrote:
From: Balazs Scheidler [mailto: bazsi@balabit.hu]
To: syslog-ng@lists.balabit.hu
Date: Tue, 31 Dec 2002 09:07:46 +0100
Subject: Re: [syslog-ng](no subject)

On Mon, Dec 30, 2002 at 05:32:09PM -0500, Noam Meltzer wrote:
>
> I did a little experiment and tried sending logs from one native solaris syslog to another. It worked just fine (except the fact I can't  into hostnames...)
> I looked at the big  log "/var/adm/messages" (of two hosts) and saw that the "bad" logs were logged by  the native logger just fine, stating the originating host as it should be in the beginning of the line.
>
> I tried simulating this  using the command "logger" with no success.
>
> I suspect that   sends the data of each  packet, not  to lines as
> syslog-ng expects and this causes its mechanism to fail recognizing the
> originating host successfully.
>
> Did anyone encounter this problem? How did you solve it?

syslog-ng terminates messages at '\n' even in UDP packets unless you are
using a recent version of syslog-ng.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
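As an added illustration (not code from this thread or from syslog-ng itself), the Python below models the two message forms Noam describes and the effect of keep_hostname: with a naive "token after the timestamp is the host" guess, a Solaris-style datagram yields the program tag as the hostname, while keep_hostname(no) ignores the header and falls back to the reverse-resolved sender address. The sample datagrams, sender IP and DNS table are constructed, and the header-guess logic is a model of the behaviour the post suspects, not syslog-ng's actual parser.

```python
import re

# Constructed sample datagrams (not captured from the original thread).
# The first is what syslog-ng relays: the originating hostname follows the
# timestamp. The second is the Solaris native form the post describes: no
# hostname field at all, the program tag comes straight after the timestamp.
SYSLOG_NG_STYLE = "<13>Jan  2 03:11:42 sol1 sshd[2173]: Accepted publickey for root\n"
SOLARIS_NATIVE = "<13>Jan  2 03:11:42 sshd[2173]: Accepted publickey for root"

# Stand-in for reverse DNS on the log server (constructed).
REVERSE_DNS = {"10.1.2.3": "sol1"}

# BSD-syslog header: <PRI>Mmm dd hh:mm:ss <rest>
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$",
    re.S,
)

def header_hostname(msg):
    """Take the token after the timestamp as the hostname, whatever it is.
    This models the guess-from-the-data behaviour the post suspects."""
    m = HEADER.match(msg.rstrip("\n"))
    if not m:
        return None
    return m.group("rest").split(" ", 1)[0]

def looks_like_program_tag(token):
    """A program tag ends in ':' or carries a '[pid]'; a hostname never does."""
    return token.endswith(":") or "[" in token

def originating_host(msg, sender_ip, keep_hostname):
    """keep_hostname(yes): trust the header token.
    keep_hostname(no): ignore it and reverse-resolve the sender address."""
    if keep_hostname:
        return header_hostname(msg)
    return REVERSE_DNS.get(sender_ip, sender_ip)

def audit(msg, sender_ip, keep_hostname):
    """Return (hostname, warning): flag the case where keep_hostname(yes)
    would record a program tag as the host, so an operator can spot it."""
    host = originating_host(msg, sender_ip, keep_hostname)
    warn = keep_hostname and host is not None and looks_like_program_tag(host)
    return host, warn

if __name__ == "__main__":
    for msg in (SYSLOG_NG_STYLE, SOLARIS_NATIVE):
        for keep in (True, False):
            print(f"keep_hostname({'yes' if keep else 'no'}): {audit(msg, '10.1.2.3', keep)}")
```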

