[syslog-ng]UDP messages logged with localhost

Bobby Johnson syslog-ng@lists.balabit.hu
Fri, 21 May 2004 11:04:43 -0600


The time difference could be the hardware clock or local system.  Is either syslog chrooted?  I had this problem with apache.  I needed to put something into the chrooted dir.  Some libraries or the date command?  I don't remember.

Bobby


On Thu, 20 May 2004 21:40:24 -0400
"Steven S." <ssurdock@engineered-net.com> wrote:

> OK, so let's try one problem at time;-)
> 
> When logging udp message the "host" tag is being listed as local host and
> the time is incorrect.  Here is a sample of two different syslog runs.  One
> with syslog-ng 1.6.4 and one with the native OpenBSD 3.5 syslogd.  The host
> "logger01" is the name of the localhost, not a reverse of 172.16.10.20.
> Also these runs were taken seconds apart yet the timestamps are 11 hours
> apart.
> 
> Any insight would be appreciated.
> 
> ...running syslog-ng 
> May 19 00:35:29 logger01 %PIX-4-106023: Deny udp src outside:4.4.6.15/57112
> dst inside:10.1.2.16/514 by access-group "outside_access_in" 
> May 19 00:36:29 logger01 %PIX-4-106023: Deny udp src outside:4.4.6.15/57112
> dst inside:10.1.2.16/514 by access-group "outside_access_in"         
> 
> ...running syslogd on OpenBSD 3.5-stable/sparc64
> May 19 11:36:53 172.16.10.20 May 19 2004 00:33:29: %PIX-4-106023: Deny udp
> src outside:4.4.6.15/57112 dst inside:10.1.2.16/514 by access-group "outside
> _access_in" 
> May 19 11:37:02 172.16.10.20 May 19 2004 00:33:39: %PIX-4-106023: Deny udp
> src outside:210.12.158.85/1243 dst inside:10.1.2.15/1434 by access-group
> "outside_access_in" 
> 
> # syslog-ng configuration file.
> #
> # See syslog-ng(8) and syslog-ng.conf(5) for more information.
> #
> # 20000925 gb@sysfive.com
> 
> options { sync (0);
>           time_reopen (10);
>           log_fifo_size (1000);
>           keep_hostname (yes);
>           long_hostnames (off);
>           use_dns (no);
>           use_fqdn (no);
>           create_dirs (no);
>           keep_hostname (yes);
>         };
> 
> source s_sys { unix-dgram ("/dev/log"); internal(); file ("/dev/klog"); };
> source s_udp { udp (); };
> 
> destination d_cons   { file("/dev/console"); };
> destination d_mesg   { file("/var/log/messages"); };
> destination d_auth   { file("/var/log/authlog"); };
> destination d_authp  { file("/var/log/secure"); };
> destination d_cron   { file("/var/cron/log"); };
> destination d_daem   { file("/var/log/daemon"); };
> destination d_ftp    { file("/var/log/xferlog"); };
> destination d_lpr    { file("/var/log/lpd-errs"); };
> destination d_mail   { file("/var/log/maillog"); };
> destination d_spol   { file("/var/log/uucp"); };
> destination d_mlal   { usertty("*"); };
> destination d_root   { usertty("root"); };
> destination d_trap   { file("/var/log/snmptraps"); };
> destination d_cisco { file("/var/log/cisco"); };
> destination d_catchudp    { file("/var/log/systems/catchudp.log"); };
> destination d_catchsys    { file("/var/log/catchsys.log"); };
> 
> filter f_kern      { facility(kern); };
> filter f_mesg      { level(info..emerg) and not
>                         facility(mail, auth, authpriv, ftp, lpr,local0,
> local7)and not
>                         filter(f_croner) and not
>                         facility(daemon) and level(info); };
> filter f_auth      { facility(auth); };
> filter f_authp     { facility(authpriv); };
> filter f_cron      { facility(cron); };
> filter f_mail      { facility(mail); };
> filter f_daem      { facility(daemon); };
> filter f_ftp       { facility(ftp); };
> filter f_lpr       { facility(lpr); };
> filter f_mail      { facility(mail); };
> filter f_emerg     { level(emerg); };
> filter f_spol      { facility(uucp) or
>                         (facility(news) and
>                         level(crit)); };
> filter f_trap      { facility(local0); };
> filter f_cisco     { facility(local7); };
> filter f_swatch    { level(info..emerg); };
> 
> #log { source(s_sys); filter(f_kern);  destination(d_cons); };
> log { source(s_sys); filter(f_kern);   destination(d_mesg); };
> log { source(s_sys); filter(f_mesg);   destination(d_mesg); };
> log { source(s_sys); filter(f_auth);   destination(d_auth); };
> log { source(s_sys); filter(f_mail);   destination(d_mail); };
> log { source(s_sys); filter(f_emerg);  destination(d_mlal); };
> log { source(s_sys); filter(f_spol);   destination(d_spol); };
> log { source(s_sys); filter(f_cron);   destination(d_cron); };
> log { source(s_sys); filter(f_trap);   destination(d_trap); };
> log { source(s_udp); filter(f_cisco);  destination(d_cisco); };
> log { source(s_sys); filter(f_swatch); destination(d_catchsys); };
> 
> 
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> 
>