[syslog-ng] Strange behaviour, Cisco, UDP & $HOST

Jussi Tawaststjerna jussi.tawaststjerna at nebula.fi
Mon Aug 1 11:06:05 CEST 2005


Hello,

I took a quick glance at the archives but didn't find an answer to this one, 
and spent a good while googling too. Hopefully someone can help.

I'm trying to build a central loghost with syslog-ng 1.9.5, for use with 
linux servers and cisco routers, and ran into a nice li'l problem.

First some configuration:
--8<--
options {
chain_hostnames(no);
long_hostnames(on);
sync(0);
keep_hostname(yes);
dns_cache(yes);
use_fqdn(yes);
use_dns(yes);
log_fifo_size(2048);
log_msg_size(8192);
};

source local { unix-stream("/dev/log"); internal(); };

source network { udp(ip("x.x.x.x") port(514)); };
(x.x.x.x is the interface machines are configured to use)

destination hosts { file("/var/log/$HOST/$FACILITY" owner(root) group(root) 
perm(0600) dir_perm(0700) create_dirs(yes)); };

..
..

log { source(network); destination(hosts); };

--8<--

It "works". I have two machines set up to send logs to this host, my own 
machine domain.org and a cisco device ciscorouter.net.

When I do something on my machine to generate a log line, the directory 
/var/log/domain.org is created and files appear in it, by facility. Sweet. 
domain.org resolves to an IP and the IP's PTR is domain.org ..

ciscorouter.net resolves to an IP and the IP's PTR is ciscorouter.net .. OKAY, 
heart of the problem:

Now I go to a Cisco device (7200 series) which is configured to send local3 
to the loghost, and which is already working with another sysklogd host. I issue 
"conf t", ctrl-z and "wri", and the router sends a line to the loghost, and the 
loghost should create /var/log/<routers fqdn> and a file named local3 inside, 
right?

Nope.

The directory does not appear. No logfile is created or appended anywhere 
within loghost.

Then I go to domain.org, exit from su and su back in again (to generate a line 
of log) .. Now I see a new file on the loghost, /var/log/domain.org/local3 .. 
and on one single line, with no CR/LF, it reads:

Aug  1 11:23:53 domain.org/domain.org 915: *Aug  1 10:17:16.613: 
%SYS-5-CONFIG_I: Configured from console by user on vty0 
(x.x.x.x)<86>su[2896]: + pts/23 user:root

For the people not familiar with Cisco log entries, everything before <86> 
came from the Cisco, and starting from "su" is my domain.org linux.

domain.org doesn't log anything using local3, this file shouldn't even 
exist.

Can someone see right away what's wrong here, and what to put in 
syslog-ng.conf?

Thank you very much.

---
Jussi Tawaststjerna
Nebula Oy
---
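The single stored line quoted in the post is two syslog messages back to back: a Cisco IOS message (sequence number, `*`-prefixed timestamp, `%SYS-5-CONFIG_I`) with no hostname field of its own, and then a `<86>` (authpriv.info) message from the Linux box starting at `su[2896]`. The following parser is an added example, not code from the post or from syslog-ng itself: it splits a UDP payload at every embedded `<PRI>` marker, parses each part as either an IOS-style or a BSD-style message, falls back to the sending host when the message carries no hostname, and maps the result onto the post's `file("/var/log/$HOST/$FACILITY")` template. The sample payload is constructed from the quoted line; the `<157>` priority on the Cisco half is an assumption (local3.notice, since the router is configured for local3 and `%SYS-5-*` is severity 5), and the facility names for codes 12-15 follow syslog-ng's spelling.

```python
import re
from dataclasses import dataclass
from typing import List

# Standard syslog facility codes 0..23 in order; these are the names syslog-ng's
# $FACILITY macro yields (12-15 are syslog-ng's spellings, other daemons differ).
FACILITY_NAMES = (
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
    "ntp security console solaris-cron "
    "local0 local1 local2 local3 local4 local5 local6 local7"
).split()

PRI_RE = re.compile(r"<(\d{1,3})>")

# Cisco IOS body: optional "seq: ", optional "*Mmm dd hh:mm:ss.mmm TZ: " timestamp
# (a leading '*' or '.' marks an unsynchronised clock), then "%FAC-SEV-MNEMONIC: text".
# IOS sends no hostname field unless "logging origin-id" is configured.
CISCO_RE = re.compile(
    r"^(?:\d+: )?"
    r"(?:[*.]?[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d(?:\.\d{3})?(?: \S+)?: )?"
    r"%([A-Z0-9_]+-\d-[A-Z0-9_]+): (.*)$", re.S)

# RFC 3164 header as a Unix syslogd sends it: "Mmm dd hh:mm:ss hostname tag[pid]: text".
BSD_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) (.*)$", re.S)
TAG_RE = re.compile(r"^([A-Za-z0-9_./-]+)(?:\[\d+\])?: ?(.*)$", re.S)


@dataclass
class SyslogMsg:
    facility: str
    severity: int
    host: str              # $HOST: header hostname if present, else the UDP sender
    host_from_header: bool
    program: str
    text: str


def parse_message(raw: str, sender: str) -> SyslogMsg:
    """Parse one syslog message; `sender` is the resolved name of the UDP peer."""
    m = PRI_RE.match(raw)
    pri = int(m.group(1)) if m else 13        # RFC 3164: no PRI means user.notice
    if pri > 191:                             # 23*8+7 is the largest valid PRI
        pri = 13
    body = raw[m.end():] if m else raw
    facility, severity = FACILITY_NAMES[pri >> 3], pri & 7

    cisco = CISCO_RE.match(body)
    if cisco:                                 # IOS: no hostname on the wire
        return SyslogMsg(facility, severity, sender, False,
                         "%" + cisco.group(1), cisco.group(2))

    bsd = BSD_RE.match(body)
    host, from_header, rest = (bsd.group(1), True, bsd.group(2)) if bsd else (sender, False, body)
    tag = TAG_RE.match(rest)
    program, text = (tag.group(1), tag.group(2)) if tag else ("", rest)
    return SyslogMsg(facility, severity, host, from_header, program, text)


def split_datagram(payload: str) -> List[str]:
    """Recover individual messages from one UDP payload.

    A well-formed datagram holds exactly one message. If a sender omits the
    trailing newline and the receiver concatenates the next datagram onto it,
    a second "<PRI>" appears mid-string; splitting at every "<PRI>" recovers
    both. (Heuristic: a literal "<NN>" inside message text would also split.)
    """
    starts = [m.start() for m in PRI_RE.finditer(payload)]
    if not starts or starts[0] != 0:
        starts.insert(0, 0)
    bounds = zip(starts, starts[1:] + [len(payload)])
    parts = [payload[a:b].strip("\r\n") for a, b in bounds]
    return [p for p in parts if p]


def log_path(msg: SyslogMsg) -> str:
    """Mirror the post's file("/var/log/$HOST/$FACILITY") destination template."""
    return f"/var/log/{msg.host}/{msg.facility}"


def route(payload: str, sender: str) -> List[str]:
    """Destination file for each message found in one datagram from `sender`."""
    return [log_path(parse_message(m, sender)) for m in split_datagram(payload)]


# Constructed sample, reassembled from the line quoted in the post: the Cisco
# datagram (PRI assumed to be <157>, i.e. local3.notice) immediately followed,
# with no newline, by the next datagram from the Linux box.
GLUED_PAYLOAD = (
    "<157>915: *Aug  1 10:17:16.613: %SYS-5-CONFIG_I: "
    "Configured from console by user on vty0 (x.x.x.x)"
    "<86>su[2896]: + pts/23 user:root"
)
# Constructed: the same two messages as they would arrive in separate datagrams.
CISCO_ALONE = ("<157>915: *Aug  1 10:17:16.613: %SYS-5-CONFIG_I: "
               "Configured from console by user on vty0 (x.x.x.x)\n")
LINUX_BSD = "<86>Aug  1 11:23:53 domain.org su[2896]: + pts/23 user:root\n"

if __name__ == "__main__":
    # Glued payload attributed to the Linux box: the Cisco half carries no hostname,
    # so it inherits the sender and lands under domain.org/local3, the stray file
    # the post reports.
    for raw in split_datagram(GLUED_PAYLOAD):
        msg = parse_message(raw, "domain.org")
        print(f"{log_path(msg):36} {msg.program}: {msg.text}")
    # The same Cisco message in its own datagram routes where it belongs.
    print(route(CISCO_ALONE, "ciscorouter.net"))
    print(route(LINUX_BSD, "domain.org"))
```

Running it shows the two halves of the glued line routed to `/var/log/domain.org/local3` and `/var/log/domain.org/authpriv`, whereas the Cisco message received as its own datagram from `ciscorouter.net` routes to `/var/log/ciscorouter.net/local3`. The point for a loghost operator is that a message with no hostname field (IOS default) can only be attributed by the sending peer, so whatever datagram it arrives in decides its `$HOST`.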



