[syslog-ng] Strange behaviour, Cisco, UDP & $HOST

Mon Aug 1 14:11:11 CEST 2005

On Mon, 2005-08-01 at 12:06 +0300, Jussi Tawaststjerna wrote:
> Hello,
> 
> Did a quick glance on the archives but didn't find an answer to this one, 
> spent a good time googling too. Hopefully someone can help.
> 
> I'm trying to build a central loghost with syslog-ng 1.9.5, for use with 
> linux servers and cisco routers, and ran into a nice li'l problem.
> 
> First some configuration:
> --8<--
> options {
> chain_hostnames(no);
> long_hostnames(on);
> sync(0);
> keep_hostname(yes);
> dns_cache(yes);
> use_fqdn(yes);
> use_dns(yes);
> log_fifo_size(2048);
> log_msg_size(8192);
> };
> 
> source local { unix-stream("/dev/log"); internal(); };
> 
> source network { udp(ip("x.x.x.x") port(514)); };
> (x.x.x.x is the interface machines are configured to use)
> 
> destination hosts { file("/var/log/$HOST/$FACILITY" owner(root) group(root) 
> perm(0600) dir_perm(0700) create_dirs(yes)); };
> 
> ..
> .
> 
> log { source(network); destination(hosts); };
> 
> --8<--
> 
> It "works". I have two machines set up to send logs to this host, my own 
> machine domain.org and a cisco device ciscorouter.net.
> 
> When I do something on my machine to generate log, directory 
> /var/log/domain.org is created and files appear in it, by facility. Sweet. 
> domain.org resolves into an IP and the IP PTR is domain.org ..
> 
> ciscorouter.net resolves into IP and IP PTR is ciscorouter.net .. OKAY, 
> heart of the problem:
> 
> Now I go to a Cisco device (7200 series) which is configured to send local3 
> to loghost, is working already with another sysklogd-host. I issue "conf t", 
> ctrl-z and "wri", and the router sends a line to loghost, and loghost should 
> create /var/log/<routers fqdn> and a file named local3 inside, right?
> 
> Nope.
> 
> The directory does not appear. No logfile is created or appended anywhere 
> within loghost.
> 
> Then I go to domain.org, exit from su and su back in again (generate a line 
> of log) .. Now I see a new file on loghost, /var/log/domain.org/local3 .. 
> and on one single line with no CR/LF it reads:
> 
> Aug  1 11:23:53 domain.org/domain.org 915: *Aug  1 10:17:16.613: 
> %SYS-5-CONFIG_I: Configured from console by user on vty0 
> (x.x.x.x)<86>su[2896]: + pts/23 user:root
> 
> For the people not familiar with Cisco log entries, everything before <86> 
> came from the Cisco, and starting from "su" is my domain.org linux.
> 
> domain.org doesn't log anything using local3, this file shouldn't even 
> exist.
> 
> Can someone please immediately see what's wrong here, and what to put in 
> syslog-ng.conf?

There was a similar problem I've just fixed in the 1.9.x branch during
the weekend. Could you try a newer snapshot?

(or if this is deemed a hard production environment, stick to 1.6.x)

-- 
Bazsi