[syslog-ng] rhost field

ken.schweiker at faa.gov ken.schweiker at faa.gov
Wed Dec 28 22:48:42 CET 2005

My new configuration now looks like this.....from the faq...

source src { internal(); unix-dgram("/dev/log");
             unix-dgram("/var/lib/ntp/dev/log"); };

source rmt_udp { udp(ip("0.0.0.0") port(514)); };

destination hosts {
    file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY"
         owner(root) group(root) perm(0600) dir_perm(0700)
         create_dirs(yes));
};

log { source(rmt_udp); destination(hosts); };
**********************************************************************************************************************************************************
There are other statements, filters (from the sample conf.) etc., but I
think these are the pertinent ones. Now I have two machines pointing to my
syslog-ng server. In the
"suselog:/var/log/HOSTS/suselog/2005/12/28/auth20051228" file, the below
forwarded messages are intermixed from two different servers.

Dec 28 21:37:23 suselog su(pam_unix)[1532]: authentication failure;
logname=syss55h uid=500 euid=0 tty=pts/4 ruser=syss55h rhost=  user=root
Dec 28 21:37:23 suselog su(pam_unix)[1532]: authentication failure;
logname=syss55h uid=500 euid=0 tty=pts/4 ruser=syss55h rhost=  user=root
Dec 28 21:37:53 suselog sshd(pam_unix)[14395]: session opened for user root
by (uid=0)
Dec 28 21:38:18 suselog su(pam_unix)[14447]: session opened for user
syss55h by root(uid=0)
Dec 28 21:38:26 suselog su(pam_unix)[14490]: authentication failure;
logname=root uid=500 euid=0 tty= ruser=syss55h rhost=  user=root

The messages at 21:37:23 are from one server and the rest are from another.
If nothing else comes up I will upgrade one of the sending machines to
syslog-ng and see what happens. P.S. these machines are not known by DNS.



On Wed, Dec 28, 2005 at 03:45:30PM -0500, ken.schweiker at faa.gov wrote:
>
> Thanks. Meanwhile I finally read the bottom of these responses and went to
> www.campin.net/syslog-ng/faq.html. It was very helpful!
>
> It explained the header problem I think .....
> Many syslog programs, when configured to relay messages on to another
> syslog program on another host, will leave out certain parts of the syslog
> message - complicating proper identification of certain fields.
> ....and......
> The sysklogd program used as a syslog server for many Linux distributions
> also leaves out fields. It leaves out the time/date information and the
> hostname information (the entire "header").
>
> So it sounds like I'll have to install syslog-ng on all the downstream
> servers also. Thanks.

I'm glad you read that, but it might not really be clear enough on how
syslog-ng behaves in this situation.

What happens is that syslog-ng puts in a hostname based on the remote IP
or DNS name, and also uses the chained hostname format if configured to
do so. Don't bother putting syslog-ng everywhere just for that reason.

Let me know if this clears things up.
--
Nate

"The more I C, the less I see."

_______________________________________________
syslog-ng maillist  -  syslog-ng at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
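To illustrate the behaviour Nate describes, here is an added Python example (not code from the thread or from syslog-ng itself): a receiver that parses BSD syslog datagrams, derives $HOST from the sender's address when a sysklogd-style relay has stripped the header (by IP, or by reverse lookup when use_dns is on, with the "relay/origin" form when chain_hostnames is on), and expands the destination template from the posted configuration. The sample datagrams, peer addresses, the FAKE_DNS table and the relay name are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample datagrams as the syslog-ng server would receive them on UDP/514,
# as (peer_ip, raw) pairs: the first sender emits a full BSD header, the second runs a
# sysklogd-style relay that strips the header, as the FAQ quoted in the thread describes.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", "<38>Dec 28 21:37:53 hostb sshd(pam_unix)[14395]: session opened for user root by (uid=0)"),
    ("10.0.0.6", "<38>su(pam_unix)[1532]: authentication failure; logname=syss55h uid=500 euid=0 tty=pts/4 ruser=syss55h rhost=  user=root"),
]
# Hypothetical reverse-DNS table standing in for use_dns(yes); peers missing here are "not known by DNS".
FAKE_DNS = {"10.0.0.5": "hostb"}
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog",
                  "lpr", "news", "uucp", "cron", "authpriv", "ftp"]

HEADER_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def facility_name(code):
    """Map the numeric facility from PRI to the name $FACILITY expands to."""
    if code < len(FACILITY_NAMES):
        return FACILITY_NAMES[code]
    return "local%d" % (code - 16) if 16 <= code <= 23 else str(code)

def parse_datagram(peer_ip, raw, relay="suselog", use_dns=False, chain_hostnames=False):
    """Split a BSD syslog datagram into fields; when the header is absent, derive HOST from the peer."""
    m = HEADER_RE.match(raw)
    if m:
        pri, ts, host, msg = m.groups()
        from_header = True
    else:
        m = PRI_RE.match(raw)
        if not m:
            raise ValueError("not a syslog datagram: %r" % raw)
        pri, msg = m.groups()
        ts = None                 # no header: the receiver stamps the message with its own clock
        from_header = False
        host = FAKE_DNS.get(peer_ip, peer_ip) if use_dns else peer_ip
    if chain_hostnames:           # chained format "relay/origin", mirroring chain_hostnames(yes)
        host = "%s/%s" % (relay, host)
    pri = int(pri)
    return {"facility": facility_name(pri >> 3), "severity": pri & 7, "timestamp": ts,
            "host": host, "host_from_header": from_header, "msg": msg}

def log_path(fields, received=datetime(2005, 12, 28, 21, 37, 23)):
    """Expand the $HOST/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY template from the posted destination."""
    return "/var/log/HOSTS/%s/%s/%s%s" % (fields["host"], received.strftime("%Y/%m/%d"),
                                          fields["facility"], received.strftime("%Y%m%d"))

if __name__ == "__main__":
    for peer, raw in SAMPLE_DATAGRAMS:
        f = parse_datagram(peer, raw)
        print(log_path(f), "host from header:", f["host_from_header"])
```

Note that with chain_hostnames the "/" in the chained name would become an extra directory level in a $HOST-based file path.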