[syslog-ng] Losing TAG information

Nate Campi nate at campin.net
Thu Jun 22 02:55:09 CEST 2006


Are you running syslog-ng on the AIX host as well? I think you probably
aren't. SVR4-type boxes leave out the hostname when sending syslogs over
the wire, but leave the rest of the header intact:

 http://www.campin.net/syslog-ng/syslog.html#missing_parts

This is highly confusing behavior, especially when there are spaces in
the program name. This is why I requested and Bazsi created the
"bad_hostname()" option. Either put syslog-ng on the AIX boxes or use
bad_hostname() on your syslog-ng loghost.

On Mon, Jun 19, 2006 at 09:21:05AM -0500, SOLIS, ALEX wrote:
> 
> I appreciate your sympathy but it does not help me with my TAG problem.
> :)
> 
> Anyone else have any idea how to stop syslog-ng from purging the TAG
> information from an AIX syslogd message?  I have successfully sniffed
> syslog traffic between the AIX servers and my LOGHOST.  The TAG (Process
> Name info) is definitely intact on the wire.  This confirms that
> syslog-ng is simply parsing the log message and removing the TAG info.
> 
> I did some more tests on the Linux LOGHOST using the logger utility and
> I found that syslog-ng does not like spaces after the TAG information.
> For example:
> 
> 1)	   logger -p syslog.info -t "TEST_TAG" "TEST_MESSAGE"
> 	
> 	Generates the log:
> 
> 	   Jun 19 08:42:38 loghost TEST_TAG: TEST_MESSAGE
> 
> 	
> 2)	   logger -p syslog.info -t "TEST_TAG " "TEST_MESSAGE"
> 
> 	Generates the log:
> 
> 	    Jun 19 08:44:08 loghost : TEST_MESSAGE
> 
> Example two lost the TAG information because of the space after
> TEST_TAG.  I have considered the possibility that the messages being
> sent from the AIX box do not conform to syslog formatting standards and
> therefore syslog-ng discards the field.  But I would like to know if
> there is anything that can be done to stop this behavior. 
> 
> Thanks for all responses, even sympathetic ones. :)
> 
> Alex
> 	
> 
> -----Original Message-----
> From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu] 
> Sent: Tuesday, June 13, 2006 9:09 PM
> To: SOLIS, ALEX
> Subject: Re: [syslog-ng] Losing TAG information
> 
> On Tue, 13 Jun 2006 10:07:33 CDT, "SOLIS, ALEX" said:
> 
>  (off-list reply)
> 
> > I have about 20 or so AIX 4.3 servers that are sending syslog messages
> > to a Linux desktop running syslog-ng 1.6.5. 
> 
> You have my condolences.  IBM dropped support for even AIX 4.3.3 several
> years ago - hopefully you're not having problems keeping the software
> running and secure...
> 

-- 
Nate

I wonder why no company starts his manual with the words `We thank you
for buying this piece of junk. We have done our best to make this junk
as annoying as possible, and we assure that it will give you a
headache for the next two months. However, if you feel satisfied with
it, we will contact you for an expensive replacement.' 
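
An added example, not part of the original message and not syslog-ng's own code: a simplified Python model of the header ambiguity discussed in this thread, where a sender omits the hostname and the program name is followed by a space, and of how a bad_hostname()-style regex resolves it. The function name `parse`, the `sender` argument, the sample address and the sample lines are constructed for illustration.

```python
import re

# Timestamp of a BSD-style syslog header, e.g. "Jun 19 08:42:38".
TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

def parse(line, sender, bad_hostname=None):
    """Split a received line into (host, tag, message).

    sender       -- address the packet came from; used when the header
                    carries no hostname (assumption of this model).
    bad_hostname -- regex for tokens that must not be taken as a hostname,
                    modelled on the idea behind syslog-ng's bad_hostname().
    """
    m = TS.match(line)
    if not m:
        return sender, "", line
    rest = line[m.end():]
    token, sep, after = rest.partition(" ")
    # A first token ending in ":" is the program tag, so no hostname was sent.
    is_host = bool(sep) and not token.endswith(":")
    if is_host and bad_hostname and re.search(bad_hostname, token):
        is_host = False          # operator says: this is not a hostname
    if is_host:
        host, rest = token, after
    else:
        host = sender
    tag, colon, msg = rest.partition(":")
    if not colon:
        return host, "", rest
    return host, tag.strip(), msg.lstrip()

# Constructed sample input (192.0.2.10 is a documentation address).
SENDER = "192.0.2.10"
WITH_HOST = "Jun 19 08:42:38 loghost TEST_TAG: TEST_MESSAGE"
NO_HOST = "Jun 19 08:42:38 TEST_TAG: TEST_MESSAGE"
NO_HOST_SPACE = "Jun 19 08:44:08 TEST_TAG : TEST_MESSAGE"

if __name__ == "__main__":
    for line in (WITH_HOST, NO_HOST, NO_HOST_SPACE):
        print(parse(line, SENDER))
    # Same ambiguous line, with the tag excluded from hostname matching.
    print(parse(NO_HOST_SPACE, SENDER, bad_hostname=r"^TEST_TAG$"))
```

In the third case the tag is consumed as the hostname and the tag field comes back empty, which also misattributes the message to a host that does not exist; the fourth call shows the regex restoring both fields.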


