[syslog-ng] Losing TAG information
Nate Campi
nate at campin.net
Thu Jun 22 02:55:09 CEST 2006
Are you running syslog-ng on the AIX host as well? I think you probably
aren't. SVR4-type boxes leave out the hostname when sending syslogs over
the wire, but leave the rest of the header intact:
http://www.campin.net/syslog-ng/syslog.html#missing_parts
This is highly confusing behavior, especially when there are spaces in
the program name. This is why I requested and Bazsi created the
"bad_hostname()" option. Either put syslog-ng on the AIX boxes or use
bad_hostname() on your syslog-ng loghost.
On Mon, Jun 19, 2006 at 09:21:05AM -0500, SOLIS, ALEX wrote:
>
> I appreciate your sympathy but it does not help me with my TAG problem.
> :)
>
> Anyone else have any idea how to stop syslog-ng from purging the TAG
> information from an AIX syslogd message? I have successfully sniffed
> syslog traffic between the AIX servers and my LOGHOST. The TAG (Process
> Name info) is definitely intact on the wire. This confirms that
> syslog-ng is simply parsing the log message and removing the TAG info.
>
> I did some more tests on the Linux LOGHOST using the logger utility and
> I found that syslog-ng does not like spaces after the TAG information.
> For example:
>
> 1) logger -p syslog.info -t "TEST_TAG" "TEST_MESSAGE"
>
> Generates the log:
>
> Jun 19 08:42:38 loghost TEST_TAG: TEST_MESSAGE
>
>
> 2) logger -p syslog.info -t "TEST_TAG " "TEST_MESSAGE"
>
> Generates the log:
>
> Jun 19 08:44:08 loghost : TEST_MESSAGE
>
> Example two lost the TAG information because of the space after
> TEST_TAG. I have considered the possibility that the messages being
> sent from the AIX box do not conform to syslog formatting standards and
> therefore syslog-ng discards the field. But I would like to know if
> there is anything that can be done to stop this behavior.
>
> Thanks for all responses, even sympathetic ones. :)
>
> Alex
>
>
> -----Original Message-----
> From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu]
> Sent: Tuesday, June 13, 2006 9:09 PM
> To: SOLIS, ALEX
> Subject: Re: [syslog-ng] Losing TAG information
>
> On Tue, 13 Jun 2006 10:07:33 CDT, "SOLIS, ALEX" said:
>
> (off-list reply)
>
> > I have about 20 or so AIX 4.3 servers that are sending syslog messages
> > to a Linux desktop running syslog-ng 1.6.5.
>
> You have my condolences. IBM dropped support for even AIX 4.3.3 several
> years ago - hopefully you're not having problems keeping the software
> running and secure...
>
--
Nate
I wonder why no company starts his manual with the words `We thank you
for buying this piece of junk. We have done our best to make this junk
as annoying as possible, and we assure that it will give you a
headache for the next two months. However, if you feel satisfied with
it, we will contact you for an expensive replacement.'
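
The header ambiguity discussed in this thread, as an added example that is not part of the original messages and is not syslog-ng code: a simplified Python model of BSD-style header parsing showing how a missing hostname shifts the fields, and how rejecting an implausible first token recovers the TAG. The `parse` function, its `bad_hostname` regex parameter, the sender address and the sample datagrams are all constructed for illustration.

```python
import re

# Simplified model of BSD-syslog header parsing, for illustration only.
# This is not syslog-ng's parser; names and sample data are constructed.
HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (.*)$", re.S)
TAG = re.compile(r"^([^\s:\[]+)(?:\[(\d+)\])?: ?(.*)$", re.S)


def parse(datagram, sender_ip, bad_hostname=None):
    """Split one syslog datagram into host, program and message.

    bad_hostname is an optional regex: a first token that matches it is
    not accepted as a hostname, and the sender address is used instead.
    """
    m = HEADER.match(datagram)
    if not m:
        return {"host": sender_ip, "program": "", "msg": datagram}
    pri, rest = int(m.group(1)), m.group(3)
    first, _, remainder = rest.partition(" ")
    if bad_hostname and re.search(bad_hostname, first):
        host, body = sender_ip, rest        # header carried no hostname
    else:
        host, body = first, remainder       # trust the first token
    t = TAG.match(body)
    program, msg = (t.group(1), t.group(3)) if t else ("", body)
    return {"facility": pri >> 3, "severity": pri & 7,
            "host": host, "program": program, "msg": msg}


# Constructed datagrams: <46> is syslog.info (facility 5, severity 6).
WITH_HOST = "<46>Jun 19 08:42:38 aixbox TEST_TAG: TEST_MESSAGE"
NO_HOST = "<46>Jun 19 08:42:38 TEST_TAG: TEST_MESSAGE"
NO_HOST_SPACE = "<46>Jun 19 08:44:08 TEST TAG: TEST_MESSAGE"

if __name__ == "__main__":
    sender = "192.0.2.10"  # documentation address, constructed
    for label, dgram, rx in [
        ("hostname present", WITH_HOST, None),
        ("hostname missing, naive", NO_HOST, None),
        ("hostname missing, bad_hostname", NO_HOST, r":$"),
        ("space in program name", NO_HOST_SPACE, r":$"),
    ]:
        print(label, "->", parse(dgram, sender, rx))
```

In this model a trailing-colon pattern does not help when the program name contains a space, because the first token then looks like an ordinary hostname; the pattern would have to name the affected programs.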