[syslog-ng] Trouble with switches and syslog-ng

Balazs Scheidler bazsi at balabit.hu
Fri Apr 6 11:23:45 CEST 2007


On Thu, 2007-04-05 at 18:23 +0200, Balazs Scheidler wrote:
> On Thu, 2007-04-05 at 08:29 -0400, Jean-Michel Philippon-Nadeau wrote:
> > Balazs Scheidler wrote:
> > > On Wed, 2007-04-04 at 11:01 -0400, Jean-Michel Philippon-Nadeau wrote:
> > >> Good day everyone,
> > >>
> > >> 	We use syslog-ng to store and organize the logs of our machines 
> > >> (~3900). For every host we have, syslog-ng creates a folder with the 
> > >> hostname or the ip address (if it couldn't determine the hostname) of 
> > >> the machine and then stores the logs.
> > >>
> > >> 	We also have 5 switches that can report logs with standard syslog 
> > >> capabilities (udp on port 514). The problem is that syslog-ng doesn't 
> > >> create the folder for these switches and doesn't store their logs. I 
> > >> made sure there were no network problems by using tcpdump - the packets 
> > >> correctly made it to the central syslog-ng host. Yes, of course, I made 
> > >> sure udp(); was in my source declaration.
> > >>
> > >> 	Does anyone know how I can make sure syslog-ng receives the logs?
> > > 
> > > the message sent by the switch might not be in a format that syslog-ng
> > > accepts and this way the message gets to the wrong destination.
> > > 
> > > can you paste a single log message as received by the syslog-ng host?
> > > ie. a message you captured using tcpdump.
> > > 
> > 
> > Here is a login failure from ssh to the switch received by tcpdump -A 
> > -vv on a specific interface, a specific host (a switch) and on UDP port 514.
> > 
> > 08:10:15.767285 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 
> > 17, length: 88) 192.168.175.2.syslog > 192.168.175.1.syslog: UDP, length 60
> > 
> > E..X.. at .@.[@.............D..Login failed for user adminccs through ssh 
> > (192.168.10
> > 
> 
> hmm. this line does not include a log header (no pri, no header, no
> host, nothing)
> 
> syslog-ng will probably think (but I'd have to check) that "Login" is
> the hostname, and depending on your keep_hostname() setting, it either
> replaces Login with the host that sent the UDP frame, or leaves Login
> alone, and thinks that it is a hostname (and thus stores messages in a
> subdirectory named "Login").
> 
> the solution is to 
> 1) file a bug report to the vendor to fix their syslog message format
> 2) try to tune the bad_hostname() option to indicate that "Login" is a
> bad hostname.

Oh, and another, better solution occurred to me. Create a new source
(either separate IP or different port) and disable log message parsing,
like this:

source s_unparsed { udp(flags(no-parse)); };

This won't even try to parse an incoming line as a syslog message, it
simply stuffs the line as the MSG part, and prepends proper syslog
headers.

-- 
Bazsi
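A fuller configuration built around the unparsed-source suggestion above, added here as an illustration and not taken from the original mail or from the syslog-ng project. The port number, the directory layout under /var/log/hosts and the `bad_hostname()` pattern are assumptions chosen for this example; the per-host directory is created from the `$HOST` macro, which for a `no-parse` source is filled in from the sender of the UDP frame rather than from the message body:

```conf
options {
    # Resolve the sender's address so the per-host directory is named
    # after the switch's hostname rather than its IP (falls back to the IP).
    use_dns(yes);
    # Trust the address the UDP frame came from, not a hostname found
    # (or mis-detected) in the message text.
    keep_hostname(no);
    # Alternative from the earlier reply, for switches that must stay on
    # the shared port 514: the word "Login" is never a valid hostname.
    # Irrelevant for the no-parse source below, kept for the parsed one.
    bad_hostname("^Login$");
};

# Regular, fully parsed syslog input from the ~3900 machines.
source s_net { udp(port(514)); };

# Separate input for the switches that send headerless lines.
# Port 5514 is an assumed value; point the switches at it.
# no-parse keeps the whole line as $MSG and syslog-ng adds its own header.
source s_unparsed { udp(port(5514) flags(no-parse)); };

# One directory per sending host; create_dirs(yes) makes the folder on first message.
# The path is a hypothetical layout for this example.
destination d_hosts { file("/var/log/hosts/$HOST/messages" create_dirs(yes)); };

log { source(s_net);      destination(d_hosts); };
log { source(s_unparsed); destination(d_hosts); };
```

Because `no-parse` skips the header parser entirely, `bad_hostname()` only matters for the parsed `s_net` source; running the switches on a dedicated port means a vendor firmware fix, if one ever arrives, does not require touching this configuration again.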
