[syslog-ng] Trouble with switches and syslog-ng

Jean-Michel Philippon-Nadeau jmphilip at ccs.usherbrooke.ca
Wed Apr 11 16:14:59 CEST 2007


Balazs Scheidler wrote:
> On Thu, 2007-04-05 at 18:23 +0200, Balazs Scheidler wrote:
>> On Thu, 2007-04-05 at 08:29 -0400, Jean-Michel Philippon-Nadeau wrote:
>>> Balazs Scheidler wrote:
>>>> On Wed, 2007-04-04 at 11:01 -0400, Jean-Michel Philippon-Nadeau wrote:
>>>>> Good day everyone,
>>>>>
>>>>> 	We use syslog-ng to store and organize the logs of our machines 
>>>>> (~3900). For every host we have, syslog-ng creates a folder with the 
>>>>> hostname or the ip address (if it couldn't determine the hostname) of 
>>>>> the machine and then stores the logs.
>>>>>
>>>>> 	We also have 5 switches that can report logs with standard syslog 
>>>>> capabilities (udp on port 514). The problem is that syslog-ng doesn't 
>>>>> create the folder for these switches and doesn't store their logs. I 
>>>>> made sure there were no network problems by using tcpdump - the packets
>>>>> correctly made it to the central syslog-ng host. Yes, of course, I made 
>>>>> sure udp(); was in my source declaration.
>>>>>
>>>>> 	Does anyone know how I can make sure syslog-ng receives the logs?
>>>> the message sent by the switch might not be in a format that syslog-ng
>>>> accepts and this way the message gets to the wrong destination.
>>>>
>>>> can you paste a single log message as received by the syslog-ng host?
>>>> ie. a message you captured using tcpdump.
>>>>
>>> Here is a login failure from ssh to the switch received by tcpdump -A
>>> -vv on a specific interface, from a specific host (a switch) and on UDP port 514.
>>>
>>> 08:10:15.767285 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 
>>> 17, length: 88) 192.168.175.2.syslog > 192.168.175.1.syslog: UDP, length 60
>>>
>>> E..X.. at .@.[@.............D..Login failed for user adminccs through ssh 
>>> (192.168.10
>>>
>> hmm. this line does not include a log header (no pri, no header, no
>> host, nothing)
>>
>> syslog-ng will probably think (but I'd have to check) that "Login" is
>> the hostname, and depending on your keep_hostname() setting, it either
>> replaces Login with the host that sent the UDP frame, or leaves Login
>> alone, and thinks that it is a hostname (and thus stores messages in a
>> subdirectory named "Login").
>>
>> the solution is to 
>> 1) file a bug report to the vendor to fix their syslog message format
>> 2) try to tune the bad_hostname() option to indicate that "Login" is a
>> bad hostname.
> 
> Oh, and another, better solution occurred to me. Create a new source
> (either separate IP or different port) and disable log message parsing,
> like this:
> 
> source s_unparsed { udp(flags(no-parse)); };
> 
> This won't even try to parse an incoming line as a syslog message, it
> simply stuffs the line as the MSG part, and prepends proper syslog
> headers.
> 

Thanks a lot for your help Balazs. It works perfectly now. I am going to 
post the solution in case someone else runs into the same problem (for 
your archives).

For Extreme Networks switches running XOS, you have to configure the log 
format for syslog using the command "configure log target syslog 
<arguments>". It is explained on pages 643 to 646 of 
DocumentationEXOSCommandRef11_6.pdf. After you set your log format to 
something appropriate for your needs, just configure syslog-ng to 
process your logs the way you want.

Thanks again for your help!
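As an added illustration (not code from this thread or from syslog-ng itself), the following Python model reproduces the parsing behaviour Balazs describes: a headerless line like the switch's is read as if "Login" were the hostname, and keep_hostname(), bad_hostname() and flags(no-parse) each change where the message lands. The default priority of 13 (user.notice), the regular expressions, the peer address and the /var/log/hosts/$HOST/messages destination template are assumptions made for the example.

```python
import re

# Constructed samples: the first mirrors the shape of the switch line seen in
# the tcpdump capture (no <PRI>, no timestamp, no hostname); the second is a
# well-formed BSD-syslog line for comparison.
SWITCH_LINE = "Login failed for user adminccs through ssh (192.168.10.99)"
GOOD_LINE = "<38>Apr 11 16:14:59 core-sw1 sshd[4242]: Accepted publickey for ops"
PEER = "192.168.175.2"  # assumed sender address of the UDP frame

PRI_RE = re.compile(r"^<(\d{1,3})>")
TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
DEFAULT_PRI = 13  # user.notice, assumed default when <PRI> is absent
BAD_HOSTNAME = re.compile(r"^Login$")  # what a bad_hostname() tuning would match


def parse_legacy(line, peer, keep_hostname=True, bad_hostname=None):
    """Simplified model of the legacy BSD-syslog parse discussed in the thread:
    optional <PRI>, optional timestamp, then the next token is taken as HOST."""
    pri, rest = DEFAULT_PRI, line
    m = PRI_RE.match(rest)
    if m:
        pri, rest = int(m.group(1)), rest[m.end():]
    m = TS_RE.match(rest)
    if m:
        rest = rest[m.end():]
    token, _, remainder = rest.partition(" ")
    if bad_hostname and bad_hostname.search(token):
        # Token rejected as a hostname: it stays in MSG, HOST comes from the frame.
        return {"pri": pri, "host": peer, "msg": rest}
    # With keep_hostname(no) the token is still consumed, so "Login" is lost.
    host = token if keep_hostname else peer
    return {"pri": pri, "host": host, "msg": remainder}


def parse_no_parse(line, peer):
    """flags(no-parse): the whole line becomes MSG and a header is synthesised."""
    return {"pri": DEFAULT_PRI, "host": peer, "msg": line}


def destination_dir(rec):
    # Mirrors a per-host destination template such as /var/log/hosts/$HOST/messages.
    return f"/var/log/hosts/{rec['host']}/messages"


if __name__ == "__main__":
    for rec in (parse_legacy(SWITCH_LINE, PEER),
                parse_legacy(SWITCH_LINE, PEER, keep_hostname=False),
                parse_legacy(SWITCH_LINE, PEER, bad_hostname=BAD_HOSTNAME),
                parse_no_parse(SWITCH_LINE, PEER),
                parse_legacy(GOOD_LINE, PEER)):
        print(destination_dir(rec), "|", rec["msg"])
```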

