[syslog-ng] Logs from Nauticus
Nate Campi
nate at campin.net
Fri Sep 7 16:35:54 CEST 2007
On Fri, Sep 07, 2007 at 03:18:27PM +0200, Delphine D wrote:
>
> I receive the logs on the centralized logs server but without any
> information about the source of the logs (no IP, no hostname).
>
> In other words :
>
> Sep 7 14:03:29 2007 v0 AAA [0/100e8] [ERROR]: User authentication failure,
> user: 'test', host: 1.2.3.4, application: httpLogin, method:
> TACACS(serviceNotAvailable) serviceNotAvailable
>
> instead of :
>
> Sep 7 14:03:29 2007/nauticus.ourdomain.be v0 AAA [0/100e8] [ERROR]: User
> authentication failure, user: 'test', host: 1.2.3.4, application: httpLogin,
> method: TACACS(serviceNotAvailable) serviceNotAvailable
>
> Is there a parameter to change in the N2120 ?

Those aren't standard syslog messages, and it's possible that paired
with how Solaris sends a header but not a hostname, syslog-ng could be
getting confused about this. You should send your "options" part of your
syslog-ng.conf, and read http://www.campin.net/syslog-ng/syslog.html to
see if it helps you understand what the messages look like on the wire
and how syslog-ng makes its best guesses about what the fields mean.

Something similar is the reason for the "bad_hostname" option, but
that's for when program names look like hostnames. You have a header
section that looks like a hostname, but I'm not sure if you have a
keep_hostname(no) that's stripping out your hostname from that weird
header section that looks like syslog-ng's "chain_hostnames".

So send your options to the list, try setting keep_hostname(yes), or see
if you can force a normal syslog format on the client side. What they're
sending is wrong in a new way that isn't worked around in syslog-ng
(AFAIK).

--
Nate
"Reader, suppose you were an idiot. And suppose you were a member of
Congress. But I repeat myself." - Samuel Clemens
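
The header-guessing problem discussed in this post, as an added example (not part of the original post and not syslog-ng's own code): a simplified RFC 3164-style parser that treats the token after the timestamp as a hostname only when it looks like one, and otherwise attributes the message to the sending address. The `<131>` priority, the peer address 192.0.2.10 and the function names are assumptions made for the illustration.

```python
import ipaddress
import re

# Simplified RFC 3164-style header split. Illustration only; this is not
# syslog-ng's parser and does not reproduce its exact heuristics.
HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                               # optional <PRI>
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "  # Mmm dd hh:mm:ss
    r"(?P<rest>.*)$",
    re.S,
)
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
NAME = re.compile(LABEL + r"(?:\." + LABEL + r")*")


def plausible_host(token):
    """True for an IP address or a DNS-style name that contains a letter."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        pass
    return bool(NAME.fullmatch(token)) and any(c.isalpha() for c in token)


def attribute(raw, peer):
    """Return (host, host_source, message) for one received datagram."""
    m = HEADER.match(raw)
    if not m:
        return peer, "peer", raw  # no recognisable header at all
    token, _, tail = m.group("rest").partition(" ")
    if plausible_host(token) and tail:
        return token, "header", tail
    # Token is not a hostname (here: the year "2007"); keep it in the
    # message and fall back to the transport-level sender address.
    return peer, "peer", m.group("rest")


# Constructed samples: the priority and peer address are made up; the
# message text is shortened from the log line quoted in the post.
NAUTICUS = ("<131>Sep 7 14:03:29 2007 v0 AAA [0/100e8] [ERROR]: "
            "User authentication failure, user: 'test'")
NORMAL = ("<131>Sep  7 14:03:29 nauticus.ourdomain.be AAA: "
          "User authentication failure, user: 'test'")

if __name__ == "__main__":
    for sample in (NAUTICUS, NORMAL):
        print(attribute(sample, "192.0.2.10"))
```

Recording `host_source` next to the host keeps it visible, when the logs are later used as evidence, whether a name came from the sender's own header or from the receiving socket.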