[syslog-ng] Logs from Nauticus

Delphine D delphined_1300 at hotmail.com
Fri Sep 7 16:47:31 CEST 2007


>On Fri, Sep 07, 2007 at 03:18:27PM +0200, Delphine D wrote:
> >
> > I receive the logs on the centralized logs server but without any
> > information about the source of the logs (no IP, no hostname).
> >
> > In other words :
> >
> > Sep  7 14:03:29 2007 v0 AAA [0/100e8] [ERROR]: User authentication failure,
> > user: 'test', host: 1.2.3.4, application: httpLogin, method:
> > TACACS(serviceNotAvailable)  serviceNotAvailable
> >
> > instead of :
> >
> > Sep  7 14:03:29 2007/nauticus.ourdomain.be v0 AAA [0/100e8] [ERROR]: User
> > authentication failure, user: 'test', host: 1.2.3.4, application: httpLogin,
> > method: TACACS(serviceNotAvailable)  serviceNotAvailable
> >
> > Is there a parameter to change in the N2120 ?
>
>Those aren't standard syslog messages, and it's possible that paired
>with how Solaris sends a header but not a hostname, syslog-ng could be
>getting confused about this. You should send your "options" part of your
>syslog-ng.conf, and read http://www.campin.net/syslog-ng/syslog.html to
>see if it helps you understand what the messages look like on the wire
>and how syslog-ng makes its best guesses about what the fields mean.
>
>Something similar is the reason for the "bad_hostname" option, but
>that's for when program names look like hostnames. You have a header
>section that looks like a hostname, but I'm not sure if you have a
>keep_hostname(no) that's stripping out your hostname from that weird
>header section that looks like syslog-ng's "chain_hostnames".
>
>So send your options to the list, try setting keep_hostname(yes), or see
>if you can force a normal syslog format on the client side. What they're
>sending is wrong in a new way that isn't worked around in syslog-ng
>(AFAIK).

Thank you Nate for your help.

Here is the syslog-ng.conf from my logs server :

options {
        create_dirs(yes);
        dir_perm(0705);
        dir_owner(root);
        perm(0600);
        owner(root);
        sync(0);
        check_hostname(no);
        use_fqdn(yes);
        use_dns(yes);
        dns_cache(yes);
        dns_cache_expire(604800);
        dns_cache_size(400);
        stats(60);
        keep_hostname(yes);
        chain_hostnames(yes);
};

I'm not sure that we have the ability to change something in the Nauticus.
There is no Syslog or Syslog-ng running on it.  There are no configuration
files like in "normal" servers (Linux, Solaris,...).

There is only a parameters section in the GUI, where you have to configure :

- SysLog Host   --> IP of the logs server
- Syslog Port     --> 514
- Filter              --> defaultSyslog (by default)
- Facility           --> local0, local1,.... or local7

But I don't find anything about hostname.

The strangest thing is that it was working fine a few weeks ago but it has 
suddenly stopped working :-(

Thanks.

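Added example (not part of the original post, and not syslog-ng's own parser): a strict RFC 3164 reading of the device's line, showing that the year after the timestamp lands in the HOSTNAME position, plus a check a collector could use to flag such senders. The <131> priority (local0.err) and the well-formed comparison line are constructed; what the device really puts on the wire is not shown in the post.

```python
import re

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: CONTENT
HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)

# Constructed samples: the log text is from the post, the PRI is assumed.
NAUTICUS = ("<131>Sep  7 14:03:29 2007 v0 AAA [0/100e8] [ERROR]: "
            "User authentication failure, user: 'test', host: 1.2.3.4")
STANDARD = ("<131>Sep  7 14:03:29 nauticus.ourdomain.be AAA: "
            "User authentication failure, user: 'test', host: 1.2.3.4")


def parse_rfc3164(line):
    """Split a line into timestamp, host and rest (plus facility/severity)."""
    m = HEADER.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    pri = fields.pop("pri")
    if pri is not None:
        # PRI = facility * 8 + severity
        fields["facility"], fields["severity"] = divmod(int(pri), 8)
    return fields


def host_problem(host):
    """Return why the HOSTNAME token is implausible, or None if it looks fine.

    Accepts DNS names and IPv4 addresses only; IPv6 literals are not handled.
    """
    if re.fullmatch(r"(19|20)\d{2}", host):
        return "year in HOSTNAME position (timestamp carries a year)"
    if not re.fullmatch(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?", host):
        return "not a hostname or IPv4 address"
    return None


def check(line):
    """Return (host_token, problem) for one received line."""
    fields = parse_rfc3164(line)
    if fields is None:
        return (None, "no RFC 3164 timestamp found")
    return (fields["host"], host_problem(fields["host"]))


if __name__ == "__main__":
    for sample in (NAUTICUS, STANDARD):
        print(check(sample))
```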


