[syslog-ng] syslog-ng Digest, Vol 29, Issue 7
Wilson Lai
wilsonlai at macausjm.com
Mon Sep 10 05:14:40 CEST 2007
Dear Nate,
As you say, there will be no solution to standardize the log format!
Thanks for your reply!
Regards,
Wilson Lai
System Engineer
IT Dept., SJM
Office: (853)2978585
Mobile: (853)66506709
Email: wilsonlai at macausjm.com
-----Original Message-----
From: syslog-ng-request at lists.balabit.hu
[mailto:syslog-ng-request at lists.balabit.hu]
Sent: Saturday, September 08, 2007 6:00 PM
To: syslog-ng at lists.balabit.hu
Subject: syslog-ng Digest, Vol 29, Issue 7
Send syslog-ng mailing list submissions to
syslog-ng at lists.balabit.hu
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.balabit.hu/mailman/listinfo/syslog-ng
or, via email, send a message with subject or body 'help' to
syslog-ng-request at lists.balabit.hu
You can reach the person managing the list at
syslog-ng-owner at lists.balabit.hu
When replying, please edit your Subject line so it is more specific
than "Re: Contents of syslog-ng digest..."
Today's Topics:
1. Logs from Nauticus (Delphine D)
2. Re: Hostname instead of FQDN in logs (Nate Campi)
3. Re: syslog-ng Digest, Vol 28, Issue 21 (Nate Campi)
4. Re: Logs from Nauticus (Nate Campi)
5. Re: Logs from Nauticus (Delphine D)
6. Re: Logs from Nauticus (Nate Campi)
7. Re: How to "drop" a message, effectively skipping further
processing and not logging it? (Eli Stair)
----------------------------------------------------------------------
Message: 1
Date: Fri, 07 Sep 2007 15:18:27 +0200
From: "Delphine D" <delphined_1300 at hotmail.com>
Subject: [syslog-ng] Logs from Nauticus
To: syslog-ng at lists.balabit.hu
Message-ID: <BLU106-F41DCA93C3393AA7FA06E78E1C50 at phx.gbl>
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Hello,
Is there someone here having some knowledge of how to send logs from
Nauticus (Sun Secure Application Switch Manager N2120) to syslog-ng ?
I receive the logs on the centralized logs server but without any
information about the source of the logs (no IP, no hostname).
In other words :
Sep 7 14:03:29 2007 v0 AAA [0/100e8] [ERROR]: User authentication failure, user: 'test', host: 1.2.3.4, application: httpLogin, method: TACACS(serviceNotAvailable) serviceNotAvailable
instead of :
Sep 7 14:03:29 2007/nauticus.ourdomain.be v0 AAA [0/100e8] [ERROR]: User authentication failure, user: 'test', host: 1.2.3.4, application: httpLogin, method: TACACS(serviceNotAvailable) serviceNotAvailable
Is there a parameter to change in the N2120 ?
Thank you very much.
------------------------------
Message: 2
Date: Fri, 7 Sep 2007 07:24:03 -0700
From: Nate Campi <nate at campin.net>
Subject: Re: [syslog-ng] Hostname instead of FQDN in logs
To: Syslog-ng users' and developers' mailing list
<syslog-ng at lists.balabit.hu>
Message-ID: <20070907142403.GB6166 at campin.net>
Content-Type: text/plain; charset=us-ascii
On Fri, Sep 07, 2007 at 10:53:54AM +0200, Delphine D wrote:
>
> The others also return the hostname and not the FQDN (Ex : 'server2' and not 'server2.ourdomain.be') but they are using syslog instead of syslog-ng...
> That's the only difference...
Then it's because this host sends the hostname in the syslog message
(syslog-ng always has a full and complete syslog message on the wire),
but the boxes using syslogd don't actually send a hostname.
A message on your central syslog-ng server from a Linux box running
syslogd will be written to disk something like:
Sep 7 07:16:20 hostname in.qpopper[7736]: connect from 12.12.12.12
...but on the wire it looks like this:
<13>in.qpopper[7736]: connect from 12.12.12.12
...and syslog-ng has to put in the rest of the info. This means that
syslog-ng on the central box is putting in the FQDN for you.
syslog-ng on the client is putting in a full message, including the
short hostname, and the central syslog-ng is keeping it.
See http://www.campin.net/syslog-ng/syslog.html#missing_parts for more
on this.
See http://www.campin.net/syslog-ng/faq.html#hostname to figure out the
hostname options you want on your central syslog-ng server. Probably
"keep_hostname(no)", plus "use_fqdn(yes);" to get the FQDN.
HTH,
--
Nate
Like medieval peasants, computer manufacturers and millions of users
are locked in a seemingly eternal lease with their evil landlord, who
comes around every two years to collect billions of dollars of taxes
in return for mediocre services. --Mark Harris, Electronics Times
------------------------------
Message: 3
Date: Fri, 7 Sep 2007 07:26:12 -0700
From: Nate Campi <nate at campin.net>
Subject: Re: [syslog-ng] syslog-ng Digest, Vol 28, Issue 21
To: Syslog-ng users' and developers' mailing list
<syslog-ng at lists.balabit.hu>
Message-ID: <20070907142612.GC6166 at campin.net>
Content-Type: text/plain; charset=us-ascii
On Fri, Sep 07, 2007 at 05:26:02PM +0800, Wilson Lai wrote:
> Dear all,
> What happens if the log message is not a standard syslog message?
> Thanks.
If a Cisco switch sends a message like this:
2005 Aug 23 03:04:05 UTC +00:00 %PAGP-5-PORTFROMSTP:Port 4/16 left bridge port 4/16
...it'll be written to disk like this:
Aug 23 03:04:05 switch.company.com 2005 Aug 23 03:04:05 UTC +00:00 %PAGP-5-PORTFROMSTP:Port 4/16 left bridge port 4/16
syslog servers put in a proper syslog formatted header.
The behavior is documented here:
http://www.faqs.org/rfcs/rfc3164.html
It's not syslog-ng specific behavior.
--
Nate
"The IBM compatible sector has not yet recognized that 95% of computer
usage is devoted to experimenting with different fonts and character
styles in documents." - Reiner, Ron
------------------------------
Message: 4
Date: Fri, 7 Sep 2007 07:35:54 -0700
From: Nate Campi <nate at campin.net>
Subject: Re: [syslog-ng] Logs from Nauticus
To: Syslog-ng users' and developers' mailing list
<syslog-ng at lists.balabit.hu>
Message-ID: <20070907143554.GD6166 at campin.net>
Content-Type: text/plain; charset=us-ascii
On Fri, Sep 07, 2007 at 03:18:27PM +0200, Delphine D wrote:
>
> I receive the logs on the centralized logs server but without any
> information about the source of the logs (no IP, no hostname).
>
> In other words :
>
> Sep 7 14:03:29 2007 v0 AAA [0/100e8] [ERROR]: User authentication failure, user: 'test', host: 1.2.3.4, application: httpLogin, method: TACACS(serviceNotAvailable) serviceNotAvailable
>
> instead of :
>
> Sep 7 14:03:29 2007/nauticus.ourdomain.be v0 AAA [0/100e8] [ERROR]: User authentication failure, user: 'test', host: 1.2.3.4, application: httpLogin, method: TACACS(serviceNotAvailable) serviceNotAvailable
>
> Is there a parameter to change in the N2120 ?
Those aren't standard syslog messages, and it's possible that paired
with how Solaris sends a header but not a hostname, syslog-ng could be
getting confused about this. You should send your "options" part of your
syslog-ng.conf, and read http://www.campin.net/syslog-ng/syslog.html to
see if it helps you understand what the messages look like on the wire
and how syslog-ng makes its best guesses about what the fields mean.
Something similar is the reason for the "bad_hostname" option, but
that's for when program names look like hostnames. You have a header
section that looks like a hostname, but I'm not sure if you have a
keep_hostname(no) that's stripping out your hostname from that weird
header section that looks like syslog-ng's "chain_hostnames".
So send your options to the list, try setting keep_hostname(yes), or see
if you can force a normal syslog format on the client side. What they're
sending is wrong in a new way that isn't worked around in syslog-ng
(AFAIK).
--
Nate
"Reader, suppose you were an idiot. And suppose you were a member of
Congress. But I repeat myself." - Samuel Clemens
------------------------------
Message: 5
Date: Fri, 07 Sep 2007 16:47:31 +0200
From: "Delphine D" <delphined_1300 at hotmail.com>
Subject: Re: [syslog-ng] Logs from Nauticus
To: syslog-ng at lists.balabit.hu
Message-ID: <BLU106-F26C91524EFE7580500E939E1C50 at phx.gbl>
Content-Type: text/plain; charset=iso-8859-1; format=flowed
>On Fri, Sep 07, 2007 at 03:18:27PM +0200, Delphine D wrote:
> >
> > I receive the logs on the centralized logs server but without any
> > information about the source of the logs (no IP, no hostname).
> >
> > In other words :
> >
> > Sep 7 14:03:29 2007 v0 AAA [0/100e8] [ERROR]: User authentication failure, user: 'test', host: 1.2.3.4, application: httpLogin, method: TACACS(serviceNotAvailable) serviceNotAvailable
> >
> > instead of :
> >
> > Sep 7 14:03:29 2007/nauticus.ourdomain.be v0 AAA [0/100e8] [ERROR]: User authentication failure, user: 'test', host: 1.2.3.4, application: httpLogin, method: TACACS(serviceNotAvailable) serviceNotAvailable
> >
> > Is there a parameter to change in the N2120 ?
>
>Those aren't standard syslog messages, and it's possible that paired
>with how Solaris sends a header but not a hostname, syslog-ng could be
>getting confused about this. You should send your "options" part of your
>syslog-ng.conf, and read http://www.campin.net/syslog-ng/syslog.html to
>see if it helps you understand what the messages look like on the wire
>and how syslog-ng makes its best guesses about what the fields mean.
>
>Something similar is the reason for the "bad_hostname" option, but
>that's for when program names look like hostnames. You have a header
>section that looks like a hostname, but I'm not sure if you have a
>keep_hostname(no) that's stripping out your hostname from that weird
>header section that looks like syslog-ng's "chain_hostnames".
>
>So send your options to the list, try setting keep_hostname(yes), or see
>if you can force a normal syslog format on the client side. What they're
>sending is wrong in a new way that isn't worked around in syslog-ng
>(AFAIK).
Thank you Nate for your help.
Here is the syslog-ng.conf from my logs server :
options { create_dirs(yes);
          dir_perm(0705);
          dir_owner(root);
          perm(0600);
          owner(root);
          sync(0);
          check_hostname(no);
          use_fqdn(yes);
          use_dns(yes);
          dns_cache(yes);
          dns_cache_expire(604800);
          dns_cache_size(400);
          stats(60);
          keep_hostname(yes);
          chain_hostnames(yes);
        };
I'm not sure that we have the ability to change something in the Nauticus.
There is no Syslog or Syslog-ng running on it. There are no configuration
files like in "normal" servers (Linux, Solaris,...).
There is only a parameters section in the GUI, where you have to configure :
- SysLog Host --> IP of the logs server
- Syslog Port --> 514
- Filter --> defaultSyslog (by default)
- Facility --> local0, local1,.... or local7
But I don't find anything about hostname.
The strangest thing is that it was working fine a few weeks ago but it has
suddenly stopped working :-(
Thanks.
------------------------------
Message: 6
Date: Fri, 7 Sep 2007 08:59:05 -0700
From: Nate Campi <nate at campin.net>
Subject: Re: [syslog-ng] Logs from Nauticus
To: Syslog-ng users' and developers' mailing list
<syslog-ng at lists.balabit.hu>
Message-ID: <20070907155905.GF6166 at campin.net>
Content-Type: text/plain; charset=us-ascii
On Fri, Sep 07, 2007 at 04:47:31PM +0200, Delphine D wrote:
>
> Thank you Nate for your help.
>
> Here is the syslog-ng.conf from my logs server :
>
> options { create_dirs(yes);
<snip>
> chain_hostnames(yes);
> };
Try chain_hostnames(no).
No matter what, you're dealing with a bad format that's close enough to
a good one to make syslog-ng guess incorrectly. This isn't the fault of
syslog-ng, just a result of the imperfect world we live in.
> I'm not sure that we have the ability to change something in the Nauticus.
> There is no Syslog or Syslog-ng running on it. There are no configuration
> files like in "normal" servers (Linux, Solaris,...).
>
> There is only a parameters section in the GUI, where you have to configure :
>
> - SysLog Host --> IP of the logs server
> - Syslog Port --> 514
> - Filter --> defaultSyslog (by default)
> - Facility --> local0, local1,.... or local7
Any other options? Any other Filter options, specifically?
I've actually run perl-based syslog proxy code I wrote to work around
really crappy syslog formats. The bad_hostname option came as a result
of me bitching about the bad formats loudly enough and long enough. :)
ISTR that syslog-ng 2.0 now has some rewriting ability. I haven't been
paying much attention to that branch, you should probably read up on it.
Possible that it's only in the dev branch - like I said I haven't been
paying much attention.
> But I don't find anything about hostname.
>
> The strangest thing is that it was working fine a few weeks ago but it has
> suddenly stopped working :-(
Somebody changed either the syslog-ng server or your client. Maybe not
even configs, but version upgrade on the client perhaps.
--
Nate
An Emacs reference mug is what I want. It would hold ten gallons of
coffee. -- Steve VanDevender
And, no doubt, have a lid that could only be removed with an obscure
finger combination requiring both hands. (Ctrl-Alt-Meta-X
gimme-the-damn-coffee) -- William Beegle
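The three explanations above (message 2: a syslogd client sends no header, so the server names the message itself; message 3: a Cisco line with no PRI is stamped and named by the server, and the original text survives as the MSG; messages 4 and 6: the Nauticus line carries a TIMESTAMP followed by "2007", which a relay reading RFC 3164 takes as the HOSTNAME field) all come down to the same guessing rule. The block below is an added example for this digest, not code from syslog-ng or from any of the posters: it is a simplified model of that rule, with options named after the syslog-ng.conf keywords (keep_hostname, use_fqdn, chain_hostnames), so the message shapes quoted in the thread can be run side by side. The chained form follows the "2007/nauticus.ourdomain.be" line Delphine expected to see; the PRI values, the reverse-DNS names and the sample lines are constructed, not captured traffic, and the real parser has more cases than this.

```python
"""Toy model of the RFC 3164 'fill in what is missing' heuristic.

Added example for this thread, not code from syslog-ng: it reproduces the
decisions Nate describes (stamp and name a message that has no header, keep
or replace a HOSTNAME field the sender did supply, optionally chain the two)
so the message shapes in the thread can be compared side by side.  Option
names follow syslog-ng.conf, but the logic is a simplification of the real
parser, and the sample lines below are constructed, not captured traffic.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3164 header: "<PRI>" then "Mmm dd hh:mm:ss" then HOSTNAME, then the MSG.
PRI_RE = re.compile(r"^<(\d{1,3})>")
TIMESTAMP_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")


@dataclass
class Options:
    """Server-side hostname options, named after the syslog-ng.conf keywords."""
    keep_hostname: bool = True     # trust the HOSTNAME field the sender put in
    use_fqdn: bool = True          # when the server names the sender, use the FQDN
    chain_hostnames: bool = False  # write "sent-name/resolved-name" (model only)


@dataclass
class Parsed:
    facility: int
    severity: int
    timestamp: Optional[str]  # None: no TIMESTAMP on the wire, server stamps it
    sent_host: Optional[str]  # HOSTNAME field as found on the wire, if any
    host: str                 # what ends up in the HOST column on disk
    msg: str


def looks_like_hostname(token: str) -> bool:
    """A TAG is 'name[pid]:' or 'name:'; anything with ':' or '[' starts the MSG."""
    return bool(token) and ":" not in token and "[" not in token


def parse(wire: str, sender_fqdn: str, opts: Options) -> Parsed:
    """Parse one wire message; sender_fqdn is what reverse DNS gave for the peer."""
    m = PRI_RE.match(wire)
    if m:
        pri, rest = int(m.group(1)), wire[m.end():]
    else:
        pri, rest = 13, wire  # RFC 3164: no valid PRI means user.notice
    facility, severity = divmod(pri, 8)

    timestamp = sent_host = None
    ts = TIMESTAMP_RE.match(rest)
    if ts:
        timestamp, rest = ts.group("ts"), rest[ts.end():]
        token, _, tail = rest.partition(" ")
        if looks_like_hostname(token):  # this is where "2007" gets taken as a host
            sent_host, rest = token, tail

    resolved = sender_fqdn if opts.use_fqdn else sender_fqdn.split(".")[0]
    host = sent_host if (sent_host and opts.keep_hostname) else resolved
    if opts.chain_hostnames and sent_host:
        host = f"{sent_host}/{resolved}"  # the "2007/nauticus.ourdomain.be" shape
    return Parsed(facility, severity, timestamp, sent_host, host, rest)


def disk_line(p: Parsed, received_at: str) -> str:
    """The 'Mmm dd hh:mm:ss HOST MSG' line the server writes to the file."""
    return f"{p.timestamp or received_at} {p.host} {p.msg}"


# Constructed samples modelled on the lines quoted in the thread.
SYSLOGD = "<13>in.qpopper[7736]: connect from 12.12.12.12"
SYSLOG_NG = "<13>Sep  7 07:16:20 server2 in.qpopper[7736]: connect from 12.12.12.12"
NAUTICUS = ("<134>Sep  7 14:03:29 2007 v0 AAA [0/100e8] [ERROR]: User authentication "
            "failure, user: 'test', host: 1.2.3.4, application: httpLogin, "
            "method: TACACS(serviceNotAvailable) serviceNotAvailable")
CISCO = "2005 Aug 23 03:04:05 UTC +00:00 %PAGP-5-PORTFROMSTP:Port 4/16 left bridge port 4/16"

if __name__ == "__main__":
    cases = [
        ("syslogd, defaults", SYSLOGD, "server2.ourdomain.be", Options()),
        ("syslog-ng, keep_hostname(yes)", SYSLOG_NG, "server2.ourdomain.be", Options()),
        ("syslog-ng, keep_hostname(no)", SYSLOG_NG, "server2.ourdomain.be", Options(keep_hostname=False)),
        ("Nauticus, chain_hostnames(yes)", NAUTICUS, "nauticus.ourdomain.be", Options(chain_hostnames=True)),
        ("Nauticus, keep_hostname(no)", NAUTICUS, "nauticus.ourdomain.be", Options(keep_hostname=False)),
        ("Cisco, no PRI", CISCO, "switch.company.com", Options()),
    ]
    for label, wire, peer, opts in cases:
        print(f"{label:32} {disk_line(parse(wire, peer, opts), 'Sep  7 07:16:20')}")
```

Running it shows why the same server config treats the three senders differently: the syslogd line has no HOSTNAME field, so the server's own reverse-DNS result lands in the HOST column whatever keep_hostname says; the syslog-ng client's "server2" is kept with keep_hostname(yes) and replaced by the FQDN with keep_hostname(no); the Nauticus line is parsed "correctly" by the rule, which is precisely the problem, since "2007" satisfies the HOSTNAME test and the year is silently lost from the message. The practical check before changing server options is therefore to capture one message per source on the wire (tcpdump on port 514) and decide per source whether a HOSTNAME field is present at all.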
------------------------------
Message: 7
Date: Fri, 07 Sep 2007 14:39:26 -0700
From: Eli Stair <estair at ilm.com>
Subject: Re: [syslog-ng] How to "drop" a message, effectively skipping
further processing and not logging it?
To: Syslog-ng users' and developers' mailing list
<syslog-ng at lists.balabit.hu>
Message-ID: <46E1C50E.9060405 at ilm.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Geller, Sandor (IT) wrote:
> Hello,
>
> > Is there any way other than this to keep a message from being
> > sent to another
> > host or a file? If not, is there any way to tell syslog-ng
> > NOT to modify the
> > state of a file, just to send data TO it? That, or an
> > internal "drop"
> > stop-processing built-in destination would be extremely useful.
>
> Simply remove all destinations from the log section and use
> flags(final) will do the trick.
>
Don't I feel daft... I recall trying that a couple years ago, but had errors I
don't seem to have resolved before deciding to just write to /dev/null. I
must've botched the syntax and thought that you HAD to have a destination in a
log line!
Thanks for the suggestion.
Cheers,
/eli
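Sandor's suggestion, written out as a syslog-ng.conf fragment. This is an added example, not a configuration posted in the thread: the source, filter, file names and the program being dropped are placeholders, and the /dev/null variant is included only as the workaround Eli describes, for comparison.

```conf
# Added example, not from the thread. Names and paths are placeholders.
source s_net { udp(ip(0.0.0.0) port(514)); };

# Whatever you want to throw away; program() and match() are ordinary
# syslog-ng filter functions.
filter f_drop { program("in.qpopper") and match("connect from"); };

destination d_all { file("/var/log/messages"); };

# The old workaround: a real destination that happens to discard everything.
# destination d_null { file("/dev/null"); };
# log { source(s_net); filter(f_drop); destination(d_null); flags(final); };

# The drop: no destination at all, and flags(final) stops matching messages
# from reaching any log statement further down.
log { source(s_net); filter(f_drop); flags(final); };

# Must come after the drop; log statements are evaluated in order, so
# this catch-all only sees what f_drop did not match.
log { source(s_net); destination(d_all); };
```

Two things to check when adopting this: the drop statement has to precede every log statement it is meant to shadow, since flags(final) only affects statements that come later in the file, and the filter should be as specific as the thing being silenced, because a message dropped here leaves no trace anywhere, not even in a /dev/null write you could temporarily redirect.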
------------------------------
_______________________________________________
syslog-ng maillist - syslog-ng at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
End of syslog-ng Digest, Vol 29, Issue 7
****************************************