[syslog-ng] (no subject)

Andy Kanyer AKanyer at directs.com
Tue Jun 3 16:16:30 CEST 2008


Hello everyone,
 
I am currently working on setting up a debian box as a central syslog
server.
One goal of this server is to filter syslog messages into different
folders based on what server they were sent by. 
This works as expected with all devices EXCEPT for my cisco wireless
controllers.
 
When they log:
[CODE]
Jun 02 20:52:29.063 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP
identity request retries (21) exceeded for client 00:19:d2:78:ee:8f

Jun 02 20:52:09.663 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP
identity request retries (21) exceeded for client 00:13:e8:d9:9d:eb

Jun 02 20:50:49.064 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP
identity request retries (21) exceeded for client 00:19:d2:78:ee:8f
[/CODE]
 
My syslog-ng, rather than filtering these into a folder given by the
wireless controllers ip/hostname, creates folders named .063 and .064.
 
It seems like syslog-ng is reading the microsecond portion of the
timestamp as the hostname! After sniffing some other syslog messages, I
noticed that ONLY these cisco devices have timestamps that include
microseconds. 
 
 
 
Does anyone have any idea how to work around this and filter the cisco
messages by hostname? Some way to truncate the timestamp or force it to
look further to find the actual hostname?
 
Just FYI I will post the relevant portion of my syslog-ng.conf:
 
[CODE]
source remote_src { udp(); tcp(); };
destination remote_syslog { 
 file(
  "/usr/local/syslog/$HOST/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.log" 
  owner(root) 
  group(root) 
  perm(0644) 
  dir_perm(0755) 
  create_dirs(yes)
 );
};
 
### added 4-16-08 all three wireless controllers destinations
### manually creating directory names
 
destination wir-c-syd-3-00 {
 file(
  "/usr/local/syslog/wir-c-syd-3-00/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.log"
  owner(root)
  group(root)
  perm(0644)
  dir_perm(0755)
  create_dirs(yes)
 );
};
 
filter wir-c-syd-3-00 { netmask(172.25.198.10/32); };
 
log {
 source(remote_src);
 filter(wir-c-syd-3-00);
 destination(wir-c-syd-3-00);
};
[/CODE]
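An added illustration of the parsing problem described in the post (not code from the post or from syslog-ng): a fixed-width BSD-syslog parse leaves the ".063" fraction in the HOST slot, a fraction-tolerant parse instead picks up the controller's source-file tag, and a plausibility check on the HOST field falls back to the sender address, which is the same idea as the netmask() filter above. The sample lines, the `fw01` line and the pairing with 172.25.198.10 are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed samples: one Cisco wireless-controller line from the post (no hostname
# field at all, just a fractional-second timestamp followed by a source-file tag),
# a conventional BSD-syslog line for comparison, and the sender address from the
# post's netmask() filter, paired with the Cisco line for this example.
CISCO_LINE = ("Jun 02 20:52:29.063 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: "
              "Max EAP identity request retries (21) exceeded for client 00:19:d2:78:ee:8f")
PLAIN_LINE = "Jun 02 20:52:29 fw01 kernel: link up on eth0"
SENDER_IP = "172.25.198.10"

TS_LEN = len("Jun 02 20:52:29")  # fixed-width RFC 3164 timestamp, no fractional part

def naive_split(line: str) -> Tuple[str, str]:
    """Fixed-width BSD parse: 15-char timestamp, skip blanks, next token is HOST.
    With a fractional-second timestamp the leftover '.063' becomes HOST, which is
    the behaviour the post observes (directories named .063 and .064)."""
    rest = line[TS_LEN:].lstrip()
    host, _, msg = rest.partition(" ")
    return host, msg

FRAC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d(?:\.\d+)?)\s+(?P<host>\S+)\s+(?P<msg>.*)$")

def frac_split(line: str) -> Optional[Tuple[str, str]]:
    """Same layout, but tolerates an optional .fff suffix on the seconds.
    For the Cisco line this still yields no real hostname, only '1x_auth_pae.c:2488'."""
    m = FRAC_RE.match(line)
    return (m.group("host"), m.group("msg")) if m else None

# Plausibility check for the HOST slot: an IPv4 literal or RFC 1123-style labels.
# Underscores, colons and a leading dot all fail, so '.063' and '1x_auth_pae.c:2488' are rejected.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_OK_RE = re.compile(rf"^(?:\d{{1,3}}(?:\.\d{{1,3}}){{3}}|{LABEL}(?:\.{LABEL})*)$")

def directory_key(line: str, sender_ip: str) -> str:
    """Choose the per-device directory: trust the in-message HOST only when it looks
    like a host, otherwise key on the sender address (what the netmask() filter does
    for one controller, applied generically)."""
    parsed = frac_split(line)
    if parsed and HOST_OK_RE.match(parsed[0]):
        return parsed[0]
    return sender_ip
```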