[syslog-ng] (no subject)

chris packham chris.packham at alliedtelesis.co.nz
Tue Jun 3 22:59:27 CEST 2008


What version of syslog-ng does your distro use? (run syslog-ng --version
to find out)

From looking at the source code history, support for this Cisco extension
was added in v2.0.5. I haven't got a Cisco device handy so I can't
confirm that it is working but there is code to deal with the fraction
of a second scenario.

-----Original Message-----
From: Andy Kanyer <AKanyer at directs.com>
Reply-To: Syslog-ng users' and developers' mailing list
<syslog-ng at lists.balabit.hu>
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] (no subject)
Date: Tue, 3 Jun 2008 09:16:30 -0500

Hello everyone,
 
I am currently working on setting up a debian box as a central syslog
server.
One goal of this server is to filter syslog messages into different
folders based on what server they were sent by. 
This works as expected with all devices EXCEPT for my cisco wireless
controllers.
 
When they log:
[CODE]
Jun 02 20:52:29.063 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP
identity request retries (21) exceeded for client 00:19:d2:78:ee:8f

Jun 02 20:52:09.663 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP
identity request retries (21) exceeded for client 00:13:e8:d9:9d:eb

Jun 02 20:50:49.064 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP
identity request retries (21) exceeded for client 00:19:d2:78:ee:8f
[/CODE]
 
My syslog-ng, rather than filtering these into a folder given by the
wireless controllers ip/hostname, creates folders named .063 and .064.
 
It seems like syslog-ng is reading the microsecond portion of the
timestamp as the hostname! After sniffing some other syslog messages, I
noticed that ONLY these cisco devices have timestamps that include
microseconds.
 
Does anyone have any idea how to work around this and filter the cisco
messages by hostname? Someway to truncate the timestamp or force it to
look further to find the actual hostname?
 
Just FYI I will post the relevant portion of my syslog-ng.conf:
 
[CODE]
source remote_src { udp(); tcp(); };
destination remote_syslog { 
 file(
  "/usr/local/syslog/$HOST/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.log" 
  owner(root) 
  group(root) 
  perm(0644) 
  dir_perm(0755) 
  create_dirs(yes)
 );
};
 
### added 4-16-08 all three wireless controllers destinations
### manually creating directory names
 
destination wir-c-syd-3-00 {
 file(
  "/usr/local/syslog/wir-c-syd-3-00/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.log"
  owner(root)
  group(root)
  perm(0644)
  dir_perm(0755)
  create_dirs(yes)
 );
};
 
filter wir-c-syd-3-00 { netmask(172.25.198.10/32); };
 
log {
 source(remote_src);
 filter(wir-c-syd-3-00);
 destination(wir-c-syd-3-00);
};
[/CODE]
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
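To make the failure mode in the thread concrete, here is an added Python example (not part of the thread, and not syslog-ng's own parser). It models two timestamp parsers over the three Cisco lines quoted above plus one made-up BSD-style line: a "naive" one that stops at the seconds field, so the ".063" that follows is taken as the hostname and becomes the `$HOST` directory, and a "fixed" one that also consumes the fractional-second suffix, as the v2.0.5 code is described as doing. The hostname heuristic (first token after the timestamp is the host unless it looks like a program tag, otherwise the sender address stands in) is a simplification assumed for this example, and the year 2008 is supplied because BSD timestamps carry none. It also shows why the `netmask()` workaround in the posted config is unaffected by the misparse: that filter keys on the sender address, not on `$HOST`.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input. The three Cisco lines are the ones quoted in the
# thread; the fourth is a made-up, ordinary BSD-syslog line for comparison.
# Each tuple is (sender address as seen by the udp()/tcp() source, raw line).
SAMPLE_LINES = [
    ("172.25.198.10", "Jun 02 20:52:29.063 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: "
                      "Max EAP identity request retries (21) exceeded for client 00:19:d2:78:ee:8f"),
    ("172.25.198.10", "Jun 02 20:52:09.663 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: "
                      "Max EAP identity request retries (21) exceeded for client 00:13:e8:d9:9d:eb"),
    ("172.25.198.10", "Jun 02 20:50:49.064 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: "
                      "Max EAP identity request retries (21) exceeded for client 00:19:d2:78:ee:8f"),
    ("10.0.0.5", "Jun  3 09:16:30 fileserver sshd[1234]: Accepted publickey for andy "
                 "from 10.0.0.7 port 51122 ssh2"),
]

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# RFC 3164 timestamp ("Jun  3 09:16:30"). The naive pattern stops at the
# seconds, which is exactly where the ".063" problem starts; the fixed pattern
# also consumes the optional Cisco fractional-second suffix.
TS_NAIVE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}")
TS_FIXED = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?")


@dataclass
class Parsed:
    timestamp: str
    host: str
    rest: str


def _host_after_timestamp(sender: str, remainder: str):
    """Simplified hostname heuristic (an assumption for this example, not
    syslog-ng's exact rules): the first token after the timestamp is the host
    unless it looks like a program tag ("name:" or "name[pid]:"), in which case
    the line carried no hostname and the sender address stands in for $HOST."""
    remainder = remainder.lstrip()
    token, _, rest = remainder.partition(" ")
    if ":" in token or "[" in token:
        return sender, remainder
    return token, rest


def parse(sender: str, line: str, ts_regex: re.Pattern) -> Parsed:
    m = ts_regex.match(line)
    if not m:
        raise ValueError(f"no syslog timestamp at start of {line!r}")
    host, rest = _host_after_timestamp(sender, line[m.end():])
    return Parsed(m.group(0), host, rest)


def parse_naive(sender: str, line: str) -> Parsed:
    return parse(sender, line, TS_NAIVE)


def parse_fixed(sender: str, line: str) -> Parsed:
    return parse(sender, line, TS_FIXED)


def destination_path(host: str, timestamp: str, year: int = 2008) -> str:
    """Expand the thread's file() template. BSD timestamps carry no year, so the
    caller supplies it (2008, the year of the thread, by default)."""
    mon_name, day = timestamp.split()[:2]
    month = MONTHS[mon_name]
    return f"/usr/local/syslog/{host}/{year}/{month:02d}/{year}-{month:02d}-{int(day):02d}.log"


def netmask_filter(sender: str, cidr: str) -> bool:
    """The workaround in the posted config: netmask() matches on the sender
    address, so it is unaffected by whatever $HOST was parsed to."""
    return ipaddress.ip_address(sender) in ipaddress.ip_network(cidr, strict=False)


def route(parser) -> dict:
    """Map each sample line to the file it would land in under the given parser."""
    return {line: destination_path(p.host, p.timestamp)
            for sender, line in SAMPLE_LINES
            for p in [parser(sender, line)]}


if __name__ == "__main__":
    for sender, line in SAMPLE_LINES:
        naive, fixed = parse_naive(sender, line), parse_fixed(sender, line)
        print(f"naive host={naive.host!r:16} fixed host={fixed.host!r:16} "
              f"netmask(172.25.198.10/32)={netmask_filter(sender, '172.25.198.10/32')}")
```

Running it shows the naive parser filing the three controller lines under `/usr/local/syslog/.063/...` and `/usr/local/syslog/.064/...`, while the fixed parser files them under the sender address, and the ordinary BSD line is handled identically by both. The `netmask()` check is true for the controller lines regardless of which parser ran, which is why the per-controller filters in the posted config work even before the timestamp handling is fixed.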