[syslog-ng] (no subject)

Ivey, Chris Chris.ivey at acs-inc.com
Wed Jun 4 15:21:24 CEST 2008


I ran into a similar issue with Netcool from syslog-ng, thinking the
microsecond portion of the message was the hostname.  What we found out is
that there is a bug in the WCs.  If you upgrade your WCs, you will see the
hostnames coming in with your syslog messages (which you don't currently
get, hence why your system is not working as expected).  Hope that helps!!

Chris Ivey

Affiliated Computer Services
Enterprise Management Integration Services
Infrastructure Management Senior Analyst

chris.ivey at acs-inc.com

"I have not failed, I have simply found 10,000 ways which do not work!" --
Thomas Edison
"When you find yourself in a hole, the best thing to do is stop digging!" --
Nick Stokes
"I reject your reality, and substitute my own!" -- Adam Savage

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of chris packham
Sent: Tuesday, June 03, 2008 4:59 PM
To: syslog-ng at lists.balabit.hu
Subject: Re: [syslog-ng] (no subject)

What version of syslog-ng does your distro use? (run syslog-ng --version
to find out)

From looking at the source code history, support for this Cisco extension
was added in v2.0.5. I haven't got a Cisco device handy so I can't
confirm that it is working but there is code to deal with the fraction
of a second scenario.

-----Original Message-----
From: Andy Kanyer <AKanyer at directs.com>
Reply-To: Syslog-ng users' and developers' mailing list
<syslog-ng at lists.balabit.hu>
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] (no subject)
Date: Tue, 3 Jun 2008 09:16:30 -0500

Hello everyone,
 
I am currently working on setting up a Debian box as a central syslog
server.
One goal of this server is to filter syslog messages into different
folders based on what server they were sent by. 
This works as expected with all devices EXCEPT for my cisco wireless
controllers.
 
When they log:
[CODE]
Jun 02 20:52:29.063 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP
identity request retries (21) exceeded for client 00:19:d2:78:ee:8f

Jun 02 20:52:09.663 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP
identity request retries (21) exceeded for client 00:13:e8:d9:9d:eb

Jun 02 20:50:49.064 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP
identity request retries (21) exceeded for client 00:19:d2:78:ee:8f
[/CODE]
 
My syslog-ng, rather than filtering these into a folder given by the
wireless controllers ip/hostname, creates folders named .063 and .064.
 
It seems like syslog-ng is reading the microsecond portion of the
timestamp as the hostname! After sniffing some other syslog messages, I
noticed that ONLY these cisco devices have timestamps that include
microseconds. 
 
Does anyone have any idea how to work around this and filter the cisco
messages by hostname? Someway to truncate the timestamp or force it to
look further to find the actual hostname?
 
Just FYI, I will post the relevant portion of my syslog-ng.conf:
 
[CODE]
# remote senders, UDP and TCP on the default port (514)
source remote_src { udp(); tcp(); };

# catch-all: one directory tree per sending host, taken from the $HOST macro
# that syslog-ng fills in from the hostname field of the received message
destination remote_syslog { 
 file(
  "/usr/local/syslog/$HOST/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.log" 
  owner(root) 
  group(root) 
  perm(0644) 
  dir_perm(0755) 
  create_dirs(yes)
 );
};
 
### added 4-16-08 all three wireless controllers destinations
### manually creating directory names
 
# fixed directory name instead of $HOST for the first wireless controller
destination wir-c-syd-3-00 {
 file(
  "/usr/local/syslog/wir-c-syd-3-00/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.log"
  owner(root)
  group(root)
  perm(0644)
  dir_perm(0755)
  create_dirs(yes)
 );
};
 
# match on the sender's IP address, not on the parsed hostname
filter wir-c-syd-3-00 { netmask(172.25.198.10/32); };
 
log {
 source(remote_src);
 filter(wir-c-syd-3-00);
 destination(wir-c-syd-3-00);
};
[/CODE]
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html


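The header parse behind the .063 and .064 folders, as an added example that is not part of this thread and not syslog-ng's own code: a small Python parser for the BSD-style syslog header. Its legacy mode reproduces the behaviour Andy describes (only hh:mm:ss is consumed, so the Cisco fraction becomes the hostname token); its default mode consumes the fractional seconds and, when the token after the timestamp does not look like a hostname, falls back to the transport peer address, which is what the netmask() filter in the posted configuration keys on anyway. The sample lines, the peer addresses, and the hostname-validity rule are constructed assumptions for the example.

```python
import re
from typing import Dict

# Constructed sample lines (assumptions, not captured from the poster's network):
# a conventional BSD line that carries a hostname, and a WLC-style line with a
# fractional-second timestamp and no hostname, shaped like the ones quoted above.
SAMPLE_PLAIN = "<13>Jun 02 20:52:29 fw-edge-01 sshd[4411]: Accepted publickey for ops"
SAMPLE_WLC = ("<187>Jun 02 20:52:29.063 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: "
              "Max EAP identity request retries (21) exceeded for client 00:19:d2:78:ee:8f")

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss ; the optional 'frac' group is the
# Cisco extension (".063").  Everything after it is left in 'rest'.
_HDR = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<mon>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"(?P<day> \d|\d{2}) (?P<hms>\d{2}:\d{2}:\d{2})"
    r"(?P<frac>\.\d{1,6})?"
    r"(?P<rest>.*)$",
    re.DOTALL,
)

# Assumed hostname rule: letters, digits, '-' and '.', starting with a letter or
# digit.  A token such as "1x_auth_pae.c:2488" (underscore, colon) is a program
# tag, not a host.  A bare program name without ':' or '[' would still pass,
# which is the same ambiguity any BSD-syslog parser has.
_HOST_OK = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")


def parse_bsd_syslog(line: str, peer_ip: str, legacy: bool = False) -> Dict[str, str]:
    """Split a BSD-style syslog line into pri / ts / host / msg.

    peer_ip is the source address of the datagram or TCP connection; it is
    used as the host when the line carries no usable hostname (the WLC case).
    legacy=True models a parser that knows only 'hh:mm:ss': the fraction is
    not consumed and the next whitespace-delimited token becomes the host.
    """
    m = _HDR.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    pri = m.group("pri") or ""
    ts = "%s %s %s" % (m.group("mon"), m.group("day"), m.group("hms"))
    frac = m.group("frac") or ""
    rest = m.group("rest")

    if legacy:
        # Pre-fix behaviour: the fraction stays in the stream, so for the WLC
        # line the "hostname" token is ".063" and the log lands in /.063/.
        rest = (frac + rest).lstrip(" ")
        token, _, tail = rest.partition(" ")
        return {"pri": pri, "ts": ts, "host": token, "msg": tail}

    # Fraction-aware: keep the milliseconds with the timestamp, then decide
    # whether the next token is really a hostname.
    ts += frac
    rest = rest.lstrip(" ")
    token, _, tail = rest.partition(" ")
    if _HOST_OK.match(token):
        host, msg = token, tail
    else:
        # No hostname in the header (the WLC bug): trust the transport peer,
        # and keep the whole remainder as the message.
        host, msg = peer_ip, rest
    return {"pri": pri, "ts": ts, "host": host, "msg": msg}


def destination_dir(rec: Dict[str, str], base: str = "/usr/local/syslog") -> str:
    """The $HOST part of the posted file() template, for illustration."""
    return "%s/%s" % (base, rec["host"])


if __name__ == "__main__":
    wlc_peer = "172.25.198.10"          # assumed controller address
    for legacy in (True, False):
        rec = parse_bsd_syslog(SAMPLE_WLC, wlc_peer, legacy=legacy)
        print("legacy=%-5s host=%-14s dir=%s" % (legacy, rec["host"], destination_dir(rec)))
    rec = parse_bsd_syslog(SAMPLE_PLAIN, "10.0.0.1")
    print("plain        host=%-14s msg=%s" % (rec["host"], rec["msg"]))
```

Running it prints a /usr/local/syslog/.063 directory for the legacy parse of the WLC line and /usr/local/syslog/172.25.198.10 for the fraction-aware one, while the plain line resolves to fw-edge-01 either way. Falling back to the peer address rather than guessing a name is the safer choice for a central collector: a sender that omits its hostname cannot then be routed into another host's directory by whatever happens to follow the timestamp.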

