[syslog-ng] syslog-ng loses hostname information on some syslog logs sent via UDP
D S, Manu (STSD)
manu.d-s at hp.com
Fri Jan 9 07:44:31 CET 2009
Hi,
I am running syslog-ng on an HP-UX server listening on UDP port 514. It is receiving logs from syslogd running on another server. For some messages syslog-ng does not log the hostname information found in the UDP packet. Rather, it mistakes some data in the UDP packet for the hostname information.
Here is the complete information.
syslog-ng 2.0.9 on HP-UX. Syslogd on node01 sends logs to syslog-ng on node02.
The logs on node02 are:
Jan 9 11:55:11 node01 root: testing1
Jan 9 11:55:32 above message repeats 5 times
Jan 9 11:55:32 node01 root: testing4
Notice that the hostname is missing in the second message.
tcpdump on UDP port 514 for the above logs:
11:57:26.183996 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39220, offset 0, flags [DF], proto UDP (17), length 62)
node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 34
Facility user (1), Severity notice (5)
Msg: Jan 9 11:55:11 root: testing1
0x0000: 3c31 333e 4a61 6e20 2039 2031 313a 3535
0x0010: 3a31 3120 726f 6f74 3a20 7465 7374 696e
0x0020: 6731
0x0000: 0030 6e4a 3244 0030 6e4b 2637 0800 4500 .0nJ2D.0nK&7..E.
0x0010: 003e 9934 4000 4011 3c2c 10b5 a1f0 10b5 .>.4@.@.<,......
0x0020: a1f4 e03b 0202 002a a973 3c31 333e 4a61 ...;...*.s<13>Ja
0x0030: 6e20 2039 2031 313a 3535 3a31 3120 726f n..9.11:55:11.ro
0x0040: 6f74 3a20 7465 7374 696e 6731 ot:.testing1
11:57:26.185727 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 64, id 39221, offset 0, flags [DF], proto UDP (17), length 78)
node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 50
Facility user (1), Severity notice (5)
Msg: Jan 9 11:55:32 above message repeats 5 times
0x0000: 3c31 333e 4a61 6e20 2039 2031 313a 3535
0x0010: 3a33 3220 2061 626f 7665 206d 6573 7361
0x0020: 6765 2072 6570 6561 7473 2035 2074 696d
0x0030: 6573
0x0000: 0030 6e4a 3244 0030 6e4b 2637 0800 4500 .0nJ2D.0nK&7..E.
0x0010: 004e 9935 4000 4011 3c1b 10b5 a1f0 10b5 .N.5@.@.<.......
0x0020: a1f4 e03b 0202 003a b3b0 3c31 333e 4a61 ...;...:..<13>Ja
0x0030: 6e20 2039 2031 313a 3535 3a33 3220 2061 n..9.11:55:32..a
0x0040: 626f 7665 206d 6573 7361 6765 2072 6570 bove.message.rep
0x0050: 6561 7473 2035 2074 696d 6573 eats.5.times
11:57:26.186879 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39222, offset 0, flags [DF], proto UDP (17), length 62)
node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 34
Facility user (1), Severity notice (5)
Msg: Jan 9 11:55:32 root: testing4
0x0000: 3c31 333e 4a61 6e20 2039 2031 313a 3535
0x0010: 3a33 3220 726f 6f74 3a20 7465 7374 696e
0x0020: 6734
0x0000: 0030 6e4a 3244 0030 6e4b 2637 0800 4500 .0nJ2D.0nK&7..E.
0x0010: 003e 9936 4000 4011 3c2a 10b5 a1f0 10b5 .>.6@.@.<*......
0x0020: a1f4 e03b 0202 002a a86e 3c31 333e 4a61 ...;...*.n<13>Ja
0x0030: 6e20 2039 2031 313a 3535 3a33 3220 726f n..9.11:55:32.ro
0x0040: 6f74 3a20 7465 7374 696e 6734 ot:.testing4
When I change keep_hostname(yes) to keep_hostname(no) and add the chain_hostnames(yes) option, I get the following logged.
Jan 9 11:55:22 node01/node01 root: testing3
Jan 9 11:57:13 above/node01 message repeats 6 times
Jan 9 11:57:13 node01/node01 root: testing8
I would say, syslog-ng is confusing 'above' as the hostname before rewriting hostname.
The tcpdump output for these logs is:
11:59:06.362374 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39223, offset 0, flags [DF], proto UDP (17), length 62)
node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 34
Facility user (1), Severity notice (5)
Msg: Jan 9 11:55:22 root: testing3
0x0000: 3c31 333e 4a61 6e20 2039 2031 313a 3535
0x0010: 3a32 3220 726f 6f74 3a20 7465 7374 696e
0x0020: 6733
0x0000: 0030 6e4a 3244 0030 6e4b 2637 0800 4500 .0nJ2D.0nK&7..E.
0x0010: 003e 9937 4000 4011 3c29 10b5 a1f0 10b5 .>.7@.@.<)......
0x0020: a1f4 e03b 0202 002a a870 3c31 333e 4a61 ...;...*.p<13>Ja
0x0030: 6e20 2039 2031 313a 3535 3a32 3220 726f n..9.11:55:22.ro
0x0040: 6f74 3a20 7465 7374 696e 6733 ot:.testing3
11:59:06.364052 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 64, id 39224, offset 0, flags [DF], proto UDP (17), length 78)
node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 50
Facility user (1), Severity notice (5)
Msg: Jan 9 11:57:13 above message repeats 6 times
0x0000: 3c31 333e 4a61 6e20 2039 2031 313a 3537
0x0010: 3a31 3320 2061 626f 7665 206d 6573 7361
0x0020: 6765 2072 6570 6561 7473 2036 2074 696d
0x0030: 6573
0x0000: 0030 6e4a 3244 0030 6e4b 2637 0800 4500 .0nJ2D.0nK&7..E.
0x0010: 004e 9938 4000 4011 3c18 10b5 a1f0 10b5 .N.8@.@.<.......
0x0020: a1f4 e03b 0202 003a b2af 3c31 333e 4a61 ...;...:..<13>Ja
0x0030: 6e20 2039 2031 313a 3537 3a31 3320 2061 n..9.11:57:13..a
0x0040: 626f 7665 206d 6573 7361 6765 2072 6570 bove.message.rep
0x0050: 6561 7473 2036 2074 696d 6573 eats.6.times
11:59:06.364302 00:30:6e:4b:26:37 (oui Unknown) > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39225, offset 0, flags [DF], proto UDP (17), length 62)
node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum ok] SYSLOG, length: 34
Facility user (1), Severity notice (5)
Msg: Jan 9 11:57:13 root: testing8
0x0000: 3c31 333e 4a61 6e20 2039 2031 313a 3537
0x0010: 3a31 3320 726f 6f74 3a20 7465 7374 696e
0x0020: 6738
0x0000: 0030 6e4a 3244 0030 6e4b 2637 0800 4500 .0nJ2D.0nK&7..E.
0x0010: 003e 9939 4000 4011 3c27 10b5 a1f0 10b5 .>.9@.@.<'......
0x0020: a1f4 e03b 0202 002a a76a 3c31 333e 4a61 ...;...*.j<13>Ja
0x0030: 6e20 2039 2031 313a 3537 3a31 3320 726f n..9.11:57:13.ro
0x0040: 6f74 3a20 7465 7374 696e 6738 ot:.testing8
Is this a bug on how syslogd sends the message or is it a syslog-ng logging problem?
Thanks,
Manu
P.S.: Apologies for the long mail
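An added example (not code from the post or from syslog-ng) that models the RFC 3164 header heuristic behind the behaviour above: when a datagram carries no HOSTNAME field, the word after the timestamp is taken as the host unless it looks like a TAG, so "above" is swallowed while "root:" is not. The three payloads are reconstructed from the tcpdump hex in the post; the peer name node01, the parser's exact rules and the chain format are assumptions, and keep_hostname(no) is shown as the receiver-side mitigation with a mismatch check a defender can alert on.

```python
import re

# Constructed from the three datagram payloads in the tcpdump above: PRI <13>,
# BSD timestamp, then the message with no HOSTNAME field (note the double
# space before "above", exactly as the HP-UX syslogd sent it).
PAYLOADS = [
    b"<13>Jan  9 11:55:11 root: testing1",
    b"<13>Jan  9 11:55:32  above message repeats 5 times",
    b"<13>Jan  9 11:55:32 root: testing4",
]
PEER = "node01"  # reverse-resolved UDP source address of the sender (assumed)

HEADER = re.compile(rb"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) +(.*)$", re.S)


def parse_bsd(payload, peer, keep_hostname=True, chain_hostnames=False):
    """Simplified model of the RFC 3164 header heuristic (an assumption, not
    syslog-ng's actual parser): the token after TIMESTAMP is taken as HOSTNAME
    unless it looks like a TAG (contains ':' or '[')."""
    m = HEADER.match(payload)
    if not m:
        raise ValueError("not a BSD syslog datagram")
    facility, severity = divmod(int(m.group(1)), 8)
    timestamp, rest = m.group(2).decode(), m.group(3)
    first, _, remainder = rest.partition(b" ")
    if first and b":" not in first and b"[" not in first:
        parsed_host, msg = first.decode(), remainder.decode()  # 'above' lands here
    else:
        parsed_host, msg = None, rest.decode()
    if keep_hostname and parsed_host:
        host = parsed_host
    else:
        host = peer  # the UDP source address is what the receiver actually observed
        if chain_hostnames:
            host = f"{parsed_host or peer}/{peer}"
    return {"facility": facility, "severity": severity, "timestamp": timestamp,
            "host": host, "parsed_host": parsed_host, "msg": msg}


def render(rec):
    return f"{rec['timestamp']} {rec['host']} {rec['msg']}"


def host_mismatch(rec, peer):
    """Defender check: an in-message hostname that is neither the peer nor a
    name under it is spoofed, relayed, or (as here) a mis-parsed message word."""
    h = rec["parsed_host"]
    return h is not None and h != peer and not h.startswith(peer + ".")
```

Even with keep_hostname(no) the word "above" is still consumed as a hostname and disappears from the message text, so the only complete fix is on the sending side (a syslogd that emits the HOSTNAME field).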