[syslog-ng] syslog-ng loses hostname information on some syslog logs sent via UDP

Geller, Sandor (IT) Sandor.Geller at morganstanley.com
Fri Jan 9 08:02:46 CET 2009 

Hi,

>         I am running syslog-ng on a HP-UX server listening on
> UDP port 514. It is receiving logs from syslogd running on
> another server. For some messages syslog-ng does not log the
> hostname information found in the UDP packet. Rather, it
> mistakes some data in UDP as the hostname information.

Traditional syslogd doesn't send hostname, as clearly visible in
the tcpdump output you sent...

>         Here is the complete information.
>
> syslog-ng 2.0.9 on HP-UX. Syslogd on node01 sends logs to
> syslog-ng on node02.
>
>         The logs in node02 are,
>
> Jan  9 11:55:11 node01 root: testing1
> Jan  9 11:55:32 above message repeats 5 times
> Jan  9 11:55:32 node01 root: testing4
>
>         Notice that hostname is missing in the second message.
>         tcpdump on UDP port 514 for the above logs
>
>
> 11:57:26.183996 00:30:6e:4b:26:37 (oui Unknown) >
> 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800),
> length 76: (tos 0x0, ttl 64, id 39220, offset 0, flags [DF],
> proto UDP (17), length 62)
>     node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum
> ok] SYSLOG, length: 34
>         Facility user (1), Severity notice (5)
>         Msg: Jan  9 11:55:11 root: testing1
>         0x0000:  3c31 333e 4a61 6e20 2039 2031 313a 3535
>         0x0010:  3a31 3120 726f 6f74 3a20 7465 7374 696e
>         0x0020:  6731
>         0x0000:  0030 6e4a 3244 0030 6e4b 2637 0800 4500
> .0nJ2D.0nK&7..E.
>         0x0010:  003e 9934 4000 4011 3c2c 10b5 a1f0 10b5
> .>.4 at .@.<,......
>         0x0020:  a1f4 e03b 0202 002a a973 3c31 333e 4a61
> ...;...*.s<13>Ja
>         0x0030:  6e20 2039 2031 313a 3535 3a31 3120 726f
> n..9.11:55:11.ro
>         0x0040:  6f74 3a20 7465 7374 696e 6731            ot:.testing1

[ cut ]

>         Is this a bug on how syslogd sends the message or is
> it a syslog-ng logging problem?

To fix either install an RFC 3164-compliant syslog daemon on
the HP boxes, or use syslog-ng's bad_hostname() option. You
can specify a regexp like "^above", so when syslog-ng parses
the log and the regexp does match then syslog-ng will skip
hostname parsing.

Regards,

Sandor
--------------------------------------------------------

NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.

More information about the syslog-ng mailing list