[syslog-ng] syslog-ng loses hostname information on some syslog logs sent via UDP
Balazs Scheidler
bazsi at balabit.hu
Fri Jan 9 19:04:14 CET 2009
On Fri, 2009-01-09 at 07:02 +0000, Geller, Sandor (IT) wrote:
> Hi,
>
> > I am running syslog-ng on a HP-UX server listening on
> > UDP port 514. It is receiving logs from syslogd running on
> > another server. For some messages syslog-ng does not log the
> > hostname information found in the UDP packet. Rather, it
> > mistakes some data in UDP as the hostname information.
>
> Traditional syslogd doesn't send hostname, as clearly visible in
> the tcpdump output you sent...
>
> > Here is the complete information.
> >
> > syslog-ng 2.0.9 on HP-UX. Syslogd on node01 sends logs to
> > syslog-ng on node02.
> >
> > The logs in node02 are,
> >
> > Jan 9 11:55:11 node01 root: testing1
> > Jan 9 11:55:32 above message repeats 5 times
> > Jan 9 11:55:32 node01 root: testing4
> >
> > Notice that hostname is missing in the second message.
> > tcpdump on UDP port 514 for the above logs
> >
> >
> > 11:57:26.183996 00:30:6e:4b:26:37 (oui Unknown) >
> > 00:30:6e:4a:32:44 (oui Unknown), ethertype IPv4 (0x0800),
> > length 76: (tos 0x0, ttl 64, id 39220, offset 0, flags [DF],
> > proto UDP (17), length 62)
> > node01.xxx.com.57403 > node02.xxx.com.syslog: [udp sum
> > ok] SYSLOG, length: 34
> > Facility user (1), Severity notice (5)
> > Msg: Jan 9 11:55:11 root: testing1
> > 0x0000: 3c31 333e 4a61 6e20 2039 2031 313a 3535
> > 0x0010: 3a31 3120 726f 6f74 3a20 7465 7374 696e
> > 0x0020: 6731
> > 0x0000: 0030 6e4a 3244 0030 6e4b 2637 0800 4500
> > .0nJ2D.0nK&7..E.
> > 0x0010: 003e 9934 4000 4011 3c2c 10b5 a1f0 10b5
> > .>.4@.@.<,......
> > 0x0020: a1f4 e03b 0202 002a a973 3c31 333e 4a61
> > ...;...*.s<13>Ja
> > 0x0030: 6e20 2039 2031 313a 3535 3a31 3120 726f
> > n..9.11:55:11.ro
> > 0x0040: 6f74 3a20 7465 7374 696e 6731 ot:.testing1
>
> [ cut ]
>
> > Is this a bug on how syslogd sends the message or is
> > it a syslog-ng logging problem?
>
> To fix either install an RFC 3164-compliant syslog daemon on
> the HP boxes, or use syslog-ng's bad_hostname() option. You
> can specify a regexp like "^above", so when syslog-ng parses
> the log and the regexp does match then syslog-ng will skip
> hostname parsing.
The bigger problem is that _some_ syslogds send hostname, others don't.
And this can happen on the _same_ listener.
bad_hostnames() is one option, but this could probably also be resolved
using the rewrite features of syslog-ng 3.0.
--
Bazsi
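To make the ambiguity in this thread concrete, here is an added example (not syslog-ng code, and not part of the original post) that parses RFC 3164 messages the way the thread describes: after PRI and TIMESTAMP, the next token is taken as HOSTNAME unless it looks like a TAG (contains ':' or '[') or matches a bad_hostname pattern; when no hostname is found, the receiver falls back to the name resolved for the sending address, which is why node02's log shows "node01" although the packets carried no hostname. The `sender` argument, the string form of `bad_hostname` and the tag heuristic are assumptions made for this example; the sample packets are constructed from the tcpdump output above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# PRI is "<N>" with N = facility * 8 + severity (RFC 3164 section 4.1.1).
PRI_RE = re.compile(r"^<(\d{1,3})>")
# TIMESTAMP is "Mmm dd hh:mm:ss" with a space-padded day, followed by one space
# (RFC 3164 section 4.1.2); the hex dump above shows "Jan  9 11:55:11".
TIMESTAMP_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    hostname: str       # hostname as finally recorded (from the packet or from the sender)
    from_packet: bool   # True when the hostname was taken from the packet itself
    msg: str            # everything after the (possibly absent) hostname field


def parse_rfc3164(raw: str, sender: str, bad_hostname: Optional[str] = None) -> SyslogMessage:
    """Parse one RFC 3164 datagram.

    sender is the name the receiver resolved for the source address (assumption:
    passed in by the caller). bad_hostname is a regexp; a hostname candidate
    matching it is not treated as a hostname, mirroring the option discussed above.
    """
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing PRI field")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    rest = raw[m.end():]

    t = TIMESTAMP_RE.match(rest)
    if not t:
        raise ValueError("missing or malformed TIMESTAMP")
    timestamp = t.group(1)
    rest = rest[t.end():]

    # The next whitespace-delimited token is HOSTNAME per RFC 3164, but a
    # traditional syslogd omits it, so the token may really be the TAG
    # ("root:") or, as in the thread, the first word of a free-form message.
    token, _, remainder = rest.partition(" ")
    looks_like_tag = ":" in token or "[" in token            # heuristic, not RFC text
    blacklisted = bad_hostname is not None and re.search(bad_hostname, token) is not None

    if token and not looks_like_tag and not blacklisted:
        hostname, from_packet, msg = token, True, remainder
    else:
        hostname, from_packet, msg = sender, False, rest

    return SyslogMessage(pri // 8, pri % 8, timestamp, hostname, from_packet, msg)


def format_line(m: SyslogMessage) -> str:
    """Render the message as a classic flat-file log line."""
    return f"{m.timestamp} {m.hostname} {m.msg}"


def demo():
    """Run the three packets from the thread with and without bad_hostname."""
    sender = "node01"  # constructed: name resolved for the sending address
    packets = [        # constructed from the tcpdump hex in the thread
        "<13>Jan  9 11:55:11 root: testing1",
        "<13>Jan  9 11:55:32 above message repeats 5 times",
        "<13>Jan  9 11:55:32 node01 root: testing4",
    ]
    plain = [parse_rfc3164(p, sender) for p in packets]
    fixed = [parse_rfc3164(p, sender, r"^above") for p in packets]
    return ([(m.hostname, m.from_packet, m.msg) for m in plain],
            [(m.hostname, m.from_packet, m.msg) for m in fixed])


if __name__ == "__main__":
    plain, fixed = demo()
    for before, after in zip(plain, fixed):
        print("default:     ", before)
        print("bad_hostname:", after)
```

Note that for the second packet the flat log line reads identically either way ("above" is printed whether it was parsed as the host or as the first word of the message); the difference only shows in the separated fields, which is what matters when the hostname is used as a filter key or in a destination template. The `from_packet` flag also records that, over plain UDP, a hostname taken from the packet is whatever the sender claimed, while the sender-derived name comes from the receiver's own resolution.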