[syslog-ng] Syslog-NG interpreting Cisco message 'count' number as $Program
Patrick Smith
patrick at Paypros.com
Wed Oct 21 22:01:27 CEST 2009
Hi all, wondering if anyone is familiar with this issue. Have several
Cisco switches logging to a syslog-ng server. The syslog-ng server
creates a new file for every message as it is interpreting the 'count'
item added by the switch as the $program. My configs as follows to
demonstrate what I mean:
Syslog-ng.conf:

    destination d_all {
        file("/var/log/syslog-ng/$HOST/$PROGRAM-$YEAR-$MONTH-$DAY.log");
    };

* This has always worked for me before and creates logs for each
host with the program prefixed (e.g. snmp-date...,
ssl_access_log-date...)
But for Cisco switches it writes a new logfile for every message, with
the Cisco message number (i.e. log count #) prepended. E.g., for a 6509
switch:
-rw-r--r-- 1 syslog-ng wheel 165 Oct 21 11:51 1655156-2009-10-21.log
-rw-r--r-- 1 syslog-ng wheel 168 Oct 21 11:51 1655157-2009-10-21.log
-rw-r--r-- 1 syslog-ng wheel 147 Oct 21 11:51 1655158-2009-10-21.log
-rw-r--r-- 1 syslog-ng wheel 150 Oct 21 11:51 1655159-2009-10-21.log
-rw-r--r-- 1 syslog-ng wheel 154 Oct 21 11:52 1655160-2009-10-21.log
* where 16551xx is the count of the log message on the switch
And each of those files contains one log message, e.g.
syslog-ng # cat 1655156-2009-10-21.log
Oct 21 11:51:15 6509switch1 1655156: Oct 21 18:51:14.922:
%LINK-5-CHANGED: Interface GigabitEthernet3/35, changed state to
administratively down
For reference, the logging on the switches is set as:
6509s:
service timestamps log datetime msec
logging buffered 20000 debugging
logging rate-limit 1000
log-adjacency-changes
logging <syslog host IP>
logging synchronous
2960s:
service timestamps log uptime
logging buffered 20000
logging <syslog host IP>
logging synchronous
I'm thinking I could have a separate destination statement to properly
deal with these, but I'm wondering if there are any other steps I can take
to mitigate it. I have several Cisco firewalls logging to syslog-ng and
they do not have the same issue.
Thanks for any help.
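
Added example, not part of the original post and not syslog-ng's own code: a Python sketch of why the switch's message counter ends up in the program field, and one way to normalize such lines before the program name is used in a file path. The header regex is a simplified stand-in for BSD-syslog parsing, and the "cisco" label and all function names are assumptions made for this example.

```python
import re

# Constructed input: the 6509 message quoted in the post, joined onto one line.
SAMPLE = ("Oct 21 11:51:15 6509switch1 1655156: Oct 21 18:51:14.922: "
          "%LINK-5-CHANGED: Interface GigabitEthernet3/35, changed state to "
          "administratively down")

# BSD-syslog style header: timestamp, host, then a tag ending at ':' or '['.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
# Cisco IOS body: optional timestamp/uptime, then %FACILITY-SEVERITY-MNEMONIC.
CISCO = re.compile(
    r"^(?:.*?: )?%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])"
    r"-(?P<mnemonic>[A-Z0-9_]+): ")


def safe_component(value, fallback="unknown"):
    """Keep a network-supplied field usable as a single path component."""
    cleaned = re.sub(r"[^A-Za-z0-9_.-]", "_", value).lstrip(".")
    return cleaned or fallback


def normalize(line, cisco_program="cisco"):
    """Parse one line; replace a numeric Cisco counter tag with a fixed name.

    cisco_program is a hypothetical label chosen for this example.
    """
    m = HEADER.match(line)
    if m is None:
        return None
    rec = {"host": m["host"], "program": m["tag"], "seq": None, "msg": m["msg"]}
    body = CISCO.match(m["msg"])
    if m["tag"].isdigit() and body:
        # The tag is the switch's message counter, not a program name.
        rec.update(program=cisco_program, seq=int(m["tag"]),
                   mnemonic="%{facility}-{severity}-{mnemonic}".format(
                       **body.groupdict()))
    return rec


def log_path(rec, date, root="/var/log/syslog-ng"):
    """Build the path the post's d_all template would produce, sanitized."""
    return "{}/{}/{}-{}.log".format(
        root, safe_component(rec["host"]), safe_component(rec["program"]), date)


if __name__ == "__main__":
    rec = normalize(SAMPLE)
    print(rec["seq"], rec["mnemonic"], log_path(rec, "2009-10-21"))
```

With the counter moved out of the program field, every message from the switch lands in one file per host and day instead of one file per message.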