[syslog-ng] Syslog-NG interpreting Cisco message 'count' number as $Program

Patrick Smith patrick at Paypros.com
Wed Oct 21 22:01:27 CEST 2009


Hi all, wondering if anyone is familiar with this issue.  Have several
Cisco switches logging to a syslog-ng server.  The syslog-ng server
creates a new file for every message as it is interpreting the 'count'
item added by the switch as the $program.  My configs as follows to
demonstrate what I mean:

 

Syslog-ng.conf:

destination d_all {
        file("/var/log/syslog-ng/$HOST/$PROGRAM-$YEAR-$MONTH-$DAY.log");
};

* This has always worked for me before and creates logs for each
host with the program prefixed (e.g. snmp-date...,
ssl_access_log-date...)

 

But for Cisco switches it writes a new logfile for every message, with
the Cisco message number (i.e. log count #) prepended.  E.g., for a 6509
switch:

 

-rw-r--r-- 1 syslog-ng wheel 165 Oct 21 11:51 1655156-2009-10-21.log
-rw-r--r-- 1 syslog-ng wheel 168 Oct 21 11:51 1655157-2009-10-21.log
-rw-r--r-- 1 syslog-ng wheel 147 Oct 21 11:51 1655158-2009-10-21.log
-rw-r--r-- 1 syslog-ng wheel 150 Oct 21 11:51 1655159-2009-10-21.log
-rw-r--r-- 1 syslog-ng wheel 154 Oct 21 11:52 1655160-2009-10-21.log

* where 16551xx is the count of the log message on the switch

 

And each of those files contains one log message, e.g.

 

syslog-ng # cat 1655156-2009-10-21.log

Oct 21 11:51:15 6509switch1 1655156: Oct 21 18:51:14.922:
%LINK-5-CHANGED: Interface GigabitEthernet3/35, changed state to
administratively down

 

For reference, the logging on the switches is set as:

6509s:

service timestamps log datetime msec
logging buffered 20000 debugging
logging rate-limit 1000
log-adjacency-changes
logging <syslog host IP>
logging synchronous

2960s:

service timestamps log uptime
logging buffered 20000
logging <syslog host IP>
logging synchronous

 

I'm thinking I could have a separate destination statement to properly
deal with these but I'm wondering if there are any other steps I can take
to mitigate it.  I have several Cisco firewalls logging to syslog-ng and
they do not have the same issue.

 

Thanks for any help.
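
Added example, not part of the original post and not syslog-ng's own parser: a Python sketch of why a tag-based parse turns the Cisco sequence number into the program name, and of keying Cisco lines by their %FACILITY so the per-message counter never reaches the file name. All function names are hypothetical, the regular expressions are an assumed model of the line format shown in the post, and only the first sample line comes from the post.

```python
import re

# Line layout as stored on the page: "Mon DD HH:MM:SS host rest"
HEADER = re.compile(r"^\w{3} [ \d]\d \d\d:\d\d:\d\d (\S+) (.*)$")
# BSD-syslog convention: the program is the leading token before ':' or '['
TAG = re.compile(r"^([^\s:\[]+)(?:\[\d+\])?: ?(.*)$")
# Cisco IOS body: "<seq>: [<device time>: ]%FACILITY-SEVERITY-MNEMONIC: text"
CISCO = re.compile(r"^\d+: (?:.*?: )?%([A-Z0-9_]+)-[A-Z0-9_-]+: ")
SAFE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# First line is the 6509 message from the post; the others are constructed.
SAMPLE = [
    "Oct 21 11:51:15 6509switch1 1655156: Oct 21 18:51:14.922: %LINK-5-CHANGED: "
    "Interface GigabitEthernet3/35, changed state to administratively down",
    "Oct 21 11:51:16 6509switch1 1655157: Oct 21 18:51:15.101: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet3/35, changed state to down",
    "Oct 21 11:52:03 2960switch1 4312: 3w2d: %LINEPROTO-5-UPDOWN: Line protocol "
    "on Interface FastEthernet0/1, changed state to up",
    "Oct 21 11:50:01 web1 sshd[2211]: Accepted publickey for deploy",
]

def naive_program(line):
    """Tag-based parse: for the Cisco lines this is the sequence number."""
    h = HEADER.match(line)
    t = TAG.match(h.group(2)) if h else None
    return t.group(1) if t else None

def safe(name):
    """Host and program are sender-controlled; keep file names predictable."""
    ok = SAFE.match(name) and name.strip(".") and not name.isdigit()
    return name if ok else "unknown"

def normalize(line):
    """Return (host, program); Cisco lines are keyed by facility, not counter."""
    h = HEADER.match(line)
    host, rest = h.groups() if h else ("", line)
    c, t = CISCO.match(rest), TAG.match(rest)
    program = "cisco-" + c.group(1).lower() if c else (t.group(1) if t else "")
    return safe(host), safe(program)

def log_path(line, date="2009-10-21"):
    host, program = normalize(line)
    return f"/var/log/syslog-ng/{host}/{program}-{date}.log"

if __name__ == "__main__":
    for line in SAMPLE:
        print(naive_program(line), "->", log_path(line))
```

A purely numeric program name that is not a recognisable Cisco line also falls back to "unknown", so a counter in that position cannot create one file per message.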

