[syslog-ng] Syslog-NG interpreting Cisco message 'count' number as $Program

Clayton Dukes cdukes at gmail.com
Wed Oct 21 22:07:30 CEST 2009


Those are sequence numbers - you can disable them on the switch by
typing "no service sequence-numbers" in global config mode.


On Wed, Oct 21, 2009 at 4:01 PM, Patrick Smith <patrick at paypros.com> wrote:
> Hi all, wondering if anyone is familiar with this issue.  Have several Cisco
> switches logging to a syslog-ng server.  The syslog-ng server creates a new
> file for every message as it is interpreting the ‘count’ item added by the
> switch as the $program.  My configs as follows to demonstrate what I mean:
>
> Syslog-ng.conf:
>
> destination d_all {
>         file("/var/log/syslog-ng/$HOST/$PROGRAM-$YEAR-$MONTH-$DAY.log");
> };
>
> This has always worked for me before and creates logs for each host with the
> program prefixed (e.g. snmp-date…, ssl_access_log-date…)
>
> But for Cisco switches it writes a new logfile for every message, with the
> Cisco message number (i.e. log count #) prepended.  E.g., for a 6509 switch:
>
> -rw-r--r-- 1 syslog-ng wheel 165 Oct 21 11:51 1655156-2009-10-21.log
> -rw-r--r-- 1 syslog-ng wheel 168 Oct 21 11:51 1655157-2009-10-21.log
> -rw-r--r-- 1 syslog-ng wheel 147 Oct 21 11:51 1655158-2009-10-21.log
> -rw-r--r-- 1 syslog-ng wheel 150 Oct 21 11:51 1655159-2009-10-21.log
> -rw-r--r-- 1 syslog-ng wheel 154 Oct 21 11:52 1655160-2009-10-21.log
>
> * where 16551xx is the count of the log message on the switch
>
> And each of those files contains one log message, e.g.
>
> syslog-ng # cat 1655156-2009-10-21.log
> Oct 21 11:51:15 6509switch1 1655156: Oct 21 18:51:14.922: %LINK-5-CHANGED:
> Interface GigabitEthernet3/35, changed state to administratively down
>
> For reference, the logging on the switches is set as:
>
> 6509s:
> service timestamps log datetime msec
> logging buffered 20000 debugging
> logging rate-limit 1000
> log-adjacency-changes
> logging <syslog host IP>
> logging synchronous
>
> 2960s:
> service timestamps log uptime
> logging buffered 20000
> logging <syslog host IP>
> logging synchronous
>
> I’m thinking I could have a separate destination statement to properly deal
> with these but I’m wondering if there’s any other steps I can take to
> mitigate it.  I have several Cisco firewalls logging to syslog-ng and they
> do not have the same issue.
>
> Thanks for any help.



-- 
______________________________________________________________

Clayton Dukes
______________________________________________________________
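An added illustration, not part of the thread and not syslog-ng's own parser: a small Python model of why the tag position of a BSD-style syslog line becomes `$PROGRAM`, and how many files the quoted `$HOST/$PROGRAM-date` template creates with and without treating a numeric tag as a Cisco sequence number. The sample lines are constructed from the message quoted above; the function names, the `strip_sequence` switch and the choice to name the file after the IOS facility are assumptions made for the example.

```python
import re

# Constructed samples; the first two are modelled on the message quoted in the post.
SAMPLES = [
    "Oct 21 11:51:15 6509switch1 1655156: Oct 21 18:51:14.922: %LINK-5-CHANGED: "
    "Interface GigabitEthernet3/35, changed state to administratively down",
    "Oct 21 11:51:16 6509switch1 1655157: Oct 21 18:51:15.101: %LINK-5-CHANGED: "
    "Interface GigabitEthernet3/36, changed state to administratively down",
    "Oct 21 11:52:01 web1 sshd[2211]: Accepted publickey for deploy",
]

# BSD-syslog style header: timestamp, host, then a tag ended by ':' or '[pid]:'.
HEADER = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)
# Cisco IOS message body marker: %FACILITY-SEVERITY-MNEMONIC:
CISCO = re.compile(r"%(?P<facility>[A-Z0-9_]+)-[0-7]-[A-Z0-9_]+:")


def parse(line, strip_sequence=False):
    """Return (host, program, sequence, message), or None if the header does not match."""
    m = HEADER.match(line)
    if m is None:
        return None
    host, program, msg, seq = m["host"], m["tag"], m["msg"], None
    if strip_sequence and program.isdigit():
        c = CISCO.search(msg)
        if c:  # numeric tag plus IOS body: the tag is a sequence number
            seq = int(program)
            program = c["facility"].lower()  # naming choice is an assumption
    return host, program, seq, msg


def log_paths(lines, day="2009-10-21", strip_sequence=False):
    """Distinct files the $HOST/$PROGRAM-date template would create."""
    paths = set()
    for line in lines:
        parsed = parse(line, strip_sequence)
        if parsed:
            paths.add(f"/var/log/syslog-ng/{parsed[0]}/{parsed[1]}-{day}.log")
    return sorted(paths)


if __name__ == "__main__":
    print(len(log_paths(SAMPLES)), "files when the tag is used as the program")
    print(log_paths(SAMPLES, strip_sequence=True))
```

Any message field used in a destination path is controlled by the sending device, so a field that changes on every message produces one file per message until the field is removed at the source or normalised on the collector.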

