[syslog-ng] Syslog-NG interpreting Cisco message 'count' number as $Program

Patrick Smith patrick at Paypros.com
Wed Oct 21 23:06:05 CEST 2009


Thought that might be it but doesn't seem to be.  The sequence number is not present in the logs sent to the console or the buffer and not present when I open the files that are created on the syslog-ng side.  They are only present in the filename that gets created for logs coming from the Cisco switches.

I tried the 'no service sequence-numbers' on one of the access switches to be sure and did a shut/no shut on an unused port.  Still logged the same way on the syslog-ng server.

Patrick Smith | Systems Administrator | Payment Processing, Inc.
604.609.0619 x7023 ofc | 604.609.0619 fx
www.paypros.com

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Clayton Dukes
Sent: Wednesday, October 21, 2009 1:08 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-NG interpreting Cisco message 'count' number as $Program

Those are sequence numbers - you can disable them on the switch by
typing "no service sequence-numbers" in global config mode.


On Wed, Oct 21, 2009 at 4:01 PM, Patrick Smith <patrick at paypros.com> wrote:
> Hi all, wondering if anyone is familiar with this issue.  Have several Cisco
> switches logging to a syslog-ng server.  The syslog-ng server creates a new
> file for every message as it is interpreting the 'count' item added by the
> switch as the $program.  My configs as follows to demonstrate what I mean:
>
> Syslog-ng.conf:
>
> destination d_all {
>         file("/var/log/syslog-ng/$HOST/$PROGRAM-$YEAR-$MONTH-$DAY.log");
> };
>
> This has always worked for me before and creates logs for each host with the
> program prefixed (e.g. snmp-date..., ssl_access_log-date...)
>
> But for Cisco switches it writes a new logfile for every message, with the
> Cisco message number (i.e. log count #) prepended.  E.g., for a 6509 switch:
>
> -rw-r--r-- 1 syslog-ng wheel 165 Oct 21 11:51 1655156-2009-10-21.log
> -rw-r--r-- 1 syslog-ng wheel 168 Oct 21 11:51 1655157-2009-10-21.log
> -rw-r--r-- 1 syslog-ng wheel 147 Oct 21 11:51 1655158-2009-10-21.log
> -rw-r--r-- 1 syslog-ng wheel 150 Oct 21 11:51 1655159-2009-10-21.log
> -rw-r--r-- 1 syslog-ng wheel 154 Oct 21 11:52 1655160-2009-10-21.log
>
> * where 16551xx is the count of the log message on the switch
>
> And each of those files contains one log message, e.g.
>
> syslog-ng # cat 1655156-2009-10-21.log
> Oct 21 11:51:15 6509switch1 1655156: Oct 21 18:51:14.922: %LINK-5-CHANGED:
> Interface GigabitEthernet3/35, changed state to administratively down
>
> For reference the logging on the switches are set as:
>
> 6509s:
> service timestamps log datetime msec
> logging buffered 20000 debugging
> logging rate-limit 1000
> log-adjacency-changes
> logging <syslog host IP>
> logging synchronous
>
> 2960s:
> service timestamps log uptime
> logging buffered 20000
> logging <syslog host IP>
> logging synchronous
>
> I'm thinking I could have a separate destination statement to properly deal
> with these but I'm wondering if there's any other steps I can take to
> mitigate it.  I have several Cisco firewalls logging to syslog-ng and they
> do not have the same issue.
>
> Thanks for any help.
>
> IMPORTANT NOTICE
>
> THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are
> proprietary and confidential information intended only for the use of the
> recipient(s) named above. If you are not the intended recipient, you may not
> print, distribute, or copy this message or any attachments. If you have
> received this communication in error, please notify the sender by return
> e-mail and delete this message and any attachments from your computer. Learn
> more about Payment Processing's services at www.paypros.com.
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
>



-- 
______________________________________________________________

Clayton Dukes
______________________________________________________________
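Added example, not part of the original thread and not syslog-ng's own code: a simplified Python model of legacy BSD-syslog parsing, in which the token before the first colon becomes the program name, showing why the Cisco counter produces one file per message and how mapping a purely numeric tag to the `%FACILITY-SEVERITY-MNEMONIC` facility keeps the file count bounded. The function names, the `cisco-` prefix and all sample lines except the first (the one quoted in the thread) are assumptions made for the illustration.

```python
import re

ROOT = "/var/log/syslog-ng"

# Simplified model of legacy BSD-syslog parsing (not syslog-ng's parser):
# after timestamp and host, the token before ':' or '[' becomes the program.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)
# Cisco IOS message code, e.g. %LINK-5-CHANGED: (facility-severity-mnemonic).
CISCO_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-[0-7]-[A-Z0-9_]+:")

# First line is the one quoted in the thread; the others are constructed.
SAMPLE = [
    "Oct 21 11:51:15 6509switch1 1655156: Oct 21 18:51:14.922: %LINK-5-CHANGED: "
    "Interface GigabitEthernet3/35, changed state to administratively down",
    "Oct 21 11:51:15 6509switch1 1655157: Oct 21 18:51:14.930: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet3/35, changed state to down",
    "Oct 21 11:52:01 6509switch1 1655160: Oct 21 18:52:00.102: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface GigabitEthernet3/35, changed state to down",
    "Oct 21 11:50:02 web1 sshd[4211]: Accepted publickey for deploy from 192.0.2.10",
]

def parse(line):
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not a BSD-syslog line: {line!r}")
    return m.groupdict()

def stable_program(fields):
    """Program name that stays constant across messages from one source."""
    tag = fields["tag"]
    if tag.isdigit():  # per-message counter, not a program name
        m = CISCO_RE.search(fields["msg"])
        return "cisco-" + m.group("fac").lower() if m else "cisco"
    return re.sub(r"[^A-Za-z0-9_.-]", "_", tag)  # tag ends up in a file name

def naive_path(fields, day):
    # Mirrors $HOST/$PROGRAM-$YEAR-$MONTH-$DAY.log with the raw tag.
    return f"{ROOT}/{fields['host']}/{fields['tag']}-{day}.log"

def fixed_path(fields, day):
    return f"{ROOT}/{fields['host']}/{stable_program(fields)}-{day}.log"

def distinct_files(lines, path_fn, day="2009-10-21"):
    return sorted({path_fn(parse(line), day) for line in lines})

if __name__ == "__main__":
    print(len(distinct_files(SAMPLE, naive_path)), "files with the raw tag")
    for path in distinct_files(SAMPLE, fixed_path):
        print(path)
```

With the raw tag, the number of files grows with the number of switch messages; with the normalized name it is bounded by the number of distinct Cisco facilities per host.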