[syslog-ng] Specific log messages have wrong hostname
Christopher Jon Caldwell
caldwell at gwu.edu
Fri Mar 12 19:02:30 CET 2010
All of the syslog messages sent by our Solaris servers that contain output from the service processor are getting the wrong hostname assigned to them - the log messages get filed under the hostname of the receiving syslog-ng server. They all share the same process name "SC Alert". The packets look correctly formed so I am assuming it is the space in the process name. Any way to fix this without dropping the messages completely using something like bad_hostname? We are running 2.1.11a Enterprise Edition.
Here is the relevant part of my syslog-ng.conf:
options {
    sync (0);
    create_dirs (yes);
    keep_hostname (yes);
    check_hostname (yes);
    chain_hostnames (no);
    bad_hostname ("\t");
    normalize_hostnames (yes);
    mark_freq (10);
};

source src_net {
    udp(port(514));
};

destination d_hosts {
    file("/var/log/systems/$HOST_FROM/$FACILITY/$YEAR/$MONTH/$FACILITY\-$YEAR$MONTH$DAY" perm(0644) dir_perm(0755) create_dirs(yes));
...

log { source(src_net); destination(d_hosts); destination(d_splunk); flags(fallback); };
And here is an example packet from snoop.
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 36 arrived at 12:09:18.28026
ETHER: Packet size = 169 bytes
ETHER: Destination = 0:3:ba:71:22:65,
ETHER: Source = 0:21:28:4:ec:b7,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced
IP: Total length = 155 bytes
IP: Identification = 25576
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = f267
IP: Source address = 10.244.236.183, vienna
IP: Destination address = 10.241.34.101, auctor.backup.es.gwu.edu
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 32832
UDP: Destination port = 514 (SYSLOG)
UDP: Length = 135
UDP: Checksum = F5D8
UDP:
SYSLOG: ----- SYSLOG: -----
SYSLOG:
SYSLOG: Priority: <29> (daemon.notice)
SYSLOG: "<29>Mar 12 12:09:18 SC Alert: [ID 362536 daemon.notice] Audi"
SYSLOG:
--
Christopher Caldwell
Senior Engineer, Technology Operations and Engineering
The George Washington University
caldwell @ gwu . edu | +1 202.994.4674 (w) | +1 202.409.0878 (c)
PGP key ID: 0x0A0EC46C
"Quis custodiet ipsos custodes?" - Juvenal
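The datagram in the snoop output carries no hostname between the timestamp and "SC Alert:", so a receiver applying the RFC 3164 header heuristic (the word after the timestamp is HOSTNAME, then TAG: CONTENT) takes "SC" as the host and "Alert" as the program. The toy parser below, added to this thread as an illustration and not taken from the post or from syslog-ng, reproduces that misparse on constructed sample lines, shows the difference between trusting the header hostname and attributing the message to the transport peer (modelled on keep_hostname(yes)/keep_hostname(no)), and applies a check_hostname-style validator so that a sender-chosen header token such as "../../etc" can never become a path component in a $HOST-keyed file template. The peer address is the UDP source from the capture above; the sample payloads, the HOSTNAME_RE approximation and the Parsed/parse_bsd/storage_dir names are assumptions of this example.

```python
"""Toy RFC 3164 (BSD syslog) header parser.

Shows why a datagram that omits the HOSTNAME field, like the Solaris
"SC Alert:" lines in the post, is attributed to the wrong host, and why
a collector should key storage on the transport peer rather than on the
sender-controlled header.  Added example, not syslog-ng code; it only
approximates the RFC 3164 heuristic and a check_hostname-style validator.
"""
import re
from dataclasses import dataclass

# <PRI>Mmm dd hh:mm:ss, then everything else.
PRI_TS_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$",
    re.DOTALL,
)
# TAG = program name, optional [pid], then ':'.
TAG_RE = re.compile(r"^(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$", re.DOTALL)
# Assumed approximation of what a check_hostname-style validator accepts.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")

FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                  5: "syslog", 6: "lpr", 7: "news"}

PEER = "10.244.236.183"  # UDP source address from the snoop capture above

# Constructed sample datagrams (not real log data).
SAMPLES = [
    # Hostname present, tag with pid: parses as intended.
    "<29>Mar 12 12:09:18 vienna sshd[1234]: Accepted publickey for ops",
    # Hostname omitted and a space inside the tag: the shape of the SC Alert line.
    "<29>Mar 12 12:09:18 SC Alert: [ID 362536 daemon.notice] Audit event",
    # Hostile sender picks the hostname field to steer the output path.
    "<29>Mar 12 12:09:18 ../../etc cron[7]: owned",
]


@dataclass
class Parsed:
    facility: int
    severity: int
    timestamp: str
    host: str         # host the message is attributed to
    header_host: str  # what the header heuristic took as HOSTNAME ("" if rejected)
    program: str
    message: str


def parse_bsd(payload: str, peer: str, keep_header_host: bool) -> Parsed:
    """Parse one datagram; keep_header_host mimics keep_hostname(yes/no)."""
    m = PRI_TS_RE.match(payload)
    if m is None:
        raise ValueError("not an RFC 3164 datagram")
    pri = int(m.group("pri"))
    # RFC 3164: the word after the timestamp is HOSTNAME.  Nothing on the
    # wire delimits it, so when a sender omits the field the first word of
    # the tag ("SC") is taken as the host and "Alert" becomes the program.
    header_host, _, tail = m.group("rest").partition(" ")
    if not HOSTNAME_RE.match(header_host):
        # Junk or a path-injection attempt: treat as "no hostname field".
        header_host, tail = "", m.group("rest")
    t = TAG_RE.match(tail)
    program, message = (t.group("prog"), t.group("msg")) if t else ("", tail)
    host = header_host if keep_header_host and header_host else peer
    return Parsed(pri // 8, pri % 8, m.group("ts"), host, header_host, program, message)


def storage_dir(p: Parsed, root: str = "/var/log/systems") -> str:
    """Directory a $HOST/$FACILITY style template would file the message under."""
    if not HOSTNAME_RE.match(p.host):  # never let a header token become a path
        raise ValueError(f"refusing to build a path from {p.host!r}")
    return f"{root}/{p.host}/{FACILITY_NAMES.get(p.facility, str(p.facility))}"


if __name__ == "__main__":
    for s in SAMPLES:
        for keep in (True, False):
            p = parse_bsd(s, PEER, keep)
            print(f"keep_header_host={keep!s:5} host={p.host:16} program={p.program:6} -> {storage_dir(p)}")
```

Running it shows the SC Alert line filed under a host called "SC" when the header is trusted and under the peer address when it is not; the third sample is rejected by the validator in both modes. On a real collector the equivalent choice is whether the file template keys on the hostname carried in the message or on the address the datagram actually came from, and since UDP syslog is unauthenticated the header value should never be the only thing deciding where a message is written.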