[syslog-ng] Specific log messages have wrong hostname

Christopher Jon Caldwell caldwell at gwu.edu
Fri Mar 12 19:02:30 CET 2010


All of the syslog messages sent by our Solaris servers that contain output from the service processor are getting the wrong hostname assigned to them - the log messages get filed under the hostname of the receiving syslog-ng server. They all share the same process name "SC Alert". The packets look correctly formed so I am assuming it is the space in the process name. Any way to fix this without dropping the messages completely using something like bad_hostname? We are running 2.1.11a Enterprise Edition.

Here is the relevant part of my syslog-ng.conf:

options {
    sync (0);
    create_dirs (yes);
    keep_hostname (yes);
    check_hostname (yes);
    chain_hostnames (no);
    bad_hostname ("\t");
    normalize_hostnames (yes);
    mark_freq (10);
    };

source src_net {
    udp(port(514));
    };

destination d_hosts {
    file("/var/log/systems/$HOST_FROM/$FACILITY/$YEAR/$MONTH/$FACILITY\-$YEAR$MONTH$DAY" perm(0644) dir_perm(0755) create_dirs(yes));
    };

...

log { source(src_net); destination(d_hosts); destination(d_splunk); flags(fallback); };

And here is an example packet from snoop.

ETHER:  ----- Ether Header -----
ETHER:  
ETHER:  Packet 36 arrived at 12:09:18.28026
ETHER:  Packet size = 169 bytes
ETHER:  Destination = 0:3:ba:71:22:65, 
ETHER:  Source      = 0:21:28:4:ec:b7, 
ETHER:  Ethertype = 0800 (IP)
ETHER:  
IP:   ----- IP Header -----
IP:   
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:         .... ..0. = not ECN capable transport
IP:         .... ...0 = no ECN congestion experienced
IP:   Total length = 155 bytes
IP:   Identification = 25576
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 255 seconds/hops
IP:   Protocol = 17 (UDP)
IP:   Header checksum = f267
IP:   Source address = 10.244.236.183, vienna
IP:   Destination address = 10.241.34.101, auctor.backup.es.gwu.edu
IP:   No options
IP:   
UDP:  ----- UDP Header -----
UDP:  
UDP:  Source port = 32832
UDP:  Destination port = 514 (SYSLOG)
UDP:  Length = 135 
UDP:  Checksum = F5D8 
UDP:  
SYSLOG:  ----- SYSLOG:   -----
SYSLOG:  
SYSLOG:  Priority: <29> (daemon.notice)
SYSLOG:  "<29>Mar 12 12:09:18 SC Alert: [ID 362536 daemon.notice] Audi"
SYSLOG:  



--
Christopher Caldwell

Senior Engineer, Technology Operations and Engineering
The George Washington University
caldwell @ gwu . edu | +1 202.994.4674 (w) | +1 202.409.0878 (c)
PGP key ID: 0x0A0EC46C

"Quis custodiet ipsos custodes?" - Juvenal
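To make the hostname question above concrete, here is a small BSD-syslog (RFC 3164 style) tokenizer that shows what happens when a line carries no hostname field and the program name contains a space, as in the `SC Alert` packet from the snoop dump. This is an added example written for this page; it is not syslog-ng's parser and not code from the poster. The valid-hostname character class, the "token ending in a colon is a program, not a host" rule, the fallback to the sender's address and the `bad_hostname`-style regexp are assumptions modelled on what the `check_hostname` and `bad_hostname` options are documented to mean, not a statement of how the 2.1.11a parser is implemented. The sample lines other than the `SC Alert` one are constructed.

```python
"""Model of BSD-syslog hostname detection (added example, not syslog-ng code).

Shows why a message with no hostname field whose program name contains a
space can have its first word taken as the hostname, and how a
bad_hostname-style regexp changes the outcome.
"""
import re

# Constructed samples. The first is the line from the snoop dump in the post
# (its truncated last word completed to "Audit" only for readability).
SAMPLE_SC_ALERT = "<29>Mar 12 12:09:18 SC Alert: [ID 362536 daemon.notice] Audit"
SAMPLE_WITH_HOST = "<30>Mar 12 12:09:18 vienna sshd[1234]: Accepted publickey for alice"
SAMPLE_NO_HOST = "<30>Mar 12 12:09:18 sshd[1234]: Accepted publickey for alice"

# <PRI>, then "Mmm dd hh:mm:ss", then the rest of the line.
_PRI_TS = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$")
# Assumed check_hostname character set: letters, digits, dot, underscore, dash.
_VALID_HOST = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_bsd_syslog(line, sender, bad_hostname=None):
    """Split a BSD syslog line into its parts.

    sender       -- hostname resolved from the UDP source address (assumed
                    fallback when the line yields no usable hostname)
    bad_hostname -- optional regexp; a token matching it is never accepted
                    as a hostname (models the bad_hostname option)
    Returns a dict with pri, facility, severity, timestamp, host, program, msg.
    """
    m = _PRI_TS.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    pri, ts, rest = int(m.group(1)), m.group(2), m.group(3)

    # The token after the timestamp is a hostname candidate.
    token, _, remainder = rest.partition(" ")
    looks_like_program = token.endswith(":") or "[" in token
    is_bad = bad_hostname is not None and re.search(bad_hostname, token) is not None

    if looks_like_program or is_bad or not _VALID_HOST.match(token):
        # No hostname on the wire: attribute the message to the sending host.
        host, msg = sender, rest
    else:
        # First word accepted as hostname, which is what bites "SC Alert".
        host, msg = token, remainder

    # Program name: text before the first ':' with any "[pid]" stripped.
    program = msg.split(":", 1)[0].split("[", 1)[0]
    return {
        "pri": pri,
        "facility": pri >> 3,   # 29 >> 3 == 3 == daemon
        "severity": pri & 7,    # 29 & 7 == 5 == notice
        "timestamp": ts,
        "host": host,
        "program": program,
        "msg": msg,
    }


if __name__ == "__main__":
    for label, kwargs in (("default", {}), ("bad_hostname=^SC$", {"bad_hostname": r"^SC$"})):
        r = parse_bsd_syslog(SAMPLE_SC_ALERT, "vienna", **kwargs)
        print("%-18s host=%-7s program=%r" % (label, r["host"], r["program"]))
```

With the default rules the first word `SC` satisfies the hostname character check and is taken as the host, leaving `Alert` as the program; a `bad_hostname` pattern that matches that token makes the parser fall back to the sender's address and keeps `SC Alert` whole as the program name. This is the kind of check worth confirming against a packet capture before attributing the symptom to the space in the process name alone, since the snoop dump shows the line has no hostname field at all.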


