[syslog-ng] Wrong hostname on syslog-messages.

Christopher Jon Caldwell caldwell at gwu.edu
Fri Mar 12 21:19:15 CET 2010


All of the syslog messages sent by our Solaris servers that contain output from the service processor are getting the wrong hostname assigned to them - the log messages get filed under the hostname of the receiving syslog-ng server. Our second syslog-ng server is correctly identifying the hostname with the same configuration. We are running 2.1.11a Enterprise Edition.

Here is the relevant part of my syslog-ng.conf:

options { 
   sync (0);
   create_dirs (yes);
   keep_hostname (no);
   check_hostname (yes);
   chain_hostnames (no);
   bad_hostname ("\t");
   normalize_hostnames (yes);
   mark_freq (10);
   };

source src_net {
   udp(port(514));
   };

destination d_hosts { 
   file("/var/log/systems/$HOST_FROM/$FACILITY/$YEAR/$MONTH/$FACILITY\-$YEAR$MONTH$DAY" perm(0644) dir_perm(0755) create_dirs(yes));

...

log { source(src_net); destination(d_hosts); destination(d_splunk); flags(fallback); };

And here is an example packet from snoop.

ETHER:  ----- Ether Header -----
ETHER:  
ETHER:  Packet 36 arrived at 12:09:18.28026
ETHER:  Packet size = 169 bytes
ETHER:  Destination = 0:3:ba:71:22:65, 
ETHER:  Source      = 0:21:28:4:ec:b7, 
ETHER:  Ethertype = 0800 (IP)
ETHER:  
IP:   ----- IP Header -----
IP:   
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:         .... ..0. = not ECN capable transport
IP:         .... ...0 = no ECN congestion experienced
IP:   Total length = 155 bytes
IP:   Identification = 25576
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 255 seconds/hops
IP:   Protocol = 17 (UDP)
IP:   Header checksum = f267
IP:   Source address = 10.244.236.183, vienna
IP:   Destination address = 10.241.34.101, auctor.backup.es.gwu.edu
IP:   No options
IP:   
UDP:  ----- UDP Header -----
UDP:  
UDP:  Source port = 32832
UDP:  Destination port = 514 (SYSLOG)
UDP:  Length = 135 
UDP:  Checksum = F5D8 
UDP:  
SYSLOG:  ----- SYSLOG:   -----
SYSLOG:  
SYSLOG:  Priority: <29> (daemon.notice)
SYSLOG:  "<29>Mar 12 12:09:18 SC Alert: [ID 362536 daemon.notice] Audi"
SYSLOG:  

--
Christopher Caldwell

Senior Engineer, Technology Operations and Engineering
The George Washington University
caldwell @ gwu . edu | +1 202.994.4674 (w) | +1 202.409.0878 (c)
PGP key ID: 0x0A0EC46C

"Quis custodiet ipsos custodes?" - Juvenal
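As an added illustration (not part of the original post and not syslog-ng's own parser), a simplified Python model of the BSD-syslog header handling behind keep_hostname/check_hostname, run on the packet shown above; the reverse-DNS table and the sender address are constructed assumptions.

```python
import re

# Constructed sample: the datagram from the snoop trace, plus a stand-in
# reverse-DNS table so the example runs offline.
SAMPLE_LINE = "<29>Mar 12 12:09:18 SC Alert: [ID 362536 daemon.notice] Audi"
SAMPLE_SENDER = "10.244.236.183"
REVERSE_DNS = {"10.244.236.183": "vienna"}  # constructed, replaces the resolver

PRI_RE = re.compile(r"^<(\d{1,3})>")
# BSD syslog timestamp: "Mmm dd hh:mm:ss" followed by a space
TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# check_hostname(yes): only accept a header hostname made of these characters
HOSTNAME_CHARS = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_bsd_syslog(line, sender_ip, keep_hostname=False,
                     check_hostname=True, use_dns=True):
    """Model which macros a receiver derives from one UDP datagram.

    HOST_FROM is always the peer that delivered the datagram (resolved when
    use_dns is set).  HOST is the header hostname only when keep_hostname is
    on and the token passes the character check; otherwise it falls back to
    HOST_FROM, which is what keep_hostname(no) means in the posted config.
    """
    m = PRI_RE.match(line)
    pri = int(m.group(1)) if m else 13          # missing PRI -> user.notice
    rest = line[m.end():] if m else line
    header_host = ""
    ts = TS_RE.match(rest)
    if ts:
        rest = rest[ts.end():]
        token, _, _ = rest.partition(" ")       # "SC" in the sample line
        if token and (not check_hostname or HOSTNAME_CHARS.match(token)):
            header_host = token
    host_from = REVERSE_DNS.get(sender_ip, sender_ip) if use_dns else sender_ip
    host = header_host if (keep_hostname and header_host) else host_from
    return {
        "facility": pri // 8,       # 3 = daemon
        "severity": pri % 8,        # 5 = notice
        "HOST_FROM": host_from,
        "HOST": host,
        "header_host": header_host,
    }


if __name__ == "__main__":
    print(parse_bsd_syslog(SAMPLE_LINE, SAMPLE_SENDER))
```

With the options from the post, the sample resolves to HOST_FROM = HOST = "vienna" (the sending service processor), while the "SC" token is what would be taken as the header hostname if keep_hostname were enabled.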
