[syslog-ng] Specific log messages have wrong hostname
Fekete Róbert
frobert at balabit.hu
Sun Mar 14 20:01:28 CET 2010
Hi,
I am unsure how to fix this on version 2.x (which does not mean that it cannot be done), but versions 3.0.x have an option called host-override for such cases.
Regards,
Robert
On Friday, March 12, 2010 19:02 CET, Christopher Jon Caldwell <caldwell at gwu.edu> wrote:
> All of the syslog messages sent by our Solaris servers that contain output from the service processor are getting the wrong hostname assigned to them - the log messages get filed under the hostname of the receiving syslog-ng server. They all share the same process name "SC Alert". The packets look correctly formed so I am assuming it is the space in the process name. Any way to fix this without dropping the messages completely using something like bad_hostname? We are running 2.1.11a Enterprise Edition.
>
> Here is the relevant part of my syslog-ng.conf:
>
> options {
>     sync (0);
>     create_dirs (yes);
>     keep_hostname (yes);
>     check_hostname (yes);
>     chain_hostnames (no);
>     bad_hostname ("\t");
>     normalize_hostnames (yes);
>     mark_freq (10);
> };
>
> source src_net {
>     udp(port(514));
> };
>
> destination d_hosts {
>     file("/var/log/systems/$HOST_FROM/$FACILITY/$YEAR/$MONTH/$FACILITY\-$YEAR$MONTH$DAY" perm(0644) dir_perm(0755) create_dirs(yes));
>
> ...
>
> log { source(src_net); destination(d_hosts); destination(d_splunk); flags(fallback); };
>
> And here is an example packet from snoop.
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 36 arrived at 12:09:18.28026
> ETHER: Packet size = 169 bytes
> ETHER: Destination = 0:3:ba:71:22:65,
> ETHER: Source = 0:21:28:4:ec:b7,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: .... ..0. = not ECN capable transport
> IP: .... ...0 = no ECN congestion experienced
> IP: Total length = 155 bytes
> IP: Identification = 25576
> IP: Flags = 0x4
> IP: .1.. .... = do not fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 255 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = f267
> IP: Source address = 10.244.236.183, vienna
> IP: Destination address = 10.241.34.101, auctor.backup.es.gwu.edu
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 32832
> UDP: Destination port = 514 (SYSLOG)
> UDP: Length = 135
> UDP: Checksum = F5D8
> UDP:
> SYSLOG: ----- SYSLOG: -----
> SYSLOG:
> SYSLOG: Priority: <29> (daemon.notice)
> SYSLOG: "<29>Mar 12 12:09:18 SC Alert: [ID 362536 daemon.notice] Audi"
> SYSLOG:
>
> --
> Christopher Caldwell
>
> Senior Engineer, Technology Operations and Engineering
> The George Washington University
> caldwell @ gwu . edu | +1 202.994.4674 (w) | +1 202.409.0878 (c)
> PGP key ID: 0x0A0EC46C
>
> "Quis custodiet ipsos custodes?" - Juvenal
>
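The parsing problem behind the quoted question, as an added illustration that is not code from syslog-ng or from either poster: a minimal parser following the classic BSD-syslog (RFC 3164) header layout, run over the datagram from the snoop capture, takes "SC" as the hostname (a value that also passes a syntactic hostname check, so a check_hostname-style filter cannot catch it), and an override step keyed on the sending address, in the spirit of the host-override option Robert mentions, files the record under the sender and restores the full program name. The SPLIT_PROGRAMS mapping and all function names are assumptions made for this example.

```python
import re

# Constructed sample: the datagram shown in the snoop capture in the thread
# (the capture truncates the text at "Audi"), as received from 10.244.236.183.
SAMPLE_PAYLOAD = "<29>Mar 12 12:09:18 SC Alert: [ID 362536 daemon.notice] Audi"
SAMPLE_SENDER = "10.244.236.183"

# BSD-syslog layout: <PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG.  The first
# space-delimited token after the timestamp is taken as HOSTNAME, so a datagram
# that omits the hostname and whose program name contains a space ("SC Alert")
# parses as host="SC", program="Alert".
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)
# RFC 1123 label syntax; "SC" is a perfectly valid hostname by this rule.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def is_valid_hostname(name):
    """Syntactic check in the spirit of check_hostname(); cannot reject 'SC'."""
    return bool(HOSTNAME_RE.match(name))

def parse_bsd_syslog(payload, sender_ip):
    """Split one datagram into fields; HOST is whatever the header says."""
    m = HEADER_RE.match(payload)
    if not m:
        raise ValueError("not a BSD-syslog datagram: %r" % payload)
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7,
            "timestamp": m.group("ts"), "host": m.group("host"),
            "program": m.group("tag"), "message": m.group("msg"),
            "source_ip": sender_ip}

# Constructed mapping (hypothetical, not a syslog-ng option): parsed
# (host, program) pairs that are really a single program name.
SPLIT_PROGRAMS = {("SC", "Alert"): "SC Alert"}

def override_host(record, split_programs):
    """Per-message host override: when the parsed host/program pair is really
    one program name, trust the sending address instead of the HOSTNAME field
    and restore the full program name.  Other records are returned unchanged."""
    key = (record["host"], record["program"])
    if key in split_programs:
        return dict(record, host=record["source_ip"], program=split_programs[key])
    return record

if __name__ == "__main__":
    raw = parse_bsd_syslog(SAMPLE_PAYLOAD, SAMPLE_SENDER)
    print("as parsed :", raw["host"], "/", raw["program"], is_valid_hostname(raw["host"]))
    print("overridden:", override_host(raw, SPLIT_PROGRAMS)["host"])
```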