[syslog-ng] malformed syslog packets?
syslogng at feystorm.net
Tue Aug 30 00:10:46 CEST 2011
Sent: Mon Aug 29 2011 15:20:51 GMT-0600 (MST)
From: Matt Zagrabelny <mzagrabe at d.umn.edu>
To: Syslog-ng users' and developers' mailing list
<syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] malformed syslog packets?
> Hi!
>
> I've got a central log server running the OSE 3.1.3 version of syslog-ng:
>
> dpkg -l syslog-ng
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name       Version  Description
> +++-==========-========-==============================
> ii  syslog-ng  3.1.3-3  Next generation logging daemon
>
> I have dns lookup turned on via:
>
> options {
>     use_dns(yes);
>     dns_cache(2000);
>     dns_cache_expire(87600);
> };
>
> And this seems to work just fine...except for a certain type of device
> on our network.
>
> We have a number of UPSes that log to our central log server and it
> seems that the DNS lookups do not work for those (types of devices).
>
> % cd /var/log/syslog-ng/remote_clients
> % ls -d 10.*
> 10.25.32.4 10.25.5.15 10.25.5.19 10.25.5.26 10.25.5.35 10.25.5.4
> 10.25.5.44 10.25.5.51 10.25.5.6 10.25.5.65 10.25.5.69
> 10.25.5.76
> 10.25.5.1 10.25.5.16 10.25.5.2 10.25.5.27 10.25.5.36 10.25.5.40
> 10.25.5.49 10.25.5.52 10.25.5.60 10.25.5.66 10.25.5.7
> 10.25.5.79
> 10.25.5.10 10.25.5.17 10.25.5.20 10.25.5.28 10.25.5.37 10.25.5.41
> 10.25.5.5 10.25.5.55 10.25.5.61 10.25.5.67 10.25.5.72
> 10.25.5.81
> 10.25.5.14 10.25.5.18 10.25.5.23 10.25.5.3 10.25.5.38 10.25.5.43
> 10.25.5.50 10.25.5.58 10.25.5.62 10.25.5.68 10.25.5.75 10.25.5.9
>
> When I look up those IP addresses, they are *all* APC batteries (UPSes).
>
> For instance:
>
> % dig -x 10.25.5.43 +short
> kplz246Abat1.d.umn.edu.
>
> Is it possible that they are sending some sort of munged data to the
> log server and syslog-ng is not able to perform the (reverse) name
> lookup?
>
> Any advice?
>
> Thanks, much!
>
> -Matt Zagrabelny
What macro are you using for the file name?