[syslog-ng] malformed syslog packets?

syslogng at feystorm.net syslogng at feystorm.net
Tue Aug 30 02:26:49 CEST 2011


Sent: Mon Aug 29 2011 17:10:19 GMT-0600 (MST)
From: Matt Zagrabelny <mzagrabe at d.umn.edu>
To: syslogng at feystorm.net, Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] malformed syslog packets?
> On Mon, Aug 29, 2011 at 5:10 PM, <syslogng at feystorm.net> wrote:
>>
>> Sent: Mon Aug 29 2011 15:20:51 GMT-0600 (MST)
>> From: Matt Zagrabelny <mzagrabe at d.umn.edu>
>> To: Syslog-ng users' and developers' mailing list
>> <syslog-ng at lists.balabit.hu>
>> Subject: [syslog-ng] malformed syslog packets?
>>
>> Hi!
>>
>> I've got a central log server running the OSE 3.1.3 version of syslog-ng:
>>
>> dpkg -l syslog-ng
>> Desired=Unknown/Install/Remove/Purge/Hold
>> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
>> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
>> ||/ Name           Version      Description
>> +++-==============-============-==============================
>> ii  syslog-ng      3.1.3-3      Next generation logging daemon
>>
>> I have dns lookup turned on via:
>>
>> options {
>>    use_dns(yes);
>>    dns_cache(2000);
>>    dns_cache_expire(87600);
>> };
>>
>> And this seems to work just fine...except for a certain type of device
>> on our network.
>>
>> We have a number of UPSes that log to our central log server and it
>> seems that the dns look ups do not work for those (types of devices).
>>
>> % cd /var/log/syslog-ng/remote_clients
>> % ls -d 10.*
>> 10.25.32.4  10.25.5.15  10.25.5.19  10.25.5.26  10.25.5.35  10.25.5.4   10.25.5.44  10.25.5.51  10.25.5.6   10.25.5.65  10.25.5.69  10.25.5.76
>> 10.25.5.1   10.25.5.16  10.25.5.2   10.25.5.27  10.25.5.36  10.25.5.40  10.25.5.49  10.25.5.52  10.25.5.60  10.25.5.66  10.25.5.7   10.25.5.79
>> 10.25.5.10  10.25.5.17  10.25.5.20  10.25.5.28  10.25.5.37  10.25.5.41  10.25.5.5   10.25.5.55  10.25.5.61  10.25.5.67  10.25.5.72  10.25.5.81
>> 10.25.5.14  10.25.5.18  10.25.5.23  10.25.5.3   10.25.5.38  10.25.5.43  10.25.5.50  10.25.5.58  10.25.5.62  10.25.5.68  10.25.5.75  10.25.5.9
>>
>> When I look up those IP addresses, they are *all* APC batteries (UPSes).
>>
>> For instance:
>>
>> % dig -x 10.25.5.43 +short
>> kplz246Abat1.d.umn.edu.
>>
>> Is it possible that they are sending some sort of munged data to the
>> log server and syslog-ng is not able to perform the (reverse) name
>> lookup?
>>
>> Any advice?
>>
>> What macro are you using for the file name?
>>
> I believe $HOST.
>
> destination d_remote_clients {
>    file(
>         "/var/log/syslog-ng/remote_clients/$HOST/$YEAR/$MONTH/$DAY/$FACILITY"
>         owner(root)
>         group(root)
>         perm(0644)
>         dir_perm(0755)
>         create_dirs(yes)
>        );
> };
>
> -mz


That would be the issue. You want $HOST_FROM.


From the user guide:

HOST

Description: The name of the source host where the message originates from. If the message traverses several hosts and the chain_hostnames() option (<http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/index.html-single.html#option_chain_hostnames>) is on, the first host in the chain is used. To use this macro, make sure that the keep_hostname() option is enabled.

HOST_FROM

Description: Name of the host that sent the message to syslog-ng, as resolved by syslog-ng using DNS. If the message traverses several hosts, this is the last host in the chain. To use this macro, make sure that the keep_hostname() option is enabled.
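To make the difference between the two macros concrete, here is an added Python example. It is not syslog-ng code and not from anyone in the thread; it models how $HOST and $HOST_FROM are derived as the user guide text above describes them, and shows which directory name each would produce for a few constructed messages. The reverse-DNS table (only the 10.25.5.43 entry comes from the thread), the sample log lines, the 192.0.2.0/24 addresses, and the assumption that the UPS writes its own IP address in the header HOSTNAME field are all this example's own.

```python
"""Derive syslog-ng's $HOST and $HOST_FROM for a BSD-syslog message.

Added example, not syslog-ng code. $HOST is the hostname carried in the
message header (with keep_hostname(yes)); $HOST_FROM is the peer that
delivered the message, reverse-resolved by the log server.
"""
import os
import re
from typing import Optional

# Constructed reverse-DNS table standing in for the resolver. Only the
# 10.25.5.43 entry appears in the thread; the rest is made up here.
REVERSE_DNS = {
    "10.25.5.43": "kplz246Abat1.d.umn.edu",
    "192.0.2.10": "www1.example.edu",
}

# BSD-syslog (RFC 3164) line: <PRI>TIMESTAMP HOSTNAME MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Directory names this example is willing to build from a macro value:
# must start alphanumeric, so "." and ".." can never pass.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,252}$")

BASE = "/var/log/syslog-ng/remote_clients"


def resolve(peer_ip: str) -> str:
    """Reverse-resolve the sending peer; fall back to its address."""
    return REVERSE_DNS.get(peer_ip, peer_ip)


def parse(line: str) -> dict:
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not a BSD-syslog line: %r" % line)
    return m.groupdict()


def macro_host(line: str, peer_ip: str, keep_hostname: bool = True) -> str:
    """$HOST: the header HOSTNAME field when keep_hostname(yes).

    With keep_hostname(no) syslog-ng rewrites the field to the sending
    peer instead, so $HOST then collapses onto the resolved peer.
    """
    hdr = parse(line)["host"]
    return hdr if keep_hostname else resolve(peer_ip)


def macro_host_from(peer_ip: str) -> str:
    """$HOST_FROM: the peer that delivered the message, resolved."""
    return resolve(peer_ip)


def client_dir(base: str, name: str) -> Optional[str]:
    """Build base/name, refusing any name that could leave base.

    The check is this example's own; the thread does not say what
    syslog-ng itself does with such a value in a file() path.
    """
    if not SAFE_NAME.match(name):
        return None
    path = os.path.normpath(os.path.join(base, name))
    if os.path.dirname(path) != os.path.normpath(base):
        return None
    return path


# Constructed traffic: (peer address, raw line as received).
# The UPS line assumes the device puts its own address in HOSTNAME;
# the thread only shows the IP-named directories that resulted.
SAMPLES = [
    ("10.25.5.43", "<13>Aug 29 15:20:51 10.25.5.43 UPS: on battery power"),
    ("192.0.2.10", "<38>Aug 29 15:21:03 www1 sshd[4242]: Accepted publickey for ops"),
    ("192.0.2.66", "<13>Aug 29 15:22:00 ../../../../etc cron: test"),
]


def layout(samples=SAMPLES):
    """Return [(peer, dir from $HOST, dir from $HOST_FROM)] per sample."""
    rows = []
    for peer, line in samples:
        rows.append((
            peer,
            client_dir(BASE, macro_host(line, peer)),
            client_dir(BASE, macro_host_from(peer)),
        ))
    return rows


if __name__ == "__main__":
    for peer, by_host, by_host_from in layout():
        print("%-12s $HOST      -> %s" % (peer, by_host))
        print("%-12s $HOST_FROM -> %s" % ("", by_host_from))
```

The first row is the symptom from the thread: the header field, which is what $HOST carries, is the UPS's address, while the peer lookup, which is what $HOST_FROM carries, is the DNS name, so the destination wants `"/var/log/syslog-ng/remote_clients/$HOST_FROM/$YEAR/$MONTH/$DAY/$FACILITY"`. The third row is why the distinction matters beyond tidy naming: the header HOSTNAME is whatever the sender chose to write, so a file path built from $HOST is built from untrusted input, whereas $HOST_FROM comes from the socket peer and the server's own resolver. Over UDP the peer address can itself be spoofed, so even $HOST_FROM is only as trustworthy as the network path to the log server.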
