[syslog-ng] malformed syslog packets?
Matt Zagrabelny
mzagrabe at d.umn.edu
Tue Aug 30 03:36:28 CEST 2011
On Mon, Aug 29, 2011 at 7:26 PM, <syslogng at feystorm.net> wrote:
> Sent: Mon Aug 29 2011 17:10:19 GMT-0600 (MST)
> From: Matt Zagrabelny <mzagrabe at d.umn.edu>
> To: syslogng at feystorm.net "Syslog-ng users' and developers' mailing list"
> <syslog-ng at lists.balabit.hu>
> Subject: Re: [syslog-ng] malformed syslog packets?
>
> On Mon, Aug 29, 2011 at 5:10 PM, <syslogng at feystorm.net> wrote:
>
> Sent: Mon Aug 29 2011 15:20:51 GMT-0600 (MST)
> From: Matt Zagrabelny <mzagrabe at d.umn.edu>
> To: Syslog-ng users' and developers' mailing list
> <syslog-ng at lists.balabit.hu>
> Subject: [syslog-ng] malformed syslog packets?
>
> Hi!
>
> I've got a central log server running the OSE 3.1.3 version of syslog-ng:
>
> dpkg -l syslog-ng
> Desired=Unknown/Install/Remove/Purge/Hold
> |
> Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name Version
> Description
> +++-========================================-========================================-================================================================================================
> ii syslog-ng 3.1.3-3
> Next generation logging daemon
>
> I have dns lookup turned on via:
>
> options {
> use_dns(yes);
> dns_cache(2000);
> dns_cache_expire(87600);
> };
>
> And this seems to work just fine...except for a certain type of device
> on our network.
>
> We have a number of UPSes that log to our central log server and it
> seems that the dns look ups do not work for those (types of devices).
>
> % cd /var/log/syslog-ng/remote_clients
> % ls -d 10.*
> 10.25.32.4 10.25.5.15 10.25.5.19 10.25.5.26 10.25.5.35 10.25.5.4
> 10.25.5.44 10.25.5.51 10.25.5.6 10.25.5.65 10.25.5.69
> 10.25.5.76
> 10.25.5.1 10.25.5.16 10.25.5.2 10.25.5.27 10.25.5.36 10.25.5.40
> 10.25.5.49 10.25.5.52 10.25.5.60 10.25.5.66 10.25.5.7
> 10.25.5.79
> 10.25.5.10 10.25.5.17 10.25.5.20 10.25.5.28 10.25.5.37 10.25.5.41
> 10.25.5.5 10.25.5.55 10.25.5.61 10.25.5.67 10.25.5.72
> 10.25.5.81
> 10.25.5.14 10.25.5.18 10.25.5.23 10.25.5.3 10.25.5.38 10.25.5.43
> 10.25.5.50 10.25.5.58 10.25.5.62 10.25.5.68 10.25.5.75 10.25.5.9
>
> When I look up those IP addresses, they are *all* APC batteries (UPSes).
>
> For instance:
>
> % dig -x 10.25.5.43 +short
> kplz246Abat1.d.umn.edu
> .
>
> Is it possible that they are sending some sort of munged data to the
> log server and syslog-ng is not able to perform the (reverse) name
> lookup?
>
> Any advice?
>
> What macro are you using for the file name?
>
> I believe $HOST.
>
> destination d_remote_clients {
> file(
> "/var/log/syslog-ng/remote_clients/$HOST/$YEAR/$MONTH/$DAY/$FACILITY"
> owner(root)
> group(root)
> perm(0644)
> dir_perm(0755)
> create_dirs(yes)
> );
> };
>
> -mz
>
>
> That would be the issue. You want $HOST_FROM
Super! I have tweaked the configs.
> From the user guide:
>
> HOST
>
> Description: The name of the source host where the message originates from.
> If the message traverses several hosts and the chain_hostnames() option is
> on, the first host in the chain is used. To use this macro, make sure that
> the keep_hostname() option is enabled.
Okay. However there is only one host in the chain:
APC UPS (udp 514)-> syslog_server
doesn't syslog-ng do (reverse) name lookups when using the HOST macro?
> HOST_FROM
>
> Description: Name of the host that sent the message to syslog-ng, as
> resolved by syslog-ng using DNS. If the message traverses several hosts,
> this is the last host in the chain. To use this macro, make sure that the
> keep_hostname() option is enabled.
Thanks again!
-mz
More information about the syslog-ng
mailing list