[syslog-ng] malformed syslog packets?

Matt Zagrabelny mzagrabe at d.umn.edu
Tue Aug 30 03:36:28 CEST 2011


On Mon, Aug 29, 2011 at 7:26 PM,  <syslogng at feystorm.net> wrote:
> Sent: Mon Aug 29 2011 17:10:19 GMT-0600 (MST)
> From: Matt Zagrabelny <mzagrabe at d.umn.edu>
> To: syslogng at feystorm.net "Syslog-ng users' and developers' mailing list"
> <syslog-ng at lists.balabit.hu>
> Subject: Re: [syslog-ng] malformed syslog packets?
>
> On Mon, Aug 29, 2011 at 5:10 PM,  <syslogng at feystorm.net> wrote:
>
> Sent: Mon Aug 29 2011 15:20:51 GMT-0600 (MST)
> From: Matt Zagrabelny <mzagrabe at d.umn.edu>
> To: Syslog-ng users' and developers' mailing list
> <syslog-ng at lists.balabit.hu>
> Subject: [syslog-ng] malformed syslog packets?
>
> Hi!
>
> I've got a central log server running the OSE 3.1.3 version of syslog-ng:
>
> dpkg -l syslog-ng
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name           Version      Description
> +++-==============-============-===============================
> ii  syslog-ng      3.1.3-3      Next generation logging daemon
>
> I have dns lookup turned on via:
>
> options {
>   use_dns(yes);
>   dns_cache(2000);
>   dns_cache_expire(87600);
> };
>
> And this seems to work just fine...except for a certain type of device
> on our network.
>
> We have a number of UPSes that log to our central log server and it
> seems that the DNS lookups do not work for those (types of devices).
>
> % cd /var/log/syslog-ng/remote_clients
> % ls -d 10.*
> 10.25.32.4  10.25.5.15  10.25.5.19  10.25.5.26  10.25.5.35  10.25.5.4   10.25.5.44  10.25.5.51  10.25.5.6   10.25.5.65  10.25.5.69  10.25.5.76
> 10.25.5.1   10.25.5.16  10.25.5.2   10.25.5.27  10.25.5.36  10.25.5.40  10.25.5.49  10.25.5.52  10.25.5.60  10.25.5.66  10.25.5.7   10.25.5.79
> 10.25.5.10  10.25.5.17  10.25.5.20  10.25.5.28  10.25.5.37  10.25.5.41  10.25.5.5   10.25.5.55  10.25.5.61  10.25.5.67  10.25.5.72  10.25.5.81
> 10.25.5.14  10.25.5.18  10.25.5.23  10.25.5.3   10.25.5.38  10.25.5.43  10.25.5.50  10.25.5.58  10.25.5.62  10.25.5.68  10.25.5.75  10.25.5.9
>
> When I look up those IP addresses, they are *all* APC batteries (UPSes).
>
> For instance:
>
> % dig -x 10.25.5.43 +short
> kplz246Abat1.d.umn.edu.
>
> Is it possible that they are sending some sort of munged data to the
> log server and syslog-ng is not able to perform the (reverse) name
> lookup?
>
> Any advice?
>
> What macro are you using for the file name?
>
> I believe $HOST.
>
> destination d_remote_clients {
>   file(
>        "/var/log/syslog-ng/remote_clients/$HOST/$YEAR/$MONTH/$DAY/$FACILITY"
>        owner(root)
>        group(root)
>        perm(0644)
>        dir_perm(0755)
>        create_dirs(yes)
>       );
> };
>
> -mz
>
>
> That would be the issue. You want $HOST_FROM

Super! I have tweaked the configs.

> From the user guide:
>
> HOST
>
> Description: The name of the source host where the message originates from.
> If the message traverses several hosts and the chain_hostnames() option is
> on, the first host in the chain is used. To use this macro, make sure that
> the keep_hostname() option is enabled.

Okay. However, there is only one host in the chain:

APC UPS (udp 514)-> syslog_server

Doesn't syslog-ng do (reverse) name lookups when using the HOST macro?

> HOST_FROM
>
> Description: Name of the host that sent the message to syslog-ng, as
> resolved by syslog-ng using DNS. If the message traverses several hosts,
> this is the last host in the chain. To use this macro, make sure that the
> keep_hostname() option is enabled.

Thanks again!

-mz
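To make the $HOST versus $HOST_FROM distinction from the replies above concrete, here is an added example. It is my own Python, not syslog-ng code and not posted by anyone in this thread. It models the two macros with a minimal RFC 3164 (BSD syslog) parser and a constructed reverse-DNS table standing in for use_dns(yes); the UDP datagram is constructed too, and a UPS writing its own IP literal into the header HOSTNAME field is one reading consistent with the thread, not something the thread captures. The PTR record for 10.25.5.43 is the one shown earlier in the thread; every other name, IP and helper below (FAKE_PTR, parse_bsd, host_macro, host_from_macro, hostname_is_sane, render_destination) is an assumption of this example. The point a practitioner should take away: with keep_hostname(yes), $HOST is whatever the sender wrote into the packet header, whereas $HOST_FROM is the peer address that syslog-ng itself resolved, so a file() path built from $HOST is built from sender-supplied data.

```python
import re

# Constructed stand-in for syslog-ng's reverse-DNS cache (use_dns(yes)).
# The PTR for 10.25.5.43 is the one shown in the thread; the other entry is made up.
FAKE_PTR = {
    "10.25.5.43": "kplz246Abat1.d.umn.edu",
    "10.25.1.7": "syslog-client-7.d.umn.edu",
}

# RFC 3164 framing: <PRI>TIMESTAMP HOSTNAME MSG  (TIMESTAMP is "Mmm dd hh:mm:ss")
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Simplified facility table (assumption: only the standard numbers and local0-7 are named).
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog",
                  "lpr", "news", "uucp", "cron", "authpriv", "ftp"]


def parse_bsd(packet: bytes) -> dict:
    """Split a BSD syslog datagram into its fields; raise on malformed input."""
    m = BSD_RE.match(packet.decode("ascii", errors="replace"))
    if m is None:
        raise ValueError("not a well-formed BSD syslog packet")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError("PRI out of range")
    fac = pri >> 3
    if fac < len(FACILITY_NAMES):
        facility = FACILITY_NAMES[fac]
    elif fac >= 16:
        facility = f"local{fac - 16}"
    else:
        facility = "unknown"
    return {"facility": facility, "severity": pri & 7,
            "timestamp": m["ts"], "header_host": m["host"], "msg": m["msg"]}


def resolve_sender(sender_ip: str, use_dns: bool = True) -> str:
    """What use_dns(yes) yields for the peer address; the bare IP with use_dns(no)."""
    return FAKE_PTR.get(sender_ip, sender_ip) if use_dns else sender_ip


def host_macro(packet: bytes, sender_ip: str,
               keep_hostname: bool = True, use_dns: bool = True) -> str:
    """$HOST: with keep_hostname(yes) the HOSTNAME field the *sender* wrote into
    the header is kept as-is (an IP literal stays an IP literal, nothing is
    reverse-resolved); with keep_hostname(no) it is replaced by the resolved peer."""
    if keep_hostname:
        return parse_bsd(packet)["header_host"]
    return resolve_sender(sender_ip, use_dns)


def host_from_macro(sender_ip: str, use_dns: bool = True) -> str:
    """$HOST_FROM: the last hop, i.e. the UDP peer address as syslog-ng resolved it."""
    return resolve_sender(sender_ip, use_dns)


def hostname_is_sane(name: str) -> bool:
    """Stand-in for the intent of syslog-ng's check_hostname(yes): accept only
    letters, digits, '.' and '-', so path separators, spaces and control
    characters coming from a sender-supplied header are rejected."""
    return re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?", name) is not None


def render_destination(template: str, packet: bytes, sender_ip: str,
                       keep_hostname: bool = True, use_dns: bool = True) -> str:
    """Expand $HOST_FROM, $HOST and $FACILITY in a file() path template.
    $HOST_FROM is substituted first so that '$HOST' does not eat its prefix."""
    fields = parse_bsd(packet)
    values = [
        ("$HOST_FROM", host_from_macro(sender_ip, use_dns)),
        ("$HOST", host_macro(packet, sender_ip, keep_hostname, use_dns)),
        ("$FACILITY", fields["facility"]),
    ]
    out = template
    for macro, value in values:
        out = out.replace(macro, value)
    return out


# Constructed datagrams (not captures): a UPS that puts its own IP literal in the
# HOSTNAME field, and a sender that puts a path fragment there instead.
UPS_PACKET = b"<13>Aug 29 17:10:19 10.25.5.43 UPS: On battery power"
ODD_HOST_PACKET = b"<13>Aug 29 17:10:19 ../tmp/escape UPS: On battery power"
TEMPLATE_HOST = "/var/log/syslog-ng/remote_clients/$HOST/$FACILITY"
TEMPLATE_HOST_FROM = "/var/log/syslog-ng/remote_clients/$HOST_FROM/$FACILITY"

if __name__ == "__main__":
    print("$HOST      :", host_macro(UPS_PACKET, "10.25.5.43"))
    print("$HOST_FROM :", host_from_macro("10.25.5.43"))
    print(render_destination(TEMPLATE_HOST, UPS_PACKET, "10.25.5.43"))
    print(render_destination(TEMPLATE_HOST_FROM, UPS_PACKET, "10.25.5.43"))
    print("header host sane?", hostname_is_sane(parse_bsd(ODD_HOST_PACKET)["header_host"]))
```

Running it shows the directory that the original destination would create for the constructed UPS datagram (10.25.5.43, because that is what the sender wrote into the header) next to the one $HOST_FROM yields (kplz246Abat1.d.umn.edu, from the reverse lookup of the peer address). The last line is the caveat: whichever macro you pick for a file() path, a header hostname is sender-supplied data, so if $HOST is kept in any path, a character check of the kind check_hostname(yes) performs belongs in the configuration as well.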

