[syslog-ng] AIX Syslog Messages
Ricardo Oliveira
n3g4s at hotmail.com
Wed Jul 6 12:46:34 CEST 2011
Hi,
Thanks for your reply.
I did, but it still keeps the IP address, so I removed it.
These are my options:
long_hostnames(off);
# doesn't actually help on Solaris, log(3) truncates at 1024 chars
log_msg_size(8192);
# buffer just a little for performance
# sync(1); <- Deprecated - use flush_lines() instead
flush_lines(1);
# memory is cheap, buffer messages unable to write (like to loghost)
log_fifo_size(16384);
# Hosts we don't want syslog from
#bad_hostname("^(ctld.|cmd|tmd|last)$");
# The time to wait before a dead connection is reestablished (seconds)
time_reopen(10);
#Use DNS so that our good names are used, not hostnames
use_dns(no);
dns_cache(yes);
#Use the whole DNS name
use_fqdn(no);
keep_hostname(no);
chain_hostnames(no);
#Read permission for everyone
perm(0644);
# The default action of syslog-ng 1.6.0 is to log a STATS line
# to the file every 10 minutes. That's pretty ugly after a while.
# Change it to every 12 hours so you get a nice daily update of
# how many messages syslog-ng missed (0).
# stats(43200);
Thanks,
Ricardo.
> Date: Wed, 6 Jul 2011 09:04:51 +0200
> From: frobert at balabit.hu
> To: syslog-ng at lists.balabit.hu
> Subject: Re: [syslog-ng] AIX Syslog Messages
>
> Hi,
>
> did you try setting the keep_hostname(yes) global option?
>
> Robert
>
> On 07/05/2011 09:05 PM, Ricardo Oliveira wrote:
>
> > Hi,
> >
> > I'm having some problems properly storing messages received from AIX servers.
> > The format which they come in is like this:
> >
> > "Jul 5 19:30:59 Message forwarded from server2: su: from root to ..."
> >
> > According to a thread on this mailing list
> > (https://lists.balabit.hu/pipermail/syslog-ng/2006-October/009372.html), and if
> > I understood correctly, this should be OK, and I should get the expected
> > behaviour of replacing this with the form:
> >
> > "Jul 5 19:30:59 server2 su: from root to ..."
> >
> > However, what I get in the log is:
> >
> > "Jul 5 19:30:59 192.168.1.1 su: from root to ..."
> >
> > Where the 192.168.1.1 is the IP of the machine I got the message from and not
> > the name of the server (server2 in this case).
> >
> > The issue here is that these messages belong to several machines which are
> > sending their syslog messages to a NIM server which in turn forwards them to our
> > syslog server, so the IP we end up with is not the machine's IP, but rather the
> > NIM server IP, which is not what we need.
> > I tried parsing the message on arrival, but it doesn't work, I suppose it's
> > because syslog-ng processes it before the parsers kick in.
> >
> > Is there a way to do this?
> >
> > TIA,
> > Ricardo.
> >
> >
> >
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> >
>
>
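The rewrite Ricardo is after, as an added example that is not from this thread and not syslog-ng's own code: a small Python filter that takes a relayed BSD-syslog line, unwraps the AIX "Message forwarded from HOST:" prefix and puts the origin host back into the header in place of the relay's IP. Lines without the prefix are left alone, so direct senders keep their real address. The regexes, the sample lines and the hostname check are my own constructions; in particular the check exists because the origin name is taken from the message body, i.e. from data the relay accepted from anyone, so it is validated before it is allowed to become the HOST field.

```python
import re
from typing import List, Optional, Tuple

# Relayed line as it arrives: "<Mon  d HH:MM:SS> <relay-host-or-ip> <message>".
# The day may be padded with a second space, hence " {1,2}". (Constructed pattern.)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Prefix AIX syslogd puts in front of messages it forwards on behalf of another host.
FORWARDED_RE = re.compile(r"^Message forwarded from (?P<origin>[^:]+): (?P<rest>.*)$")

# Accept only a plausible hostname/FQDN as the origin (RFC 1123 label shape, max 253 chars),
# so a crafted message body cannot smuggle whitespace, separators or control characters
# into the HOST field of the stored log. (Assumption: hostnames, not IPs, are expected here.)
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def unwrap_forwarded(line: str) -> Optional[Tuple[str, str, str, bool]]:
    """Return (timestamp, host, message, unwrapped) or None if the line is not syslog-shaped.

    host is the origin named in the forwarding prefix when that prefix is present and
    names a valid hostname; otherwise it stays the relay host from the header.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")
    fwd = FORWARDED_RE.match(msg)
    if fwd and HOSTNAME_RE.match(fwd.group("origin")):
        return ts, fwd.group("origin"), fwd.group("rest"), True
    # No prefix, or an origin that does not look like a hostname: keep the line as received.
    return ts, host, msg, False


def normalize(line: str) -> str:
    """Rebuild the line with the origin host in the header, or return it unchanged."""
    parsed = unwrap_forwarded(line)
    if parsed is None:
        return line
    ts, host, msg, _ = parsed
    return f"{ts} {host} {msg}"


def normalize_many(lines: List[str]) -> List[str]:
    return [normalize(l) for l in lines]


# Constructed sample input: the relay 192.168.1.1 forwards for server2, one message of its
# own, and one message whose "origin" is not a valid hostname and must not be trusted.
SAMPLE_LINES = [
    "Jul  5 19:30:59 192.168.1.1 Message forwarded from server2: su: from root to oracle",
    "Jul  5 19:31:02 192.168.1.1 syslogd: restart",
    "Jul  5 19:31:05 192.168.1.1 Message forwarded from bad host;x: su: from root to oracle",
]

if __name__ == "__main__":
    for out in normalize_many(SAMPLE_LINES):
        print(out)
```

Running it prints the first line with "server2" in the host position, the second line untouched, and the third line untouched because "bad host;x" fails the hostname check. The same shape of check is worth keeping whatever tool does the rewrite: anything copied from the message body into a header field should be constrained to the character set that field is supposed to hold.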