[syslog-ng] AIX Syslog Messages

Balazs Scheidler bazsi at balabit.hu
Wed Jul 20 12:51:53 CEST 2011 

Hi,

This is how syslog-ng tries to find a proper hostname:

1) parse the one in the message if present. The AIX "message forwarded
from" format contains a source hostname, and this is added into the
$HOST macro.

2) if keep-hostname() is set to "no" or the $HOST is empty (e.g. parsing
failed because the incoming message had no $HOST part in the first
place), then syslog-ng tries to resolve it based on the sender IP
address.

3) when resolving an address, syslog-ng optionally uses DNS, a
local /etc/hosts file. If DNS is not in use, or the IP cannot be
resolved, it uses the IP address.

The sample options you've pasted contains keep_hostname(no), which
explains why you see an IP address there. You state that even with
keep_hostname(yes), the same behaviour remains.

This might be a bug then, however in order to diagnose the problem,
please send the packet contents as received by syslog-ng (too see what
it really receives), and the exact settings at the reception.

Thanks.

On Wed, 2011-07-06 at 10:46 +0000, Ricardo Oliveira wrote:
> Hi,
>  
> Thanks for your reply.
> I did, but it still keeps the IP address, so I removed it.
>  
> These are my options:
>  
>         long_hostnames(off);
>         # doesn't actually help on Solaris, log(3) truncates at 1024
> chars
>         log_msg_size(8192);
>         # buffer just a little for performance
>         # sync(1); <- Deprecated - use flush_lines() instead
>         flush_lines(1);
>         # memory is cheap, buffer messages unable to write (like to
> loghost)
>         log_fifo_size(16384);
>         # Hosts we don't want syslog from
>         #bad_hostname("^(ctld.|cmd|tmd|last)$");
>         # The time to wait before a dead connection is reestablished
> (seconds)
>         time_reopen(10);
>         #Use DNS so that our good names are used, not hostnames
>         use_dns(no);
>         dns_cache(yes);
>         #Use the whole DNS name
>         use_fqdn(no);
>         keep_hostname(no);
>         chain_hostnames(no);
>         #Read permission for everyone
>         perm(0644);
>         # The default action of syslog-ng 1.6.0 is to log a STATS line
>         # to the file every 10 minutes. That's pretty ugly after a
> while.
>         # Change it to every 12 hours so you get a nice daily update
> of
>         # # how many messages syslog-ng missed (0).
>         # stats(43200);
>  
> Thanks,
> Ricardo.
>  
> > Date: Wed, 6 Jul 2011 09:04:51 +0200
> > From: frobert at balabit.hu
> > To: syslog-ng at lists.balabit.hu
> > Subject: Re: [syslog-ng] AIX Syslog Messages
> > 
> > Hi,
> > 
> > did you try setting the keep_hostname(yes) global option?
> > 
> > Robert
> > 
> > On 07/05/2011 09:05 PM, Ricardo Oliveira wrote:
> > 
> > > Hi,
> > >
> > > I'm having some problems properly storing messages received from
> AIX servers.
> > > The format which they come in is like this:
> > >
> > > "Jul 5 19:30:59 Message forwarded from server2: su: from root
> to ..."
> > >
> > > According to a thread on this mailing list
> > >
> (https://lists.balabit.hu/pipermail/syslog-ng/2006-October/009372.html), and if
> > > I understood correctly, this should be OK, and I should get the
> expected
> > > behaviour of replacing this with the form:
> > >
> > > "Jul 5 19:30:59 server2 su: from root to ..."
> > >
> > > However, what I get in the log is:
> > >
> > > "Jul 5 19:30:59 192.168.1.1 su: from root to ..."
> > >
> > > Where the 192.168.1.1 is the IP of the machine I got the message
> from and not
> > > the name of the server (server2 in this case).
> > >
> > > The issue here is that these messages belong to several machines
> which are
> > > sending their syslog messages to a NIM server which in turn
> forwards them to our
> > > syslog server, so the IP we end up with is not the machine's IP,
> but rather the
> > > NIM server IP, which is not what we need.
> > > I tried parsing the message on arrival, but it doesn't work, I
> suppose it's
> > > because syslog-ng processes it before the parsers kick in.
> > >
> > > Is there a way to do this?
> > >
> > > TIA,
> > > Ricardo.
> > >
> > >
> > >
> > >
> ______________________________________________________________________________
> > > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > > Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> > > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> > >
> > 
> > 
> >
> ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> > 
> 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> 

-- 
Bazsi

More information about the syslog-ng mailing list