[syslog-ng] hostname not appearing correctly when receiving logs from switches

Scheidler, Balázs balazs.scheidler at balabit.com
Tue Jun 19 11:58:53 UTC 2018


Hi,

I've finally got around and checked this out. Here's what I've found:

* the message does not contain a hostname
* if I am receiving this using a normal udp() source, I can reproduce that
HOST becomes ':'
* if I am using flags(no-parse) on input and the new cisco-parser() to
actually decompose the message, it correctly parses it and HOST becomes the
DNS resolved variant of the sender IP address.

I'll check what 3.5 did in this scenario.


-- 
Bazsi
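As an added illustration of the two receiving modes described above (this configuration is written for this note and is not from the original post or the syslog-ng project), the following syslog-ng config feeds one port into the built-in parser and another into cisco-parser() with flags(no-parse), and writes both through the same template so the HOST values can be compared. The port numbers, file path and template are assumptions chosen for a lab comparison; the sources would normally share one listener in production.

```conf
@version: 3.14
@include "scl.conf"

options {
    keep-hostname(yes);   # option Joshua already had set; no effect if the
                          # message carries no hostname at all
    use-dns(yes);         # lets HOST fall back to the resolved sender address
};

# Mode 1: ordinary udp() source, the built-in syslog parser runs on arrival.
# Assumed port 514; this is the path on which HOST came back as ':'.
source s_udp_plain {
    udp(ip("0.0.0.0") port(514));
};

# Mode 2: take the datagram verbatim (no-parse leaves it whole in $MESSAGE)
# and let the SCL cisco-parser() decompose it afterwards.
# Assumed port 1514 so both modes can run side by side.
source s_udp_raw {
    udp(ip("0.0.0.0") port(1514) flags(no-parse));
};

parser p_cisco {
    cisco-parser();
};

# Assumed file destination; the template exposes the parsed fields so the
# two modes can be diffed line by line.
destination d_compare {
    file("/var/log/switch-hosts.log"
         template("${SOURCEIP} host=[${HOST}] prog=[${PROGRAM}] msg=[${MESSAGE}]\n"));
};

log { source(s_udp_plain); destination(d_compare); };
log { source(s_udp_raw); parser(p_cisco); destination(d_compare); };
```

Validate the file with `syslog-ng --syntax-only -f /path/to/this.conf` before loading it, and run `syslog-ng -Fevd -f /path/to/this.conf` in the foreground to get the debug trace that shows each incoming datagram, which is the byte-exact view Balázs asked for earlier in the thread.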

On Mon, May 21, 2018 at 11:27 PM, Clayton Dukes <cdukes at logzilla.net> wrote:

> Was anyone able to figure out why this is happening?
>
>
>
> *From: *"Scheidler, Balázs" <balazs.scheidler at balabit.com>
> *Date: *Tuesday, May 15, 2018 at 10:58 AM
> *To: *"cdukes at cdukes.com" <cdukes at cdukes.com>
> *Cc: *Clayton Dukes <cdukes at logzilla.net>
> *Subject: *Re: Fwd: [syslog-ng] hostname not appearing correctly when
> receiving logs from switches
>
>
>
> Thanks
>
>
>
> On May 15, 2018 16:52, "Clayton Dukes" <cdukes at gmail.com> wrote:
>
> Making sure you got this (in case the other went to spam)
>
>
>
> ______________________________________________________________
>
> Clayton Dukes
> ______________________________________________________________
>
>
>
> ---------- Forwarded message ----------
> From: *Clayton Dukes* <cdukes at logzilla.net>
> Date: Mon, May 7, 2018 at 4:46 PM
> Subject: Re: [syslog-ng] hostname not appearing correctly when receiving
> logs from switches
> To: "Scheidler, Balázs" <balazs.scheidler at balabit.com>
> Cc: Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
>
> Hi Balazs,
>
> Sorry for the delay, I don’t get a lot of free time these days :)
>
> I have attached a pcap as well as a raw log. The log is prior to any
> manipulation of LogZilla rules, etc.
>
>
>
> This is easily reproducible.
>
> Also, if I add show-timezone to the device config, the host field shows
> up.
>
> The problem, of course, is that we can’t tell all of our customers to
> re-configure all of their cisco devices.
>
> We have documented the work-around here (search the page for “hostname
> missing”):
>
> http://demo.logzilla.net/help/receiving_data/cisco_ios_configuration
>
>
>
> This problem never existed before, but I am not certain which syslog-ng
> version it started occurring in.
>
>
>
>
>
>
>
>
>
> *From: *"Scheidler, Balázs" <balazs.scheidler at balabit.com>
> *Date: *Tuesday, May 1, 2018 at 8:45 PM
> *To: *Clayton Dukes <cdukes at logzilla.net>
> *Cc: *Joshua <aces621 at yahoo.com>, Syslog-ng users' and developers'
> mailing list <syslog-ng at lists.balabit.hu>
> *Subject: *Re: [syslog-ng] hostname not appearing correctly when
> receiving logs from switches
>
>
>
> Interesting that I saw this message the first time in your response, and
> not the original one.
>
>
>
> Anyhow, to understand the problem we would need an exact byte-by-byte
> representation of what syslog-ng is receiving from the switch together with
> the configuration that is used to process it. A tcpdump or an "Incoming
> message" from syslog debug output should work.
>
>
>
> We haven't intentionally changed the syslog parser as far as I remember.
>
>
>
> On May 1, 2018 22:50, "Clayton Dukes" <cdukes at logzilla.net> wrote:
>
> Interesting! We’ve been getting a lot of support tickets for this very
> problem.
>
> I can easily recreate the issue.
>
>
>
> Balabit Team: is this a new bug?
>
>
>
>
>
>
>
>
>
>
> *Clayton Dukes*
>
> Founder & CEO
>
> LogZilla Corporation
> 2900 N. Quinlan Park Rd, B240-341
> Austin, TX, 78732
>
> Tel: 936-4NetOps (463-8677)
>
> Web: www.logzilla.net
>
>
>
>
> *For NetOps, By NetOps!*
>
>
>
>
>
>
>
>
>
> *From: *syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Joshua <aces621 at yahoo.com>
> *Reply-To: *Joshua <aces621 at yahoo.com>, Syslog-ng users' and developers'
> mailing list <syslog-ng at lists.balabit.hu>
> *Date: *Monday, April 30, 2018 at 7:09 PM
> *To: *"syslog-ng at lists.balabit.hu" <syslog-ng at lists.balabit.hu>
> *Subject: *[Suspected Spam] [syslog-ng] hostname not appearing correctly
> when receiving logs from switches
>
>
>
> Hi All,
>
>
>
> I am pretty new to syslog-ng but do have some basic knowledge. I have
> deployed syslog-ng v3.14 on a newly deployed Linux server because syslog-ng
> v3.5 is working very well on another syslog server.
>
>
>
> On this new deployment, the syslogs received from most of the servers are
> able to show IP/host, however, the syslogs from our switches contain
> IP/host showing as ":" (colons). I copied the current working custom build
> .conf from another syslog server into our new server. Can someone help me
> figure out what I am missing? It is working for some components but not for
> switches. I tested the same switch by sending syslog to another syslog
> server and the hostname is appearing but just not appearing on the new
> syslog server. The only difference between the two servers is that one uses
> v3.5 (the working one) and the other uses syslog-ng v3.14.
>
>
>
> I have set: "keep_hostname (yes)" but it still doesn't work.
>
>
>
> Can someone please help? Am I missing something here?
>
>
>
> Thanks
>
> *Joshua Lai*
>
>
>
>
>
>

