[syslog-ng] syslog-ng is skipping syslog events with no PRI

Asif Iqbal vadud3 at gmail.com
Wed Mar 21 14:29:22 UTC 2018


On Wed, Mar 21, 2018 at 9:58 AM, Fabien Wernli <wernli at in2p3.fr> wrote:

> On Wed, Mar 21, 2018 at 09:46:32AM -0400, Asif Iqbal wrote:
> > My client hostname is svl-search-01 and its IP resolves to svl-remote-01.
> > Its syslogs do not have any PRI or hostname in HOST field.
> >
> > I like to have svl-search-01 in the HOST field.
>
> In that case the only sensible options are:
>
> * upgrade & use add-contextual-data
>
>   or
>
> * use /etc/hosts and keep-hostname(no)
>
>
I noticed that if I have multiple source files, I only get logs from the
last source. Does that make sense?

source s_sys {
    file ("/proc/kmsg" program_override("kernel: "));
    system();
    internal();
    udp(ip(0.0.0.0) port(514));
};

source s_udp { udp(ip(0.0.0.0) port(514)); };

source s_alarm { udp( ip(0.0.0.0)  port(514) use_dns(persist_only) ); };

log { source(s_sys); filter(f_ciena); destination(d_ciena); };
log { source(s_alarm); filter(f_alarm); destination(d_alarm); };

As soon as I commented all the other sources and only kept the s_sys, I
started getting logs again from those routers.







-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
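
Added example, not part of the original message or of the syslog-ng project: a configuration sketch that declares the UDP listener on 0.0.0.0:514 once and attaches both log paths to it, combined with the /etc/hosts and keep-hostname(no) option suggested in the quoted reply. The source names s_local and s_net and the address in the comment are assumptions; f_ciena, f_alarm, d_ciena and d_alarm are the names used in the message and are assumed to be defined elsewhere in the configuration.

```conf
# Local messages only; no network listener here (s_local is a hypothetical name).
source s_local {
    system();
    internal();
};

# The only listener on 0.0.0.0:514 (s_net is a hypothetical name).
# use_dns(persist_only): resolve the sender's address from the hosts file only,
#   never by querying DNS.
# keep_hostname(no): ignore any hostname carried in the message and put the
#   locally resolved name in HOST instead.
# The hosts file needs an entry for the sender, for example (constructed address):
#   192.0.2.10   svl-search-01
source s_net {
    udp(
        ip(0.0.0.0)
        port(514)
        use_dns(persist_only)
        keep_hostname(no)
    );
};

# Both log paths read from the same listener, so neither depends on which
# of several sockets bound to port 514 happens to receive the datagrams.
log { source(s_net); filter(f_ciena); destination(d_ciena); };
log { source(s_net); filter(f_alarm); destination(d_alarm); };
```

Because HOST is taken from the local hosts file rather than from the message, a sender cannot choose the name it is logged under, which matters when filters or alerting key on HOST.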