[syslog-ng] syslog-ng is skipping syslog events with no PRI

Asif Iqbal vadud3 at gmail.com
Wed Mar 21 14:49:34 UTC 2018


On Wed, Mar 21, 2018 at 10:29 AM, Asif Iqbal <vadud3 at gmail.com> wrote:

>
>
> On Wed, Mar 21, 2018 at 9:58 AM, Fabien Wernli <wernli at in2p3.fr> wrote:
>
>> On Wed, Mar 21, 2018 at 09:46:32AM -0400, Asif Iqbal wrote:
>> > My client hostname is svl-search-01 and its IP resolves to svl-remote-01.
>> > Its syslogs do not have any PRI or hostname in HOST field.
>> >
>> > I like to have svl-search-01 in the HOST field.
>>
>> In that case the only sensible options are:
>>
>> * upgrade & use add-contextual-dat
>>
>>   or
>>
>> * use /etc/hosts and keep-hostname(no)
>>
>>
> I noticed that if I have multiple source files, I get logs from the last
> source only. Does that make sense?
>
> source s_sys {
>         file ("/proc/kmsg" program_override("kernel: "));
>     system();
>     internal();
>     udp(ip(0.0.0.0) port(514));
> };
>
> source s_udp { udp(ip(0.0.0.0) port(514)); };
>
> source s_alarm { udp( ip(0.0.0.0)  port(514) use_dns(persist_only) ); };
>
> log { source(s_sys); filter(f_ciena); destination(d_ciena); };
> log { source(s_alarm); filter(f_alarm); destination(d_alarm); };
>
> As soon as I commented out all the other sources and kept only s_sys, I
> started getting logs again from those routers.
>
>
OK, I verified. I cannot have two sources like this. Logs with source s_udp
stop receiving data.

source s_udp { udp(ip(0.0.0.0) port(514)); };
source s_alarm { udp( ip(0.0.0.0)  port(514) use_dns(persist_only) ); };

I need most sources to use the default use_dns(yes) and only a handful of
sources with use_dns(persist_only).

How do I configure that?






-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?