[syslog-ng] syslog-ng is skipping syslog events with no PRI

Scheidler, Balázs balazs.scheidler at balabit.com
Thu Mar 22 04:38:26 UTC 2018


On Wed, Mar 21, 2018 at 3:49 PM, Asif Iqbal <vadud3 at gmail.com> wrote:

>
>
> On Wed, Mar 21, 2018 at 10:29 AM, Asif Iqbal <vadud3 at gmail.com> wrote:
>
>>
>>
>> On Wed, Mar 21, 2018 at 9:58 AM, Fabien Wernli <wernli at in2p3.fr> wrote:
>>
>>> On Wed, Mar 21, 2018 at 09:46:32AM -0400, Asif Iqbal wrote:
>>> > My client hostname is svl-search-01 and its IP resolves to svl-remote-01.
>>> > Its syslogs do not have any PRI or hostname in HOST field.
>>> >
>>> > I like to have svl-search-01 in the HOST field.
>>>
>>> In that case the only sensible options are:
>>>
>>> * upgrade & use add-contextual-data
>>>
>>>   or
>>>
>>> * use /etc/hosts and keep-hostname(no)
>>>
>>>
>> I noticed if I have multiple source files I only get logs from the last
>> source only. Does that make sense?
>>
>> source s_sys {
>>     file ("/proc/kmsg" program_override("kernel: "));
>>     system();
>>     internal();
>>     udp(ip(0.0.0.0) port(514));
>> };
>>
>> source s_udp { udp(ip(0.0.0.0) port(514)); };
>>
>> source s_alarm { udp( ip(0.0.0.0)  port(514) use_dns(persist_only) ); };
>>
>> log { source(s_sys); filter(f_ciena); destination(d_ciena); };
>> log { source(s_alarm); filter(f_alarm); destination(d_alarm); };
>>
>> As soon as I commented all the other sources and only kept the s_sys, I
>> started getting logs again from
>> those routers.
>>
>>
> OK, I verified. I cannot have two sources like this. Logs with source s_udp
> stop receiving data.
>
> source s_udp { udp(ip(0.0.0.0) port(514)); };
> source s_alarm { udp( ip(0.0.0.0)  port(514) use_dns(persist_only) ); };
>


syslog-ng should report this issue at startup and not start. Did it do that
properly?


>
> I need most sources to use the default use_dns(yes) and only a handful of
> sources with use_dns(persist_only).
>


You'd have to use separate ports or IPs for this to work.


>
> How do I configure that?
>
>
>
>
>>
>>
>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>>
>>
>>
>> --
>> Asif Iqbal
>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>> A: Because it messes up the order in which people normally read text.
>> Q: Why is top-posting such a bad thing?
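The listener conflict discussed in this thread, as an added example that is not part of the original messages or of syslog-ng itself: a small Python check that flags `udp()` sources claiming the same IP and port, run against the two sources from the thread and against a constructed variant that follows the "separate ports" advice. The function name `shared_listeners` and port 5514 are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The two sources from the thread: both claim UDP 0.0.0.0:514.
CONFLICTING = """
source s_udp { udp(ip(0.0.0.0) port(514)); };
source s_alarm { udp( ip(0.0.0.0)  port(514) use_dns(persist_only) ); };
"""

# Constructed fix following the "separate ports" advice; 5514 is an assumed
# free port that the persist_only senders would be pointed at.
SEPARATED = """
source s_udp { udp(ip(0.0.0.0) port(514)); };
source s_alarm { udp(ip(0.0.0.0) port(5514) use_dns(persist_only)); };
"""

# "source <name> { ... };" blocks; log-path references like source(s_udp) do not match.
SOURCE_RE = re.compile(r"\bsource\s+(\w+)\s*\{(.*?)\}\s*;", re.S)
# Argument list of a udp(...) driver, allowing one level of nested option(...).
UDP_RE = re.compile(r"\budp\s*\(((?:[^()]|\([^()]*\))*)\)")
IP_RE = re.compile(r"\bip\s*\(\s*([^)\s]+)\s*\)")
PORT_RE = re.compile(r"\bport\s*\(\s*(\d+)\s*\)")


def shared_listeners(config):
    """Map (ip, port) -> source names for UDP sockets claimed by 2+ sources."""
    owners = defaultdict(list)
    for name, body in SOURCE_RE.findall(config):
        for args in UDP_RE.findall(body):
            ip = IP_RE.search(args)
            port = PORT_RE.search(args)
            # udp() listens on 0.0.0.0:514 when ip()/port() are omitted.
            key = (ip.group(1) if ip else "0.0.0.0",
                   int(port.group(1)) if port else 514)
            owners[key].append(name)
    return {k: v for k, v in owners.items() if len(v) > 1}


if __name__ == "__main__":
    for label, cfg in (("thread config", CONFLICTING), ("separate ports", SEPARATED)):
        clashes = shared_listeners(cfg)
        print(label, "->", clashes or "no shared listeners")
```

Running a check like this before a reload catches the case where one source silently stops receiving messages, which on a log collector means a gap in the audit trail.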