[syslog-ng] hostname not appearing correctly when receiving logs from switches

PÁSZTOR György pasztor at linux.gyakg.u-szeged.hu
Sun May 6 12:59:24 UTC 2018


Hi Joshua,

"Joshua" <aces621 at yahoo.com> wrote on 2018-05-03 at 16:40:
> Unfortunately, I do not have the luxury to perform any testing since we do not have any test switch setup and due to resources. I will be removing v3.14 and installing v3.5.
> Just to be clear, I did receive the syslog messages into the directory where I want the logs to be at. The only issue is the $HOST not displaying correctly from my Switch's syslog. From what I can see, it looks like the $HOST displayed was from the first word of the received syslog message.
> Joshua Lai

I don't understand why they didn't suggest using the syslog-ng-debun script
from the contrib dir.

#1. Reproduction doesn't need a test switch; it needs interaction on the syslog
"collector" side.

#2. If you can run another "instance" (e.g. in a Docker container, LXC, pod, domU,
whatever you have) and send a copy of every log message from at least one
switch where the effect occurs, that could help to resolve the problem.
As far as I remember you can define more than one log server in a Cisco
device's config and it will send copies to every defined syslog server.

#3. The problem in this field is usually that RFC 3164 is not a protocol,
rather a description based on the various garbage ways network vendors
implemented their logging. On the other hand, this RFC was written almost two
decades ago. One of the most inconsistent vendors on the market
I saw is Cisco. It's not easy to implement a parser which fits all of their
"flavours". I think the Balabit folks do a great job in that field.
It's worth those extra few minutes to help them out with some extra pcap.
Don't misunderstand me: I like both Cisco products and Balabit products. I
worked a lot with both of them. I'm just being realistic.

With the help of that script you could minimize the downtime of your syslog
server if they want to see the "debug log".
Anyway: if you just collect some pcap content to have examples for this
case, and the pcap file contains the whole log packets unharmed,
that could be a big help too:
based on that they can reproduce the problem by resending the packets to
syslog-ng and check their debug-mode instance.

Btw.: the debun script is "version independent", so I suggest using the
latest version from GitHub:
To look into the script:
https://github.com/balabit/syslog-ng/blob/master/contrib/syslog-ng-debun
To download via curl:
https://raw.githubusercontent.com/balabit/syslog-ng/master/contrib/syslog-ng-debun
Some docs, and example for usage:
https://github.com/balabit/syslog-ng/blob/master/contrib/README.syslog-ng-debun

Btw2.: It could also be useful information if you could share which Cisco
device produces this effect, and what the exact logging-related
configuration of that device is, e.g. Catalyst 6500 with firmware type x,
version v, and the output of `sh ru | inc log` is ...

Cheers,
Gyu
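Added illustration (not part of this thread and not syslog-ng's own parser): a minimal Python version of the naive BSD-syslog split that reproduces the symptom Joshua describes, where a message with no recognisable RFC 3164 timestamp ends up with its first word as $HOST. The two sample lines are constructed, one in plain BSD style and one in the Cisco IOS style with a sequence-number prefix; they are not packets from the reporter's switch, and the hostname sanity check is a triage heuristic, not something syslog-ng does.

```python
import re
from collections import namedtuple

# Constructed sample packets in BSD-syslog and Cisco-IOS style; not captured
# from the poster's switch.
SAMPLES = [
    "<34>May  6 12:59:24 core-sw1 %SYS-5-CONFIG_I: Configured from console",
    "<189>42: *May  6 12:59:24.123: %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up",
]

Parsed = namedtuple("Parsed", "pri timestamp host msg host_suspicious")

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 TIMESTAMP: "Mmm dd hh:mm:ss" with a space-padded day, then a space.
TS_RE = re.compile(rf"^(?:{MONTHS}) [ \d]\d \d\d:\d\d:\d\d ")
# What a HOSTNAME field should look like; anything else is a parsing smell.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")


def parse_rfc3164(raw):
    """Naive BSD-syslog split: PRI, optional TIMESTAMP, then the first
    whitespace-delimited token is taken as HOSTNAME and the rest as MSG.
    Returns None when there is no PRI at all."""
    m = PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    rest = raw[m.end():]
    ts = TS_RE.match(rest)
    timestamp = None
    if ts:
        timestamp = ts.group(0).strip()
        rest = rest[ts.end():]
    # This is the step that bites: with no recognisable timestamp, a Cisco
    # sequence number such as "42:" becomes the "hostname".
    host, _, msg = rest.partition(" ")
    return Parsed(pri, timestamp, host, msg, HOST_RE.match(host) is None)


def suspicious_hosts(lines):
    """Map line index -> parsed $HOST for every line whose host field does
    not look like a hostname; handy for triaging a text dump of a pcap."""
    out = {}
    for i, line in enumerate(lines):
        p = parse_rfc3164(line)
        if p is not None and p.host_suspicious:
            out[i] = p.host
    return out


if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_rfc3164(s))
```

Running the triage over a dump of the affected switch's packets shows at a glance which messages lack a parseable header, which is exactly what the debug-mode instance and the pcap would let the developers confirm.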

