
We have a problem where we have a device type logging with hostnames like slot1/devicename. Unfortunately, when the logs are written to disk, only the slot1 is written; since we have a number of devices, this prevents us from knowing which device sent the logs. We did a packet capture to confirm that on the wire, the hostname is slot1/devicename

options {
  long_hostnames(off);
  sync(0);
  perm(0640);
  stats(3600);
  chain_hostnames(on);
  keep_hostname(on);
  create_dirs(on);
  bad-hostname("^[0-9][0-9]*$");
};

source s_in {
  udp();
  tcp(max-connections(255));
};

destination s_files {
  file(
    "/opt/syslog-ng/$HOST/$FACILITY-$HOUR.log"
    template("$DATE $HOST $MSG\n")
    template_escape(no)
  );
};

log { source(s_in); destination(s_files); };

This is syslog-ng-2.0.9-27.34.39.2 on SUSE Linux Enterprise Server 11 SP4.

W3t Tr3y
Can you fix the broken devices? – Michael Hampton Apr 18 '19 at 20:29

Probably not, because technically they aren't broken. When you do relaying, what happens is the relaying hosts can insert their name into the host so you can track the path that they traverse. Within the appliance they are running "virtual appliances" that are forwarding to the appliance, which is then forwarding to us. TECHNICALLY slot1 is the correct hostname. What we want is the first relay in the path. To go back to why I said no: I could ask the vendor to change their appliance, but since it's technically not wrong, I'm not sure they would. – W3t Tr3y May 08 '19 at 20:44

1 Answer


My guess is that syslog-ng doesn't expect the hostname to contain a slash, so it assumes that the first part of that string is the hostname. It either drops the second part, or assumes it belongs to the next field of the message. Check the value of the $PROGRAM macro; it might contain the devicename you are looking for. (If not, check also the $HOST_FROM, $FULLHOST_FROM and $FULLHOST macros.)

If yes, you can modify the destination filename to /$HOST-$PROGRAM/, or something similar (and probably also use a filter and a separate log path for this device so the new template does not mess up the directory names of the devices that are working fine).

If that does not solve the problem, newer versions of syslog-ng can parse and rewrite log messages in a number of ways that can solve this problem, but for that you'll need to install a more recent version (2.0.9 is ancient).

HTH, Robert

Robert Fekete
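The two steps Robert describes (dump the hostname macros to see where "devicename" landed, then give the slot1 device its own filtered log path so the other hosts' directories are untouched) written out as an added syslog-ng 2.x configuration; this is not code from the question or the answer, and the filter name, destination names, file paths and the debug template are assumptions.

```conf
# Added example (assumed names and paths), syslog-ng 2.x syntax.
# Builds on the s_in source and s_files destination from the question.

# 1. Temporary debug destination: write every hostname-related macro for
#    each message so you can see which one carries "devicename".
destination d_debug {
  file("/opt/syslog-ng/debug-macros.log"
    template("$DATE host=$HOST host_from=$HOST_FROM fullhost=$FULLHOST fullhost_from=$FULLHOST_FROM program=$PROGRAM msg=$MSG\n")
    template_escape(no)
  );
};

# 2. Match only the device whose $HOST arrives as "slot1" (anchored regex),
#    so the changed directory layout never affects hosts that already work.
filter f_slot1 {
  host("^slot1$");
};

# 3. Per-device directory built from $HOST and $PROGRAM, assuming the debug
#    output confirmed that $PROGRAM holds the devicename part.
destination d_slot1_files {
  file("/opt/syslog-ng/$HOST-$PROGRAM/$FACILITY-$HOUR.log"
    template("$DATE $HOST $PROGRAM $MSG\n")
    template_escape(no)
  );
};

# Debug path; remove it once the macro values are known.
log { source(s_in); destination(d_debug); };

# slot1 messages take the per-device path and stop there (flags(final)),
# so they never fall through to the original s_files layout.
log { source(s_in); filter(f_slot1); destination(d_slot1_files); flags(final); };

# Everything else keeps the original per-host directory.
log { source(s_in); destination(s_files); };
```

Run `syslog-ng -s` against the modified file before reloading, and check debug-macros.log for one slot1 message; if $PROGRAM is empty there, try $FULLHOST in the directory template instead.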