Now when looking at this closer, let me ask this.

How can I always log FROMHOST or FROMHOST-IP for every remote host as the second field in the log entry (right after the time/date)? ...I'm not willing to trust remote hosts to provide the correct host/source IP.

Thank you,
Brano

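An added example of what the question asks for (not from the thread, and not from the rsyslog project): an rsyslog legacy-syntax template that writes the receiver-observed source address as the second field, so the entry does not rely on the HOSTNAME the device puts in its own message. The template name and /var/log/remote.log are assumed placeholders.

```rsyslog
# Added example, not from the mailing-list thread. Template name and
# log path are placeholders.
$ModLoad imudp
$UDPServerRun 514

# %timegenerated% is the receiver's own clock and %fromhost-ip% is the
# peer address of the receiving socket: both come from the local side,
# not from the message body, unlike %timereported% and %hostname%.
# %fromhost% would instead give the resolved name (usg200 in the debug
# line above, via the local hosts file). %hostname% is kept as a later
# field so the device-supplied value can still be compared against it.
$template RemoteWithSource,"%timegenerated% %fromhost-ip% %hostname% %syslogtag%%msg:::drop-last-lf%\n"

# Property-based filter: everything not from the local host goes to the
# remote log with this template, then is discarded from further rules.
:fromhost-ip, !isequal, "127.0.0.1" /var/log/remote.log;RemoteWithSource
& ~
```

Over plain UDP the socket source address can itself be forged, so for a log that must hold up as evidence, carry the feed over TCP, or TLS where the device supports it.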
On 04/08/2011 12:31 PM, Brano wrote:
Here is one debug line.

Is there a way to log FROMHOST? that's what I'm missing.

Debug line with all properties:
FROMHOST: 'usg200', fromhost-ip: '192.168.10.1', HOSTNAME: 'domain.com', PRI: 181, syslogtag 'src="74.208.229.54:', programname: 'src="74.208.229.54', APP-NAME: 'src="74.208.229.54', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Apr  8 12:22:32', STRUCTURED-DATA: '-',
msg: '0" dst="76.10.x.x:0" msg="priority:12, from WAN to ZyWALL, ICMP Type:8, service PING, ICMP Type:8, ACCEPT" note="ACCESS FORWARD" user="unknown" devID="0019cb7273a4" cat="Firewall" class="Access Control" ob="0" ob_mac="000000000000" dir="WAN:ZyWALL" protoID=1 proto="PING"' escaped msg: '0" dst="76.10.x.x:0" msg="priority:12, from WAN to ZyWALL, ICMP Type:8, service PING, ICMP Type:8, ACCEPT" note="ACCESS FORWARD" user="unknown" devID="0019cb7273a4" cat="Firewall" class="Access Control" ob="0" ob_mac="000000000000" dir="WAN:ZyWALL" protoID=1 proto="PING"' rawmsg: '<181>Apr 8 12:22:32 domain.com src="74.208.229.54:0" dst="76.10.x.x:0" msg="priority:12, from WAN to ZyWALL, ICMP Type:8, service PING, ICMP Type:8, ACCEPT" note="ACCESS FORWARD" user="unknown" devID="0019cb7273a4" cat="Firewall" class="Access Control" ob="0" ob_mac="000000000000" dir="WAN:ZyWALL" protoID=1 proto="PING"'


On 04/08/2011 01:34 AM, Rainer Gerhards wrote:
I think the incoming message is ill-formed. For background, read this:

http://www.rsyslog.com/doc/syslog_parsing.html

You can create a file via

*.* /path/to/file;RSYSLOG_DebugFormat

And post the rawmsg output. Then we can probably suggest a solution. But, as said in the paper, the proper solutions are to configure the device to emit
correct messages or create a custom parser if that's not possible.

Rainer

-----Original Message-----
From: [email protected] [mailto:rsyslog-
[email protected]] On Behalf Of Brano
Sent: Friday, April 08, 2011 4:39 AM
To: [email protected]
Subject: [rsyslog] Hostname missing from logs

I've recently switched from syslogd to rsyslogd on CentOS 5.5 due to
the need for granular network logging.
However, I've noticed one issue with my remote log.

I'm logging from a remote host called usg200 (defined in the local hosts file).
It is a ZyXel USG200 router.

With syslogd the messages in log were like this one
Apr  3 21:27:43 *usg200* domain.com src="76.10.x.x:500"
dst="76.10.x.x:500" msg="The cookie pair is : 0x6f28d9b0e98a895a /
0x3bfec
fd059520966" note="IKE_LOG" user="unknown" devID="0019cb7273a4"
cat="IKE"

With rsyslog the messages are like this
Apr  6 14:21:04 domain.com src="76.10.x.x: 500" dst="76.10.x.x:500"
msg="Recv:[HASH][NOTFY:R_U_THERE]" note="IKE_LOG" user="unknown"
devID="0019cb7273a4" cat="IKE"

Notice the usg200 hostname just after the date is missing in rsyslog. I
need to get it back. Any advice highly appreciated.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

