Syslog-ng and Cisco logging issues

AC!D-RXN

Hello everyone,

I am currently working on setting up a Debian box as a central syslog server.
One goal of this server is to filter syslog messages into different folders based on what server they were sent by.
This works as expected with all devices EXCEPT for my cisco wireless controllers.

When they log:
Code:
Jun 02 20:52:29.063 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP identity request retries (21) exceeded for client 00:19:d2:78:ee:8f
Jun 02 20:52:09.663 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP identity request retries (21) exceeded for client 00:13:e8:d9:9d:eb
Jun 02 20:50:49.064 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: Max EAP identity request retries (21) exceeded for client 00:19:d2:78:ee:8f

My syslog-ng, rather than filtering these into a folder given by the wireless controller's IP/hostname, creates folders named .063 and .064.

It seems like syslog-ng is reading the microsecond portion of the timestamp as the hostname! After sniffing some other syslog messages, I noticed that ONLY these cisco devices have timestamps that include microseconds.

Does anyone have any idea how to work around this and filter the Cisco messages by hostname? Some way to truncate the timestamp or force it to look further to find the actual hostname?

Just FYI I will post the relevant portion of my syslog-ng.conf:

Code:
source remote_src { udp(); tcp(); };
destination remote_syslog { 
	file(
		"/usr/local/syslog/$HOST/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.log" 
		owner(root) 
		group(root) 
		perm(0644) 
		dir_perm(0755) 
		create_dirs(yes)
	);
};

### added 4-16-08 all three wireless controllers destinations
### manually creating directory names

destination wir-c-syd-3-00 {
	file(
		"/usr/local/syslog/wir-c-syd-3-00/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.log"
		owner(root)
		group(root)
		perm(0644)
		dir_perm(0755)
		create_dirs(yes)
	);
};

filter wir-c-syd-3-00 { netmask(172.25.198.10/32); };

log {
	source(remote_src);
	filter(wir-c-syd-3-00);
	destination(wir-c-syd-3-00);
};
 
I got this resolved - the guys at syslog-ng put out a patch that truncates the microseconds from cisco logs.
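The mis-parse described in the first post, modelled as an added Python example (this is not syslog-ng's parser and not code from the thread). The sample lines are the Cisco WLC messages quoted above plus one constructed conventional BSD-syslog line; the sender addresses and the year are constructed too, since an RFC 3164 timestamp carries no year. `naive_host` reproduces how a parser that expects exactly `Mmm dd hh:mm:ss` ends up with `.063` as the host; `parse_header` accepts the fractional seconds, checks that the next token actually looks like a hostname, and otherwise uses the transport-level sender address, which is what the `netmask()` filter in the config keys on anyway.

```python
import re
from datetime import datetime

# Constructed sample input: (sender address, raw line as received over UDP).
# The first two lines are the Cisco WLC format quoted in the thread; the third
# is a conventional BSD-syslog line that does carry a hostname field.
SAMPLES = [
    ("172.25.198.10",
     "Jun 02 20:52:29.063 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: "
     "Max EAP identity request retries (21) exceeded for client 00:19:d2:78:ee:8f"),
    ("172.25.198.10",
     "Jun 02 20:50:49.064 1x_auth_pae.c:2488 DOT1X-3-MAX_EAP_RETRIES: "
     "Max EAP identity request retries (21) exceeded for client 00:19:d2:78:ee:8f"),
    ("10.0.0.5",
     "Jun  2 20:51:00 fileserver01 sshd[1234]: Accepted publickey for admin"),
]

# RFC 3164 header "Mmm dd hh:mm:ss HOST ...", extended with an optional
# fractional-second suffix that the RFC does not allow but the controllers emit.
HEADER_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})(?P<frac>\.\d{1,6})?\s+(?P<rest>.*)$"
)

# Heuristic hostname check: letters, digits, dots and hyphens only, no leading
# or trailing dot/hyphen. This rejects ".063" and "1x_auth_pae.c:2488", and also
# keeps "/" out of anything that later becomes a directory name.
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def naive_host(line):
    """Reproduce the thread's failure: expect exactly 'Mmm dd hh:mm:ss' and
    take the next whitespace-delimited token as HOST, whatever it is."""
    m = re.match(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}", line)
    if not m:
        return None
    tokens = line[m.end():].split()
    return tokens[0] if tokens else None


def parse_header(line, sender_ip, year):
    """Tolerant parse: accept fractional seconds, validate the HOST token and
    fall back to the sender address when the token is not a hostname."""
    m = HEADER_RE.match(line)
    if not m:
        # No BSD-style header at all: keep the whole line as the message.
        return {"host": sender_ip, "host_from": "sender",
                "timestamp": None, "msg": line}
    frac = m.group("frac") or ""
    fmt = "%Y %b %d %H:%M:%S.%f" if frac else "%Y %b %d %H:%M:%S"
    ts = datetime.strptime(
        f"{year} {m.group('mon')} {int(m.group('day'))} {m.group('time')}{frac}", fmt)
    rest = m.group("rest")
    first, _, remainder = rest.partition(" ")
    if HOST_RE.match(first):
        return {"host": first, "host_from": "message",
                "timestamp": ts, "msg": remainder}
    # Token after the timestamp is not a hostname: the message has no HOST
    # field, so trust the transport-level sender instead.
    return {"host": sender_ip, "host_from": "sender", "timestamp": ts, "msg": rest}


def log_path(base, rec, received=None):
    """Build the path the thread's destination template produces:
    $HOST/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.log. `received` (the arrival time)
    is used only when the line carried no parseable timestamp."""
    ts = rec["timestamp"] or received
    return f"{base}/{rec['host']}/{ts:%Y}/{ts:%m}/{ts:%Y-%m-%d}.log"


if __name__ == "__main__":
    for ip, line in SAMPLES:
        rec = parse_header(line, ip, year=2008)
        print(f"naive HOST={naive_host(line)!r:16} tolerant HOST={rec['host']} "
              f"({rec['host_from']}) -> {log_path('/usr/local/syslog', rec)}")
```

For the two controller lines the naive parser yields `.063` and `.064`, the tolerant one files them under `172.25.198.10`, and the ordinary line still goes under `fileserver01`. The hostname check is a heuristic: a message whose first word after the timestamp happens to look like a hostname would still be misattributed, so keying the per-device destination on the sender address (as the `netmask()` filter in the posted config does) is the more robust fix; the vendor patch mentioned in the reply takes the other route of removing the fraction before the host field is parsed.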