Syslog Message Header Format
Finally I fixed my problem with huawei syslog messages! Actually I found a work around to it on my Syslog-NG server. There is a bad_hostname("regexp") directive in syslog-ng configuration file which can be used to ignore wrong hostnames extracted from syslog header messages if specified, and the cool thing is that you can use regular expresions to specify a range of hostnames matching your criteria. Once a bad_hostname matched syslog-ng will look into the IP header instead for the source address and places this address as the hostname.
But to realize what exactly the problem was I decided to take a close look into RFC 3164. Section 4.1.2 says:
- The HEADER contains two fields called the TIMESTAMP and the HOSTNAME.
- The TIMESTAMP field is the local time and is in the format of "Mmm dd hh:mm:ss" (without the quote marks)
- A single space character MUST follow the TIMESTAMP field
- The HOSTNAME field will contain only the hostname, the IPv4 address, or the IPv6 address of the originator of the message. The preferred value is the hostname
- Example: <34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8
>Oct 28 16:15:03 2006 SHZ-C2H-Router IFNET/5/UPDOWN:S[|syslog]
OK! instead of the HOSTNAME stgraight after the TIMESTAMP I see "2006" which is the YYYY part of the current date on huawei devices!
Anyway, as soon as the bad_hostname directive is there no need to bother for this kind of problem!
Labels: Linux, Monitoring, Networking, Protocols
posted by Saeed Pazoki @ 11:56 AM
2 comments
2 Comments:
The thing you should do with huawei is this:
info-center timestamp loghost no-year-date
Hi:
I am encountering the strange issue with Perl script. The perl script writes the message onto syslog.log file. When I try to print the message with date/time stamp, its printing with space character in between Hour and Minute. I tried various methods of printing the time stamp, all providing same results.
program:
# Send Syslog
#my ($sec,$min,$hour, $day, $month, $year) = localtime();
($wkday,$month,$day,$time,$year) = split(/\s+/, localtime);
$cTime = localtime();
$datestamp = sprintf("%s %0.2d", $month, $day);
($sec,$min,$hr) = localtime();
my $timestamp = sprintf("%0.2d:%0.2d:%0.2d:", $hr,$min,$sec);
# @current_time = localtime;
#$timestamp = join(":", @current_time[2,1,0]);
#my $timestamp = sprintf("%0.2d:%0.2d:%0.2d:", $current_time[2],$current_time[1],$current_time[0]);
#$timestamp = $time('Mon dd hh:mm:ss')
#syslog("info|local7", "$month $day $hour:$min:$sec: %UTIL_THRESH-4-NET: $syslogmessage");
syslog("info|local7", "$datestamp $timestamp %UTIL_THRESH-4-NET: $syslogmessage");
#syslog("info|local7", "$cTime %UTIL_THRESH-4-NET: $syslogmessage");
All options printing like this:
Nov 19 16:36:04 vssilab05 Nov 19 16: 36:04: %UTIL_THRESH-4-NET: Johns Creek - Clearwater Core DS3 below threshold (94.00%) batl01f_3.1 94 (95%)
If you have any bug related to this, let me know.
Regards
Ramesh
Post a Comment
<< Home