Finally I fixed
my problem with huawei syslog messages! Actually I found a work around to it on my Syslog-NG server. There is a bad_hostname("regexp") directive in syslog-ng configuration file which can be used to ignore wrong hostnames extracted from syslog header messages if specified, and the cool thing is that you can use regular expresions to specify a range of hostnames matching your criteria. Once a bad_hostname matched syslog-ng will look into the IP header instead for the source address and places this address as the hostname.
But to realize what exactly the problem was I decided to take a close look into RFC 3164. Section 4.1.2 says:
- The HEADER contains two fields called the TIMESTAMP and the HOSTNAME.
- The TIMESTAMP field is the local time and is in the format of "Mmm dd hh:mm:ss" (without the quote marks)
- A single space character MUST follow the TIMESTAMP field
- The HOSTNAME field will contain only the hostname, the IPv4 address, or the IPv6 address of the originator of the message. The preferred value is the hostname
- Example: <34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8
It has firmly defined how a syslog message format should be and to see how Huawei is complying with this format I have captured traffic from huawei routers and switches with tcpdump:
>Oct 28 16:15:03
2006 SHZ-C2H-Router IFNET/5/UPDOWN:S[|syslog]
OK! instead of the HOSTNAME stgraight after the TIMESTAMP I see "2006" which is the YYYY part of the current date on huawei devices!
Anyway, as soon as the bad_hostname directive is there no need to bother for this kind of problem!
Labels: Linux, Monitoring, Networking, Protocols
