Original question:

I am running Solaris 9 with the latest_recommended. I have set up my servers to send their syslog messages to a central server, and then set up that server as a relay server to forward all syslog messages to a third server. This works, but the messages sent to the third server are stripped of the originating server's hostname and state that they are only from the relay server. I have researched this but have not come up with any solutions; any help would be appreciated.

Many thanks to those who have responded. I was provided enough information to move forward researching certain directions to solve my problem. I gathered that this cannot be solved with syslog alone; I would need to explore syslog-ng, port redirect, or a home-grown modification to syslog or a forwarding script. I am researching port redirection and syslog-ng as they have the best chance of being accepted, as this is a highly hardened environment.

Feedback:

-------------------------------------------

This is in the syslog protocol. Your only real alternative is syslog-ng.

Rob++
-- 
Internet: windsor@warthog.com
Life: Rob@Carrollton.Texas.USA.Earth

--------------------------

Eric,

The Solaris syslog daemon does not follow the formal spec for the syslog protocol (RFC3164) in constructing messages to other hosts, in that they are missing the hostname field that a proper implementation would use to preserve the original source. Instead, Solaris marks messages with hostnames based on what IP address they are coming from, which can lead to all sorts of interesting effects if you are not prepared for it.

The only solution to this that I've heard of is to replace the Solaris syslogd with the open source syslog-ng, which uses the hostname field and can be configured to 'chain' hostnames in that field so that relayed messages carry an audit trail of how they were relayed. I can't really recommend for or against using syslog-ng, as I've not tried it myself. I can recommend that if you want to try that, you should be very careful in its build configuration and its running configuration to make sure that you catch all of the Solaris interfaces into syslog (read the syslog-ng docs for details.) The home page for syslog-ng is at http://www.balabit.com/products/syslog_ng/

-- 
Bill Cole

-------------------------------------------

I assume this is because of some sort of network/firewall config. How about port redirecting instead of using an actual syslog server in the middle: end servers are told to use the server in the middle, but a port redirect on there actually lands them at the end syslog server.

the hatter

-----------------------------------------

I thought we were the only people that suffered from this!

It's an inherent problem with the syslog implementation. Some years ago we extracted from Sun the source for syslogd and have made a number of 'local' modifications to resolve what we see as problems. One of which is the loss of the originating hostname. To overcome this shortfall we implemented a new config target ... !hostname ... this is very similar to the ....@hostname.... directive but it forwards syslog messages with uucp style bang paths so that the receiver gets all the routing. Of course it can ONLY be used to forward to one of our modified syslogds - since they understand the syslog UDP messages.

We had to sign an NDA to get the syslogd source but with OpenSolaris out there now we are planning to see if they will adopt at least some of our work - and this will be one of the bits we hope to contribute.

We haven't back-ported the work to Solaris 9 syslogd - but that might be easy. If so, would you be interested in a binary?

Martin Wheatley
CODAS, UKAEA, Culham Division
Culham Science Centre, Abingdon, Oxfordshire, OX14 3DB, United Kingdom
Voice : +44-(0)1235 464784
Mobile: +44-(0)468 894818
FAX : +44-(0)1235 464404
E-mail: Martin.Wheatley@JET.UK or Martin.Wheatley@UKAEA.Org.UK

----------------------------------------------------

I don't believe there is an easy solution. In syslog messages, the source host information is simply nowhere in the application layer payload. The receiving syslog server uses the source IP address to figure out who sent the message.

You have two possible solutions: you can get the messages to the final server with the source IP intact, or add the sender to the message payload. The first is easiest done by simply routing the messages directly to the final server. Other options require nasty spoofing by the intermediate server which requires some work. The second can be done in a variety of ways too. One easy way might be to pipe the messages to a program that forwards them (could even trivially be done in Perl).

-- 
Crist J. Clark crist.clark@globalstar.com
Globalstar Communications (408) 933-4387

---------------------------------------------------

Hi Eric,

As far as I am aware the default syslog packaged with Solaris and most OSes behave this way. You will need to look into a package such as syslog-ng, which will preserve the chain of hostnames as they are relayed.

Hope this helps!

Leif Hardison
Data Center Engineer
Comverse
+1 781 223 6754 (mobile)

------------------------------------------------------------

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Thu Sep 29 08:59:53 2005
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:51 EST
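The following is an added example, not code from the thread or from any of the respondents, illustrating the second option Crist Clark describes (putting the sender into the message payload before relaying) using the RFC 3164 HOSTNAME field that Bill Cole mentions. It is a small UDP relay in Python that parses an incoming datagram, inserts a hostname derived from the source IP when the sender omitted it (the Solaris 9 behaviour described above), optionally appends the relay's own name in the style of syslog-ng's hostname chaining, and enforces the 1024-byte packet limit from RFC 3164. The hostname/relay separator ("/"), the heuristic for deciding whether the first word after the timestamp is a hostname, the sample messages and the "syslog-final.example" target are all assumptions made for this example.

```python
"""Syslog relay that preserves the originating hostname (added example).

RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME MSG, TIMESTAMP = "Mmm dd hh:mm:ss".
Solaris 9 syslogd sends "<PRI>TIMESTAMP MSG" with no HOSTNAME, so a
receiver can only label the message with the IP it arrived from. A relay
that re-sends such a message therefore becomes the apparent origin. This
relay fills the HOSTNAME field in before forwarding.
"""
import re
import socket

MAX_RFC3164_LEN = 1024  # RFC 3164 section 4.1: packets MUST be <= 1024 bytes

_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<rest>.*)$",
    re.DOTALL,
)
# Assumed heuristic: a hostname is letters, digits, dots and dashes only. A
# TAG such as "sshd[1234]:" or "su:" contains ':' or '[' and so never matches.
_HOSTNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")


def parse_rfc3164(raw):
    """Return (pri, timestamp, hostname_or_None, msg), or None if unparseable."""
    m = _HEADER.match(raw)
    if m is None:
        return None
    pri, ts, rest = int(m.group("pri")), m.group("ts"), m.group("rest")
    head, sep, tail = rest.partition(" ")
    if sep and _HOSTNAME.match(head):
        return pri, ts, head, tail          # sender already supplied HOSTNAME
    return pri, ts, None, rest              # Solaris style: HOSTNAME omitted


def _reverse_dns(ip):
    """Default lookup: short reverse-DNS name, falling back to the IP string."""
    try:
        return socket.gethostbyaddr(ip)[0].split(".")[0]
    except OSError:
        return ip


def build_relay_message(raw, source_ip, relay_name, lookup=None, chain=False):
    """Rewrite one received datagram so the final server sees the true origin.

    lookup: callable mapping a source IP to a hostname (defaults to reverse
    DNS). chain=True appends this relay's name after a '/' so the receiver
    gets an audit trail of the path; the separator is an assumption.
    Messages that do not parse are forwarded unchanged.
    """
    parsed = parse_rfc3164(raw)
    if parsed is None:
        return raw
    pri, ts, host, msg = parsed
    if host is None:
        host = (lookup or _reverse_dns)(source_ip) or source_ip
    if chain:
        host = "%s/%s" % (host, relay_name)
    out = "<%d>%s %s %s" % (pri, ts, host, msg)
    return out[:MAX_RFC3164_LEN]  # never emit an over-long packet


def relay_forever(listen_addr, target_addr, relay_name, chain=True):
    """Receive UDP syslog on listen_addr and forward rewritten copies."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(listen_addr)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        data, (src_ip, _port) = rx.recvfrom(2048)
        raw = data.decode("latin-1")      # byte-transparent decode of the payload
        out = build_relay_message(raw, src_ip, relay_name, chain=chain)
        tx.sendto(out.encode("latin-1"), target_addr)


if __name__ == "__main__":
    # Constructed sample: what a Solaris 9 sender would emit, arriving from 10.0.0.5.
    sample = "<34>Sep 29 08:59:53 sshd[1234]: Accepted publickey for eric"
    print(build_relay_message(sample, "10.0.0.5", "relay1",
                              lookup={"10.0.0.5": "web01"}.get, chain=True))
    # To run as a relay (placeholder target; replace with the real final server):
    # relay_forever(("0.0.0.0", 514), ("syslog-final.example", 514),
    #               socket.gethostname().split(".")[0])
```

Binding port 514 requires root on Solaris, so in practice the relay would run from an unprivileged port behind a port redirect of the kind "the hatter" suggests, or be started by a privileged wrapper that drops privileges after the bind; either way the final server then sees the original hostname in the payload rather than the relay's IP.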