Mailing List Archive

Recording IP address of sender in logs
I have been using syslogd 1.4.1 for quite some time to gather syslogs
from multiple hosts, and I then have a script which separates out the
logs based on the source host. I just rebuilt my syslog server and took
the opportunity to use rsyslogd 2.0.2 instead of syslogd, but I
noticed that my syslogs no longer record the address of the source host,
which will break my scripts. Is there any way to change this behavior?

Examples -

Syslogd:

Mar 4 08:05:47 10.10.1.1 Mar 04 2008 08:05:47:
%ASA-4-106023: Deny tcp src inside:x.x.x.x/3713 dst outside:x.x.x.x/1021
by access-group "inside_access_out" [0x0, 0x0]

^^^^^^^^^

Rsyslogd:

Mar 4 08:41:17 Mar 04 2008 08:41:25: %ASA-4-106023: Deny
tcp src inside:x.x.x.x/2125 dst outside:x.x.x.x/9018 by access-group
"inside_access_out" [0x0, 0x0]
Regards,

Mark
Recording IP address of sender in logs [In reply to]
Mark,

it looks like the message format received is somewhat invalid. Rsyslog tries
to parse according to RFC 3164 but also applies legacy parsing if
it finds a way to do so. If you could provide me a wireshark capture of
the message, I could see if I can modify the parser.

HOWEVER, that shouldn't limit you from doing what you want. Nothing is fixed
in rsyslog and you can modify the format via a template. It is just the
default template that gives you the result below. Please see the rsyslog
doc on how to define another template. If you have a hard time, let me
know and I'll figure it out for you, but I am currently very busy with
new work, so I can't promise on the timeline.

HTH
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Capelle, Mark (PCMC-GB)
> Sent: Tuesday, March 04, 2008 3:43 PM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] Recording IP address of sender in logs
>
> I have been using syslogd 1.4.1 for quite some time to gather syslogs
> from multiple hosts which I then have a script which separates out the
> logs based on the source host. I just rebuilt my syslog server and took
> the opportunity to use rsyslogd 2.0.2 instead of the syslogd, but I
> noticed that my syslogs no longer record the address of the source host
> which will break my scripts. Is there any way to change this behavior?
>
> Examples -
>
> Syslogd:
>
> Mar 4 08:05:47 10.10.1.1 Mar 04 2008 08:05:47:
> %ASA-4-106023: Deny tcp src inside:x.x.x.x/3713 dst
> outside:x.x.x.x/1021
> by access-group "inside_access_out" [0x0, 0x0]
>
> ^^^^^^^^^
>
> Rsyslogd:
>
> Mar 4 08:41:17 Mar 04 2008 08:41:25: %ASA-4-106023: Deny
> tcp src inside:x.x.x.x/2125 dst outside:x.x.x.x/9018 by access-group
> "inside_access_out" [0x0, 0x0]
>
> Regards,
>
> Mark
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
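The template approach Rainer points to, as an added example that is not part of the thread and not rsyslog's own configuration: a legacy-syntax rsyslog.conf fragment that stops relying on the HOSTNAME field the parser extracts from the message body and instead records the address of the peer the message arrived from. The template name `SenderThenRaw` and the file path are made up for this example; the `$template` directive and the `timegenerated`, `fromhost`, `rawmsg` and `msg` properties are standard rsyslog property-replacer names, but which properties a given release supports should be checked against that release's documentation.

```rsyslog
# Added example (not from the thread). Legacy rsyslog.conf syntax.
#
# The default file format is built from fields the parser extracts from
# the received message, roughly:
#   %TIMESTAMP% %HOSTNAME% %syslogtag%%msg%
# When the message body is not valid RFC 3164 (the ASA message carries its
# own "Mon dd yyyy hh:mm:ss:" timestamp where the header is expected), the
# HOSTNAME field cannot be recovered from the payload, which is why the
# sender address is missing from the rsyslogd sample in the thread.
#
# This template uses only properties the receiver fills in itself:
#   timegenerated - time rsyslogd received the message
#   fromhost      - the peer the message was received from (a resolved name
#                   if DNS lookups are enabled and succeed, otherwise the IP)
#   rawmsg        - the message exactly as it arrived, untouched by the parser
$template SenderThenRaw,"%timegenerated% %fromhost% %rawmsg%\n"

# Write all remote messages with that template; a script can again split on
# the whitespace-separated sender field, as it did with the syslogd output.
*.*    /var/log/remote.log;SenderThenRaw

# rawmsg includes the leading <PRI> value. If that prefix is unwanted,
# substitute %msg% for %rawmsg% (at the cost of depending on the parser's
# split of the message). Later releases also provide %fromhost-ip%, which
# always yields the address rather than a resolved name (assumption: verify
# against the property list for the installed version).
```

The security-relevant point is that the sender field in the old syslogd output was supplied by the receiver from the UDP source, not by the remote device. A template that derives the host from `%fromhost%` keeps that property; one that derives it from `%HOSTNAME%` trusts whatever the sending device placed in the message header, which a malformed or spoofed message can leave empty or set to an arbitrary value.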