3com 4200G and HP A5120 syslog wrong hostname

You need additional help with phplogcon, then write into this forum.

3com 4200G and HP A5120 syslog wrong hostname

Postby lee62817 » Fri Jan 23, 2015 1:53 am

I have a 3com 4200G and a HP A5120 switch setup to log to a rsyslog server (rsyslog on centos7).

syslogtag G2-3FA-Mid-SW is 3com 4200g
syslogtag GM_1_248 is HP A5120

Image

But the host for both is 2015.

How can I configure it? E.g. switch1 or switch2
lee62817
Avarage
 
Posts: 16
Joined: Thu Jan 15, 2015 3:23 pm


Re: 3com 4200G and HP A5120 syslog wrong hostname

Postby rgerhards » Sat Jan 24, 2015 1:10 pm

I guess that the root cause is invalid message format and the misformatting happens at the rsyslog side. So let's first see what rsyslog gets and detects.

To do so, please add

*.* /var/log/msgdebug.log;RSYSLOG_DebugFormat

to your rsyslog.conf. This generates multi-line entries for each message. Pick one entry of those in question and paste it into the forum thread.
rgerhards
Site Admin
 
Posts: 3806
Joined: Thu Feb 13, 2003 11:57 am

Re: 3com 4200G and HP A5120 syslog wrong hostname

Postby levipederson » Tue Apr 07, 2015 3:37 pm

All,

I'm having the same issue as well, though mine is limited to distinct IPs. Here is an obfuscated output of the debug.
Code:
Debug line with all properties:
FROMHOST: '10.1.214.9', fromhost-ip: '10.1.214.9', HOSTNAME: '10.1.214.9', PRI: 189,
syslogtag '36265:', programname: '36265', APP-NAME: '36265', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Apr  7 09:33:51', STRUCTURED-DATA: '-',
msg: ' RP/0/RSP0/CPU0:Apr  7 14:33:51.207 : config[65844]: %MGBL-SYS-5-CONFIG_I : Configured from console by ****on vty0 (10.13.255.18) '
escaped msg: ' RP/0/RSP0/CPU0:Apr  7 14:33:51.207 : config[65844]: %MGBL-SYS-5-CONFIG_I : Configured from console by **** on vty0 (10.13.255.18) '
inputname: imudp rawmsg: '<189>36265: RP/0/RSP0/CPU0:Apr  7 14:33:51.207 : config[65844]: %MGBL-SYS-5-CONFIG_I : Configured from console by ***** on vty0 (10.13.255.18) '
$!:
$.:
$/:


Where can I force the Rsyslog to make it take the "hostname" from the Device it's receiving the Syslog from?

I'm assuming I have to make some variable changes in the rsyslog.conf?

Note I'm using Rsyslog with Loganalyzer with MYSQL as my base.

Thank you,
levipederson
New
 
Posts: 7
Joined: Mon Apr 06, 2015 10:00 pm

Re: 3com 4200G and HP A5120 syslog wrong hostname

Postby rgerhards » Tue Apr 07, 2015 3:47 pm

Well, even I as a human cannot figure out what the hostname may be. Do you find it somewhere in rawmsg?

Side-note: the message is severely malformed, I would say it's not a syslog message at all...
rgerhards
Site Admin
 
Posts: 3806
Joined: Thu Feb 13, 2003 11:57 am

Re: 3com 4200G and HP A5120 syslog wrong hostname

Postby levipederson » Tue Apr 07, 2015 4:02 pm

Rgr,

Hmm. I am unaware as to where that rawmsg may sit. I followed the previous instructions and expanded the Debug. Where might I start to look for the original Message?

Thank you,
levipederson
New
 
Posts: 7
Joined: Mon Apr 06, 2015 10:00 pm

Re: 3com 4200G and HP A5120 syslog wrong hostname

Postby rgerhards » Tue Apr 07, 2015 4:12 pm

Well, it's the field that's named "rawmsg". Here is a copy from your posting with the relevant part:

rawmsg: '<189>36265: RP/0/RSP0/CPU0:Apr 7 14:33:51.207 : config[65844]: %MGBL-SYS-5-CONFIG_I : Configured from console by ***** on vty0 (10.13.255.18) '

HTH
Rainer
rgerhards
Site Admin
 
Posts: 3806
Joined: Thu Feb 13, 2003 11:57 am

Re: 3com 4200G and HP A5120 syslog wrong hostname

Postby levipederson » Tue Apr 07, 2015 4:19 pm

Rainer,

Ah, I see what you mean. You are correct, several more messages have come through the debugger with no information on their hostname. It's an ASR9001 running XR. I'll keep looking at settings on the router. I do have an SRX VC Cluster that is not only getting the correct hostname, but also getting the correct VC node. Rather frustrating.

Thank you,
levipederson
New
 
Posts: 7
Joined: Mon Apr 06, 2015 10:00 pm

Re: 3com 4200G and HP A5120 syslog wrong hostname

Postby levipederson » Tue Apr 07, 2015 5:00 pm

Rainer,

Found it!!!!

Turns out I had to do the following in Cisco

config t
logging [SyslogIP] hostnameprefix [ProperHostName]
end
yes

So I now have the Hostname in the Debug

Code:
 Debug line with all properties:
FROMHOST: '10.1.214.9', fromhost-ip: '10.1.214.9', HOSTNAME: '10.1.214.9', PRI: 189,
syslogtag '36275:', programname: '36275', APP-NAME: '36275', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Apr  7 10:47:06', STRUCTURED-DATA: '-',
msg: ' [ProperHostName] RP/0/RSP0/CPU0:Apr  7 15:47:06.780 : config[65844]: %MGBL-SYS-5-CONFIG_I : Configured from console by *** on vty0 (10.205.80.89) '
escaped msg: ' [ProperHostName] RP/0/RSP0/CPU0:Apr  7 15:47:06.780 : config[65844]: %MGBL-SYS-5-CONFIG_I : Configured from console by *** on vty0 (10.205.80.89) '
inputname: imudp rawmsg: '<189>36275: [ProperHostName] RP/0/RSP0/CPU0:Apr  7 15:47:06.780 : config[65844]: %MGBL-SYS-5-CONFIG_I : Configured from console by ****  on vty0 (10.205.80.89) '
$!:
$.:
$/:


So now my query is how to get that information INTO the field of Host

Thank you,
levipederson
New
 
Posts: 7
Joined: Mon Apr 06, 2015 10:00 pm
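
The attribution problem in this thread, as an added example that is not part of any post and is not rsyslog's own parser: the rawmsg carries only a PRI and a sequence number before the IOS XR node location, so the host has to come either from the configured hostname prefix or from the sender's IP. The sketch below parses that layout in Python; the function name, the regex and the hostname "asr9001-core" are assumptions made for illustration, and the sample lines are constructed from the rawmsg values posted above.

```python
import re

# Layout seen in the thread's rawmsg: <PRI>SEQ: [hostname-prefix] NODE:rest
# NODE is the IOS XR node location (e.g. RP/0/RSP0/CPU0). The hostname
# character class excludes "/" and ":", so NODE is never mistaken for a host.
CISCO_XR = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+):\s+"
    r"(?:(?P<host>[A-Za-z0-9][A-Za-z0-9._-]*)\s+)?"
    r"(?P<body>[A-Z]+/\d+/\w+/\w+:.*)$"
)

def attribute(rawmsg, sender_ip):
    """Return a record with the best available host for one raw message.

    sender_ip is always kept: over UDP the in-message hostname is whatever
    the sender chose to write, so it should not be the only source field.
    """
    record = {"sender_ip": sender_ip, "hostname": sender_ip,
              "hostname_source": "sender-ip"}
    m = CISCO_XR.match(rawmsg.strip())
    if not m:
        record["parsed"] = False      # not this layout; keep sender IP only
        return record
    pri = int(m["pri"])
    record.update(parsed=True, facility=pri >> 3, severity=pri & 7,
                  seq=int(m["seq"]), msg=m["body"])
    if m["host"]:
        record["hostname"] = m["host"]
        record["hostname_source"] = "message"
    return record

# Constructed samples modelled on the two rawmsg values in the thread.
WITHOUT_PREFIX = ("<189>36265: RP/0/RSP0/CPU0:Apr  7 14:33:51.207 : "
                  "config[65844]: %MGBL-SYS-5-CONFIG_I : Configured from "
                  "console by ***** on vty0 (10.13.255.18) ")
WITH_PREFIX = ("<189>36275: asr9001-core RP/0/RSP0/CPU0:Apr  7 15:47:06.780 : "
               "config[65844]: %MGBL-SYS-5-CONFIG_I : Configured from "
               "console by **** on vty0 (10.205.80.89) ")

if __name__ == "__main__":
    for raw in (WITHOUT_PREFIX, WITH_PREFIX):
        r = attribute(raw, "10.1.214.9")
        print(r["hostname"], r["hostname_source"], r["facility"], r["severity"])
```
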
