Hi! I have an rsyslog server, version 8.36.0.
After I updated some FTOS switches the log messages are different from those with the older version.
This is an example from a switch with the older version:

Jul 19 14:46:57 jurswm22221.juris.de CES: jurswm22221: %STKUNIT0-M:CP %SSH-6-CONNECTION: Disconnected from 10.223.0.100
Jul 19 14:46:58 jurswm22221.juris.de CES: jurswm22221: %STKUNIT0-M:CP %SEC-5-LOGOUT: Exec session is terminated for user jurswadmin on line vty0 ( 10.223.0.100 ) (Reason : User Request)

After the timestamp you have the hostname, then the log message starting with CES:.
This is an example from a switch with the new FTOS version:

Jul 19 15:40:38 CES jurswm14221 %STKUNIT0-M:CP %SSH-6-CONNECTION: Disconnected from 10.223.0.100
Jul 19 15:40:38 CES jurswm14221 %STKUNIT0-M:CP %SEC-5-LOGOUT: Exec session is terminated for user jurswadmin on line vty0 ( 10.223.0.100 ) (Reason : User Request)

Interestingly, here the hostname is missing after the timestamp. It starts with the log message (CES), which doesn't have the ":" after CES and the hostname.
I made a capture file and noticed that the syslog messages are identical apart from the source IP in the UDP part, the timestamps, and the message starting with CES.
So the complete hostname that is written for switches with the older FTOS version is probably inserted by rsyslog. But why isn’t it the case with the newer versions? The reverse DNS is working.
Shade and sweet water!
Stephan
--
| Public Keys: http://fsing.rootsland.net/~stse/keys.html |
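As an added example (not part of Stephan's post and not rsyslog's own code), here is a small Python model of the RFC3164 hostname heuristic that receivers such as rsyslog's pmrfc3164 parser apply: a token after the timestamp that is immediately followed by a space is taken as the hostname, while a token that stops at ':' is treated as a tag with no hostname present, so the receiver fills in the resolved name of the UDP sender. The exact rule is a simplification and an assumption; the sample lines are constructed from the two formats quoted above, and the sender names are assumed.

```python
import re
from dataclasses import dataclass

# Constructed wire-format samples (no hostname inserted by the receiver yet),
# modelled on the two FTOS formats quoted in the post.
OLD_FTOS = ("Jul 19 14:46:57 CES: jurswm22221: %STKUNIT0-M:CP "
            "%SSH-6-CONNECTION: Disconnected from 10.223.0.100")
NEW_FTOS = ("Jul 19 15:40:38 CES jurswm14221 %STKUNIT0-M:CP "
            "%SSH-6-CONNECTION: Disconnected from 10.223.0.100")

TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
HOSTNAME_CHARS = set("abcdefghijklmnopqrstuvwxyz"
                     "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")


@dataclass
class Parsed:
    hostname: str            # what ends up in the HOSTNAME property
    hostname_from_sender: bool  # True if filled from the resolved sender
    tag: str                 # syslog TAG, trailing ':' kept if present
    msg: str


def parse_rfc3164(line: str, sender_name: str) -> Parsed:
    """Simplified hostname heuristic (assumption, not rsyslog's code):
    after the timestamp, a run of [A-Za-z0-9._-] ending right before a
    space is the HOSTNAME. If the run is cut short by another character
    such as ':', the line carries no hostname and sender_name is used."""
    m = TIMESTAMP_RE.match(line)
    if not m:
        raise ValueError("no RFC3164 timestamp")
    rest = line[m.end():]
    i = 0
    while i < len(rest) and rest[i] in HOSTNAME_CHARS:
        i += 1
    if 0 < i < len(rest) and rest[i] == " " and rest[i - 1].isalnum():
        hostname, rest, from_sender = rest[:i], rest[i + 1:], False
    else:
        hostname, from_sender = sender_name, True
    # TAG runs up to and including the first ':' or up to the first space.
    tag_end = len(rest)
    for k, ch in enumerate(rest):
        if ch in ": ":
            tag_end = k + 1 if ch == ":" else k
            break
    return Parsed(hostname, from_sender, rest[:tag_end],
                  rest[tag_end:].lstrip(" "))


def render(line: str, sender_name: str) -> str:
    """Rebuild the stored line as TIMESTAMP HOSTNAME TAG MSG."""
    p = parse_rfc3164(line, sender_name)
    return f"{TIMESTAMP_RE.match(line).group(0)}{p.hostname} {p.tag} {p.msg}"
```

Comparing the parsed hostname with the resolved sender (hostname_from_sender is False while the two names differ) is a cheap check for lines whose stored hostname is really a fixed string such as CES, which is what breaks per-device searching after a firmware format change.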

