syslog in redhat5


In RedHat 5, classic syslog is enabled and configured to forward logs to a remote syslog server. I've noticed that the forwarded logs exclude the "Date,Time" and "IP-address" of the host.

Raw log example (it is without time, date and IP address):
<85>sudo: em : TTY=unknown ; PWD=/home/em ; USER=root ; COMMAND=/usr/sbin/dmi

Also, it is not possible to change from syslog to rsyslog.
What is the solution for this issue, other than changing to rsyslog?

Responses

We started shipping rsyslog v3 in RHEL 5.2 as the rsyslog package and then added the rsyslog5 package later on. See: Matrix of rsyslog versions shipped in Red Hat Enterprise Linux

So your approach to migrate would be:

yum install rsyslog5
chkconfig syslog off; chkconfig rsyslog on
service syslog stop; service rsyslog start

All that said, if you're having trouble sending messages from sysklogd to a remote server over UDP, I first need to know what the remote machine is. Assuming rsyslog, you simply need to modify the config on the receiving rsyslog server.

As to your first question (I've noticed forwarded logs have been excluded "Date,Time" and "IP-address" of the host): I've never seen that before. If you configure RHEL5's sysklogd to send logs to rsyslog in RHEL7, it will work just fine, so the problem is on whatever log server you've got set up to receive your RHEL5 logs.

Thanks Ryan. As a first step, I need to be sure there is no other solution besides migrating to rsyslog. My remote syslog server is in fact "HP-Arcsight logger", and its platform is RHEL6 with rsyslog. I've not encountered any issue on the RHEL6 host servers (rsyslog is installed on them). Also, please note that, as I checked on the hosts with tcpdump, the logs are without "Date,Time" and "IP-address". So I guess that, regardless of the receiver, sysklogd doesn't forward logs fully. For your consideration: I have this problem on the Solaris hosts as well (on which syslog is installed), with a difference: on those hosts, the "Date,Time" is forwarded but the "IP-address" or "Hostname" is NOT.
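
An added example, not part of any post in this thread: a receiver-side normalizer that parses an RFC 3164 datagram such as the raw log quoted in the question and, where the TIMESTAMP or HOSTNAME is absent, fills them from the receive time and the UDP source address, as RFC 3164 section 4.3 describes for relays. The function name `normalize`, the tag-detection heuristic, the address 192.0.2.10, the receive time and the second and third sample payloads are assumptions constructed for illustration.

```python
import re
from datetime import datetime

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 TIMESTAMP: "Mmm dd hh:mm:ss" with a space-padded day, then a space
TS_RE = re.compile(r"^([A-Z][a-z]{2}) [ \d]\d \d\d:\d\d:\d\d ")

def normalize(datagram: bytes, source_ip: str, received: datetime) -> dict:
    """Parse one UDP syslog payload and fill missing header fields (hypothetical helper)."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:
        pri, rest = int(m.group(1)), text[m.end():]
    else:
        pri, rest = 13, text  # RFC 3164 4.3.3: no usable PRI, default to user.notice
    filled = []
    ts = TS_RE.match(rest)
    if ts and ts.group(1) in MONTHS:
        timestamp, rest = rest[:15], rest[ts.end():]
        first, _, remainder = rest.partition(" ")
        # Heuristic (assumption): a first token such as "sudo:" or "sshd[123]:"
        # is a TAG, which means the sender omitted HOSTNAME.
        if first.endswith(":") or "[" in first or not remainder:
            hostname = source_ip
            filled.append("hostname")
        else:
            hostname, rest = first, remainder
    else:
        # RFC 3164 4.3.2: no valid TIMESTAMP after PRI, so stamp the message
        # with the receive time and identify the sender by its source address.
        timestamp = f"{MONTHS[received.month - 1]} {received.day:2d} {received:%H:%M:%S}"
        hostname = source_ip
        filled += ["timestamp", "hostname"]
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": timestamp,
            "hostname": hostname, "message": rest, "filled": filled}

if __name__ == "__main__":
    when = datetime(2024, 3, 3, 10, 15, 2)  # constructed receive time
    samples = [  # first payload is the raw log from the question; the others are constructed
        b"<85>sudo: em : TTY=unknown ; PWD=/home/em ; USER=root ; COMMAND=/usr/sbin/dmi",
        b"<85>Mar  3 10:15:02 sudo: em : TTY=unknown",
        b"<85>Mar  3 10:15:02 web01 sudo: em : TTY=unknown",
    ]
    for payload in samples:
        print(normalize(payload, "192.0.2.10", when))
```

The `filled` list records which fields came from the receiver rather than the sender, which matters when correlating events, since a receive-time stamp and a source address are not the same evidence as a sender-supplied time and hostname.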
