According to support, when using a Syslog-NG server, the Syslog-NG server itself should have "Remove relay headers" de-selected, and all the devices that are being forwarded should have it selected. But in working with my client, all messages coming across are undefined for AIX, Linux and Solaris when we set it up this way. The devices are "discovered" as unknown, and we have to manually set the device type.
Here is an example of an AIX SU event.
Mar 2 15:14:36 WebServer1 su: BAD SU from 184.108.40.206 to root at /dev/pts/1
In the enVision event viewer, we have the Index | Date/Time | Device | and then the Event, which does not contain the date/time or hostname.
Here is what we see in the event field:
su: from root to oracle at /dev/pts/3
sshd: Accepted password for xxxxxxx from 220.127.116.11 port 999 ssh2
Shouldn't they read:
Jun 8 12:40:33 18.104.22.168 su: from root to oracle at /dev/pts/3
Jun 8 12:40:33 22.214.171.124 sshd: Accepted password for xxxxxxx from 126.96.36.199 port 999 ssh2
Is this portion being removed by the remove relay header setting? enVision does not appear to recognize the events without this info. We created some dummy records in Solaris that had this date/time and host info, and the events were recognized.
This was recognized as an event by enVision for Solaris:
Jun 8 12:40:33 188.8.131.52 cacao_launcher: [ID 702911 daemon.crit] SUNWcacaort launcher : No retries available
This was *not* recognized:
cacao_launcher: [ID 702911 daemon.crit] SUNWcacaort launcher : No retries available
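The recognized and unrecognized lines above differ only in whether the BSD-syslog (RFC 3164) header "Mmm dd HH:MM:SS host" is still present when the message reaches enVision. As an added example, not part of the original post or of enVision, the following checker parses captured lines and reports which ones arrived header-less, which is a quick way to confirm what the "Remove relay headers" setting is actually delivering; the regex shape and the field names are assumptions.

```python
import re

# RFC 3164 header as seen in the recognized lines: "Mmm dd HH:MM:SS host tag[pid]: msg".
# Assumption: the host is separated from the tag by a space (a fused "hostsshd:" will not match).
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)

# Lines quoted from the post above (IP addresses as they appear there).
SAMPLE_LINES = [
    "Mar 2 15:14:36 WebServer1 su: BAD SU from 184.108.40.206 to root at /dev/pts/1",
    "su: from root to oracle at /dev/pts/3",
    "sshd: Accepted password for xxxxxxx from 220.127.116.11 port 999 ssh2",
    "Jun 8 12:40:33 18.104.22.168 su: from root to oracle at /dev/pts/3",
    "Jun 8 12:40:33 22.214.171.124 sshd: Accepted password for xxxxxxx from 126.96.36.199 port 999 ssh2",
    "Jun 8 12:40:33 188.8.131.52 cacao_launcher: [ID 702911 daemon.crit] SUNWcacaort launcher : No retries available",
    "cacao_launcher: [ID 702911 daemon.crit] SUNWcacaort launcher : No retries available",
]


def parse_syslog_line(line: str) -> dict:
    """Split a line into header fields; mark it header-less if the timestamp/host prefix is gone."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if m:
        fields = m.groupdict()
        fields["has_header"] = True
        return fields
    # No header: keep the raw text and the program tag (text before the first ": ").
    stripped = line.strip()
    return {"has_header": False, "tag": stripped.split(": ", 1)[0], "msg": stripped}


def summarize(lines) -> dict:
    """Count lines with and without the relay header and list the tags that lost it."""
    parsed = [parse_syslog_line(l) for l in lines]
    headerless = [p for p in parsed if not p["has_header"]]
    return {
        "with_header": len(parsed) - len(headerless),
        "without_header": len(headerless),
        "headerless_tags": sorted({p["tag"] for p in headerless}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Feed it a capture of what the collector receives (for example, lines written by a tcpdump/tshark export or a debug log); a non-zero "without_header" count means the device-discovery header is being stripped before enVision sees the event.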