According to support, when using a Syslog-NG server, the Syslog-NG server itself should have "Remove relay headers" de-selected, and all the devices that are being forwarded should have it selected. But in working with my client, all messages coming across are undefined for AIX, Linux and Solaris when we set it up this way. The devices are "discovered" as unknown, and we have to manually set the device type.
Here is an example of an AIX SU event.
Mar 2 15:14:36 WebServer1 su: BAD SU from 188.8.131.52 to root at /dev/pts/1
In the enVision event viewer, we have the Index | Date/Time | Device | and then the Event, which does not contain the date/time or hostname.
Here is what we see in the event field:
su: from root to oracle at /dev/pts/3
sshd: Accepted password for xxxxxxx from 184.108.40.206 port 999 ssh2
Shouldn't they read:
Jun 8 12:40:33 220.127.116.11 su: from root to oracle at /dev/pts/3
Jun 8 12:40:33 18.104.22.168 sshd: Accepted password for xxxxxxx from 22.214.171.124 port 999 ssh2
Is this portion being removed by the remove relay header setting? enVision does not appear to recognize the events without this info. We created some dummy records in Solaris that had this date/time and host info, and the events were recognized.
This was recognized as an event by enVision for Solaris:
Jun 8 12:40:33 126.96.36.199 cacao_launcher: [ID 702911 daemon.crit] SUNWcacaort launcher : No retries available
This was *not* recognized:
cacao_launcher: [ID 702911 daemon.crit] SUNWcacaort launcher : No retries available
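To make the question concrete, here is an added example (not from the post, and not enVision or syslog-ng code) that models what stripping a BSD-style syslog header does to a collector's ability to identify the sending device. It assumes a relay simply prepends its own "timestamp host" header in front of the device's original header; the relayed line below is constructed for illustration, while the single-header lines are the ones quoted in the post.

```python
import re

# One BSD-style (RFC 3164) syslog header: "Mon dd HH:MM:SS hostname " followed by the message body.
HEADER_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$'
)


def strip_header(line):
    """Remove exactly one leading syslog header. Returns (header dict or None, remaining text)."""
    m = HEADER_RE.match(line)
    if not m:
        return None, line
    return {"timestamp": m.group("ts"), "host": m.group("host")}, m.group("body")


def remove_relay_headers(line, hops):
    """Model of a 'remove relay headers' step: strip up to `hops` leading headers.
    Stripping more headers than there are relays eats the device's own header."""
    for _ in range(hops):
        hdr, line = strip_header(line)
        if hdr is None:
            break
    return line


def identify(line):
    """What a collector can learn from a line: device host from the header, program from 'prog: ...'."""
    hdr, body = strip_header(line)
    prog = body.split(":", 1)[0] if ":" in body else None
    return {"host": hdr["host"] if hdr else None, "program": prog, "device_known": hdr is not None}


if __name__ == "__main__":
    # Lines quoted in the post: one with a header (recognized), one without (not recognized).
    for sample in (
        "Mar 2 15:14:36 WebServer1 su: BAD SU from 188.8.131.52 to root at /dev/pts/1",
        "cacao_launcher: [ID 702911 daemon.crit] SUNWcacaort launcher : No retries available",
    ):
        print(identify(sample))
    # Constructed relayed line (assumption: the relay prepends its own header).
    relayed = ("Jun 8 12:40:33 relayhost "
               "Jun 8 12:40:33 WebServer1 su: BAD SU from 188.8.131.52 to root at /dev/pts/1")
    print(identify(remove_relay_headers(relayed, 1)))  # relay header gone, device still known
    print(identify(remove_relay_headers(relayed, 2)))  # device header gone too, host is None
```

Running it shows the same split the post observes: a line that still carries "date/time host" yields a device host, while a line stripped down to "prog: ..." yields none.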