Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

AIX log ingestion issue

Copper Contributor

I am sending AIX logs to a central rsyslog server and using the Syslog Connector to pull the logs into Azure Sentinel. The ComputerName field is populating as `Message` and not the actual hostname or IP of the system. Anyone have thoughts on how to fix this?

3 Replies

Long story short, AIX adds a "Message forwarded by $hostname" string. You have to start syslogd on AIX with the flags:

startsrc -a -n -s syslogd

same issue i am facing.
@ackmysyn, i did as you suggested but still hostname ip address is not coming in logs.
any help will be highly appreciated


The "-n" flag is programed to suppress the "Message forwarded from <log_host_name>: " string in the beginning of the forwarded syslog messages.

 

The issues happen with older AIX 6.1 and AIX 5.3.

 

This is how syslogd looks in AIX 6.1 process table:

root 57868508 4718660 0 May 23 - 1:01 /usr/sbin/syslogd -n

 

And this is how it looks in AIX 7.2 process table:

root 4129234 1311450 0 Feb 06 - 0:10 /usr/sbin/syslogd

 

What you need to do to clear out the "-n" flag is this:

# chssys -s syslogd -a ""
# stopsrc -s syslogd; startsrc -s syslogd