[syslog-ng] Irregular Behaviour With Snare Agent (syslog-ng or Snare?)
wiskbroom at hotmail.com
Tue May 13 16:48:31 CEST 2008
Greetings;
I currently have syslog-ng.conf set up to place data into logs in the following way:
/var/log/MyHosts/SambaServers/$FULLHOST.log
When the logs are created, they are placed under:
/var/log/MyHosts/SambaServers/samba-1.mynet.org/samba-1.mynet.org.log
The contents for the hostname field in logs from samba-1 look like this:
May 13 10:32:55 samba-1.mynet.org/samba-1.mynet.org
Because of the double entry in syslog, all looks fine and logs are stored in nice neat folders named after the host that sent them, great.
I have, however, a few MS Wintel servers that I am using Snare on to send syslog data, and their logs look like:
May 13 10:36:15 samba-2.mynet.org MSWinEventLog 1 Security
As you can see, the logs from this host do not contain the hostname twice, therefore logs for this host are stored as:
/var/log/MyHosts/SambaServers/samba-2.mynet.org.log
I can create a rule like /var/log/MyHosts/SambaServers/$FULLHOST/$FULLHOST.log for just these hosts, but that will not solve my problem long term, especially as I am considering implementing Snare site-wide.
Could someone please advise as to whether there is an easy fix for this, or should I cease using Snare?
Thanks in advance,
.vp
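An added example, not code from the post above or from syslog-ng itself: a small Python model of what the $FULLHOST file-destination template does with the two HOST shapes quoted in the post (the chained "samba-1.mynet.org/samba-1.mynet.org" value and the plain Snare value), and the normalisation a practitioner would want before a sender-supplied hostname is allowed to choose a file path. The sample log lines are constructed, modelled on the two in the post, with a third line whose hostname field is deliberately hostile; the base directory and templates are the ones from the post, while the assumption that the first element of a slash-separated chain is the originating host, the "_invalid"/"_unparsed" fallback names and all function names are mine. Check the chain_hostnames() and keep_hostname() options in the documentation for your syslog-ng version before relying on that ordering.

```python
"""Model of a syslog-ng file-destination template fed by the HOST field.

Added example: not code from the original post or from syslog-ng.
"""
import os
import re
from typing import List, Optional

# Constructed sample lines, modelled on the two shapes quoted in the post
# (a chained "host/host" value and a plain Snare value), plus one line whose
# hostname field is deliberately hostile. None of these are real logs.
SAMPLE_LINES = [
    "May 13 10:32:55 samba-1.mynet.org/samba-1.mynet.org smbd[1234]: connect to service share",
    "May 13 10:36:15 samba-2.mynet.org MSWinEventLog\t1\tSecurity\t4624\tlogon",
    "May 13 10:40:00 ../../etc/cron.d/evil MSWinEventLog\t1\tSecurity\t4625\tfail",
]

BASE_DIR = "/var/log/MyHosts/SambaServers"
FLAT_TEMPLATE = BASE_DIR + "/$FULLHOST.log"              # the template from the post
NESTED_TEMPLATE = BASE_DIR + "/$FULLHOST/$FULLHOST.log"  # the per-host variant from the post

# BSD syslog header: "Mmm dd hh:mm:ss HOST ..."; HOST is everything up to the next space.
_HEADER = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) ")
# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with "-".
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def header_host(line: str) -> Optional[str]:
    """Return the HOST field of a BSD-style syslog line, or None if it does not parse."""
    m = _HEADER.match(line)
    return m.group("host") if m else None


def chain_components(host: str) -> List[str]:
    """Split a slash-separated hostname chain into its elements."""
    return host.split("/")


def is_valid_hostname(host: str) -> bool:
    """True if every dot-separated label is a syntactically valid DNS label."""
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.split("."))


def origin_host(host: str) -> str:
    """Collapse a chained HOST value to a single, validated hostname.

    ASSUMPTION (mine, not from the post): the first element of the chain is
    the originating host. Anything that is not a well-formed hostname maps to
    "_invalid" so it can never contribute a path separator or ".." to a path.
    """
    origin = chain_components(host)[0]
    return origin if is_valid_hostname(origin) else "_invalid"


def expand_template(template: str, value: str) -> str:
    """Substitute $FULLHOST in a destination template (the only macro modelled here)."""
    return template.replace("$FULLHOST", value)


def raw_destination_path(line: str, template: str = FLAT_TEMPLATE) -> str:
    """Path produced when the HOST field is expanded into the template untouched."""
    return expand_template(template, header_host(line) or "_unparsed")


def destination_path(line: str, template: str = NESTED_TEMPLATE) -> str:
    """Path produced after collapsing the chain and validating the hostname."""
    host = header_host(line)
    return expand_template(template, origin_host(host) if host else "_unparsed")


def escapes_base(path: str, base: str = BASE_DIR) -> bool:
    """True if the normalised path lies outside the intended log directory."""
    base_n = os.path.normpath(base)
    return os.path.commonpath([base_n, os.path.normpath(path)]) != base_n


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        raw = raw_destination_path(line)
        print("raw   :", raw, "(escapes base!)" if escapes_base(raw) else "")
        print("fixed :", destination_path(line))
```

Run as a script it prints, for each sample line, the path the untouched HOST value produces under the post's flat template and the path produced after normalisation under the per-host template; the first two lines reproduce the nested-versus-flat split described in the post, and the third shows why the hostname field deserves validation: it is whatever the sending host wrote into the message, so a file destination that expands it directly is steering file names on sender-supplied input. Whether a given syslog-ng release sanitises the HOST field before expanding it is something to verify against that release's documentation rather than assume.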