<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi,<br>
<br>
Tim Boyer írta:
<blockquote cite="mid:4AF41113.2090507@denmantire.com" type="cite">
<pre wrap="">Balazs Scheidler wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Wed, 2009-11-04 at 15:05 -0500, Tim Boyer wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I'm running syslog-ng 3.03 on a RHEL5 system, sending logs to various files
like so:
# global log files
destination deservers {
file("/var/log/$HOST.log" owner(root) group(hobbit) perm(0640));
};
It's working fine on the Linux boxes. But I'm using Adiscon's EventLog on
my Windows machines, and the $HOST name on them are coming up in all caps.
[root@buran log]# ls -la /var/log/*.log
...
-rw-r----- 1 root hobbit 282 Nov 4 14:37 /var/log/KANTECH.log
-rw-r----- 1 root hobbit 535181 Nov 4 14:24 /var/log/PLCDATA.log
Where's this $HOST macro get its data from? The DNS entry is lower case;
the full computer name on the Windows box is lower case. I don't see where
the upper is coming from, unless it's one of those weird Windows-to-Unix
translation things.
Not a big deal, but a bit of an annoyance. Thanks for any help.
</pre>
</blockquote>
<pre wrap="">I guess the client is sending the hostname in all caps, you can confirm
it with tcpdump.
You can force lowercase hostnames using the option:
normalize-hostnames(yes)
</pre>
</blockquote>
<pre wrap=""><!---->
Balazs -
Looks like I spoke too soon. Something odd is happening.
I put the option into the conf file:
@version: 3.0
#
# global options
#
options {
normalize_hostnames(yes);
use_fqdn(no);
use_dns(yes);
dns_cache(yes);
keep_hostname(yes);
long_hostnames(off);
create_dirs(yes);
}
</pre>
</blockquote>
You should not use "keep_hostname" in the part of global options
because this one will block rewriting of the hostname (see syslog-ng
admin guide:
<a class="moz-txt-link-freetext" href="http://www.balabit.hu/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s09.html">http://www.balabit.hu/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s09.html</a>).<br>
If you need it really use this option in every source where you need it<br>
<blockquote cite="mid:4AF41113.2090507@denmantire.com" type="cite">
<pre wrap="">and restarted last night. I deleted all of the upper-case log files.
One worked - I've got this file:
-rw-r----- 1 root hobbit 4048 Nov 6 06:13 plcdata.log
but I've also got this from the same machine:
-rw-r----- 1 root hobbit 4395 Nov 6 06:51 PLCDATA.log
and this one hasn't changed at all:
-rw-r----- 1 root hobbit 36847 Nov 6 06:56 Antivirus-2008.log
</pre>
</blockquote>
<br>
</body>
</html>