Guys<br><br>We're not on the same page here. I have already addressed the missing hostname by forcing syslog-ng to use dns to lookup its own hostname and then insert it.<br>All I was asking is if I can make syslog truly "insert" the hostname. Currently it simply overwrites whatever is in this field (This this case the word "Server")<br>
and replaces it with the correct hostname.<br>I was simply saying that this field which was just overwritten might have contained important loginfo - that's all. It doesn't in this case but what if it did.<br>So to make this clear syslog can do this<br>
<br>Replace "Server Administrator" with "{hostname} Administrator"<br><br>I was wondering if it could instead do this :<br><br>Replace "Server Administrator" with "{hostname} Server Administrator" in order not to truncate the log content.<br>
<br>On a side node instead of using dns wouldn't it be great if syslog could do a "gethostbyname" instead to figure out its own hostname ? Should be much more efficient<br>for local log source like this.<br>
<br><div class="gmail_quote">On Thu, Sep 2, 2010 at 5:28 PM, Lance Laursen <span dir="ltr"><<a href="mailto:lance@demonware.net">lance@demonware.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Hmm. Well, if you can't put an intermediary syslog server with use_dns enabled between your Dell app and the load balancer, I think you're outta luck. If the log message doesn't contain a hostname, and the sending IP is that of the load balancer, then syslog really has no way to know where the message came from. You could write Dell and ask them to conform to RFC syslog standards but I don't think that's going to happen any time soon :).<div>
The only other thing I can think of is that if you only have one dell openManage box, you could filter for something specific to those logs then apply a static hostname using a template. But that method sucks and doesn't work as soon as you have two openManage boxes forwarding syslogs.</div>
<div><div><div></div><div class="h5"><br><br><div class="gmail_quote">On Thu, Sep 2, 2010 at 3:39 PM, stucky <span dir="ltr"><<a href="mailto:stucky101@gmail.com" target="_blank">stucky101@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
That's exactly the problem. I cannot keep a hostname that was never written in the first place.<br>The DELL server administrator doesn't send it. As per my email below it sends this :<div><br><br>Aug 16 21:47:22 Server Administrator: Storage Service EventID: 2242> The Patrol Read has started.: Controller 0 (PERC 5/i Integrated)<br>
<br></div>So If I do a "keep_hostname" syslog-ng assumes that the server is called "Server" which is of course wrong.<div><div></div><div><br><br><div class="gmail_quote">On Thu, Sep 2, 2010 at 8:21 AM, Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi@balabit.hu" target="_blank">bazsi@balabit.hu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div><div></div><div>On Tue, 2010-08-17 at 18:26 -0700, stucky wrote:<br>
> Guys<br>
><br>
> I'm trying to log to a loadbalanced VIP. It seems to work ok except<br>
> that the loadbalancer uses SNAT so I loose my source IP.<br>
> This means I cannot use dns or even the source ip to get the source<br>
> host as all logs appear to come from the same source (the<br>
> loadbalancer).<br>
> This means I have no choice but to rely on the hostname field which<br>
> works about 98% of the time but some stuff like Dell OpenManage skips<br>
> the hostname field.<br>
> So I'd get logs like this on host "cage" f.e.<br>
><br>
> Aug 16 21:47:22 Server Administrator: Storage Service EventID: 2242<br>
> The Patrol Read has started.: Controller 0 (PERC 5/i Integrated)<br>
><br>
> I fixed that by telling the syslog-ng client to force itself to figure<br>
> out a proper hostname and now the log looks like this<br>
><br>
> Aug 17 13:51:10 cage Administrator[]: Instrumentation Service EventID:<br>
> 1000 Server Administrator starting<br>
><br>
> I thought syslog-ng inserts the hostname but by the looks of it it<br>
> simply replaces whatever is in the expected field with the hostname it<br>
> has just figured out.<br>
> As you can see it overwrote the entry "Server".<br>
> No biggie in the above case but what if this field contained valuable<br>
> information ? I'd loose that.<br>
> Any way to squeeze in the hostname so to speak ?<br>
<br>
</div></div>what about keep_hostname(yes) ?<br>
<div><div></div><div><br>
<br>
--<br>
Bazsi<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
<br>
</div></div></blockquote></div><br><br clear="all"><br></div></div>-- <br><font color="#888888">stucky<br>
</font><br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
<br>
<br></blockquote></div><br><br clear="all"><br>-- <br></div></div>Lance Laursen<br>Demonware Systems Engineer<br>
</div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
<br>
<br></blockquote></div><br><br clear="all"><br>-- <br>stucky<br>