On Thu, Jan 02, 2003 at 10:43:45AM +0100, Balazs Scheidler wrote:
the problem is ctlds sends a space in the program name tag, thus syslog-
ng
interprets 'ctlds' as hostname and '6.0' as program name. as keep_hostname() is set to no it rewrites originating host name.
Try setting keep_hostname() to yes, it will not touch the hostname then.
Right but "ctlds" isn't the hostname, larry is. My logs are wrong either way - I either lose half my program name or get the wrong hostname. Either way I lose.
Arg, I actually wrote my own syslog daemon to relay and rewrite all these last year. The only way to fix this with syslog-ng would be to add a feature like
options { bad_hostnames("ctlds","last"); };
When syslog-ng sees either of these:
Jan 2 15:06:47 ctlds 6.0[11718]: [0] Request error (500): Template processing error Jan 2 15:06:47 last message repeated 123 times
It knows to actually shift the message over one place to the right and stick the value of the $FULLHOST_FROM macro in there. Even if I tried templating out the message on my own syslog-ng will still think that "ctlds" or "last" isn't part of the message and it'll get lost.
Better is to implement source templates. This way you can precisely describe input line, so if you know your source never appends host name, you just omit this from template. Something like source s_stream { unix-stream("/dev/log" max-connections(10)); template(DATE PROG[PID]:... );}; Cheers -andrey