On Tue, Jun 19, 2001 at 02:56:33PM -0500, David Douthitt wrote:
> Jun-XX XX:XX:XX folly* last message repeated 5 times
>
> ...and the log might look like this:
>
> Jun-XX XX:XX:XX folly su: access denied
> Jun-XX XX:XX:XX folly* last message repeated 5 times
> Jun-XX XX:XX:XX folly --mark--
>
> Well?
I like it. I can't recall if this is in syslog-ng already, but something I have always wanted was for syslog-ng not to believe the remote host when it says my hostname is x, and to replace x with the IP address in the packet (not useful for forwarded logs, but that's why it's an option).

The problem I can see with this is there isn't really a way to tell, in "last message repeated 5 times", that the word "last" is not a hostname (I'm not that intimate with the protocol so I could be wrong). One could simply prepend a hostname to the line (with a delimiter), and this would sidestep the issue. The downside is you may get messages like: "folly*folly last message repeated 5 times"

While typing I recall that 1.5.x has some sort of template functionality; if there is a "remote host IP" macro then you may be able to do this now.
> Only problem I could see is if the hostname in the syslog entry doesn't match the name of the host as a normal event; I don't see this happening.
I can see this happening semi-frequently in the environment, I set up boxes with one name, but the name the rest of the world uses. This is more a product of my laziness than anything else. But I prefer to log IP addresses anyway, so the point is moot (for me at least :).
> This does, however, generate more DNS traffic, unless you cache the entries - maybe within syslog-ng.
Or in the hosts file. Yes, I know you lose flexibility, but you do gain speed, and reliability.

----------------------------------------------------------------------------
   __o    Bradley Arlt    Email: arlt@cpsc.ucalgary.ca    o__
 _ \<_    WWW: www.acs.ucalgary.ca/~bdarlt    _>/ _
(_)/(_)   -Eat well, sleep peacefully, drink lots, and ride like hell.   (_)\(_)
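The two ideas in the reply above (take the sender from the packet rather than from the message, and prepend it with a delimiter instead of trying to parse the hostname), as an added Python example that is not part of the original message and not syslog-ng code. The function names, the `*` delimiter and the sample datagrams are assumptions constructed for illustration.

```python
import re

# BSD-syslog style line: optional <PRI>, "Mmm dd hh:mm:ss", then everything else.
_HEADER = re.compile(r"^(?:<\d{1,3}>)?(\w{3} [ \d]\d \d\d:\d\d:\d\d) (.*)$", re.S)
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def naive_host(line: str):
    """Parser that trusts the first token after the timestamp as the hostname."""
    m = _HEADER.match(line)
    return m.group(2).split(" ", 1)[0] if m else None


def stamp_sender(datagram: bytes, peer_ip: str, delim: str = "*") -> str:
    """Prefix the rest of the line with the packet's source address.

    The claimed hostname is neither parsed nor removed, so a line without one
    ("last message repeated ...") cannot be misread.
    """
    text = datagram.decode("utf-8", "replace").rstrip("\r\n\x00")
    m = _HEADER.match(text)
    ts, rest = m.groups() if m else (None, text)
    # Escape control characters so one datagram always stays one log line.
    rest = _CTRL.sub(lambda c: "\\x%02x" % ord(c.group()), rest)
    tagged = f"{peer_ip}{delim}{rest}"
    return f"{ts} {tagged}" if ts else tagged


# Constructed sample datagrams: (payload, source address of the UDP packet).
SAMPLES = [
    (b"<38>Jun 19 14:56:33 folly su: access denied", "192.0.2.10"),
    (b"<38>Jun 19 14:56:40 last message repeated 5 times", "192.0.2.10"),
    (b"<38>Jun 19 14:57:00 folly su: access denied", "198.51.100.7"),
]

if __name__ == "__main__":
    for payload, peer in SAMPLES:
        print(stamp_sender(payload, peer))
```

The third sample carries the same claimed hostname as the first but arrives from a different address, which only the stamped form makes visible.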