Hi, Tim Boyer írta:
Balazs Scheidler wrote:
On Wed, 2009-11-04 at 15:05 -0500, Tim Boyer wrote:
I'm running syslog-ng 3.03 on a RHEL5 system, sending logs to various files like so:
# global log files destination deservers { file("/var/log/$HOST.log" owner(root) group(hobbit) perm(0640)); };
It's working fine on the Linux boxes. But I'm using Adiscon's EventLog on my Windows machines, and the $HOST name on them are coming up in all caps.
[root@buran log]# ls -la /var/log/*.log
... -rw-r----- 1 root hobbit 282 Nov 4 14:37 /var/log/KANTECH.log -rw-r----- 1 root hobbit 535181 Nov 4 14:24 /var/log/PLCDATA.log
Where's this $HOST macro get its data from? The DNS entry is lower case; the full computer name on the Windows box is lower case. I don't see where the upper is coming from, unless it's one of those weird Windows-to-Unix translation things.
Not a big deal, but a bit of an annoyance. Thanks for any help.
I guess the client is sending the hostname in all caps, you can confirm it with tcpdump.
You can force lowercase hostnames using the option:
normalize-hostnames(yes)
Balazs -
Looks like I spoke too soon. Something odd is happening.
I put the option into the conf file:
@version: 3.0 # # global options #
options { normalize_hostnames(yes); use_fqdn(no); use_dns(yes); dns_cache(yes); keep_hostname(yes); long_hostnames(off); create_dirs(yes); }
You should not use "keep_hostname" in the part of global options because this one will block rewriting of the hostname (see syslog-ng admin guide: http://www.balabit.hu/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s09.htm...). If you need it really use this option in every source where you need it
and restarted last night. I deleted all of the upper-case log files.
One worked - I've got this file:
-rw-r----- 1 root hobbit 4048 Nov 6 06:13 plcdata.log
but I've also got this from the same machine:
-rw-r----- 1 root hobbit 4395 Nov 6 06:51 PLCDATA.log
and this one hasn't changed at all:
-rw-r----- 1 root hobbit 36847 Nov 6 06:56 Antivirus-2008.log