Hi,

I just installed syslog-ng, and had a similar experience with a certain type of switches (Alteon's). Only in this case the syslog messages were formatted so that syslog-ng saw the level as the hostname (i.e. my syslog files would be named e.g. NOTICE.log when using $HOST.log for the filename). Using the bad_hostname() option, as described below, solved the problem.

However, the question this is all leading to is this: When a hostname is matched by the bad_hostname option, what mechanism does syslog-ng use to establish a new name?

Best regards,
Christian

-----Original Message-----
From: Balazs Scheidler [mailto:bazsi@balabit.hu]
Sent: 7. maj 2003 13:54
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]syslog-ng blanks in Servicename

On Wed, May 07, 2003 at 12:25:28PM +0200, Unger, Christian wrote:
On Wed, Apr 30, 2003 at 12:22:34PM +0200, Unger, Christian wrote:
I log a lot of information via NT-Syslog to syslog-ng. Windows 2000 has some services with a blank in the Servicename, e.g. NTDS ISAM
The log entry from syslog-ng looks as follows:
Apr 15 15:42:33 ntds isam[info] 700 NTDS (268) Online defragmentation is beginning a full pass on database 'C:\WINNT\NTDS\ntds.dit'.
NTDS is NOT my hostname, that's the problem!
I think the problem is in the RFC. But I haven't read it. (no time :[ )
Is there an easy escape? Or will the next version of syslog-ng have an escape?
try check_hostname(yes)
----
check_hostnames(yes) doesn't help.
I checked some information with tcpdump, and I found some very interesting handling. Syslog-ng is able to handle hostnames in the syslog datagram; the delimiter between hostname and service name seems to be a space. So if I have spaces in the service name, syslog-ng thinks that the first word must be the hostname, but that's wrong. What can I do now?
sorry, check_hostname() is meant for cases when the word seeming to be a hostname contains invalid characters (like '%'). The problem is that there is no way to distinguish between a hostname and a programname containing a space. The workaround I implemented was the bad_hostname() option, which contains a regular expression which covers bad hostnames. E.g. if you have a program that sends messages like:

    Apr 28 15:13:54 snmp ctld[12345]: message

And "snmp ctld" is the program name, then you can use bad_hostname() to make syslog-ng think that "snmp" itself is a bad hostname. (of course this will not work if you really have a host named snmp)

    options { bad_hostname("snmp"); };

bad_hostname() accepts an extended regular expression so you can list several bad hostnames like this:

    options { bad_hostname("snmp|iis|foo|bar"); };

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
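
The hostname/program ambiguity discussed in this thread, as an added example that is not part of the original messages and is not syslog-ng's code. It is a small Python model of the header split; the fallback to the sender's address and the unanchored regex search are assumptions (the thread does not state either), and parse(), log_file() and the sender addresses are hypothetical.

```python
import re

# BSD syslog layout from the thread: "Mmm dd hh:mm:ss <host> <program>[pid]: <msg>"
HEADER = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<rest>.*)$")

def parse(line, sender, bad_hostname=None):
    """Split one line into (host, program, message).

    sender       -- address the datagram arrived from; ASSUMED to be the
                    fallback host when the first word is rejected.
    bad_hostname -- extended-regex string; ASSUMED to be applied as an
                    unanchored search against the first word.
    """
    m = HEADER.match(line)
    if not m:
        return sender, "", line
    rest = m.group("rest")
    first, _, tail = rest.partition(" ")
    if bad_hostname and re.search(bad_hostname, first):
        host, body = sender, rest      # first word belongs to the program name
    else:
        host, body = first, tail       # first word is trusted as the hostname
    program, sep, message = body.partition(": ")
    if not sep:
        program, message = "", body
    return host, re.sub(r"\[\d+\]$", "", program), message

def log_file(host):
    """Model of a $HOST.log destination: the file name is taken from the host."""
    return f"{host}.log"

# First line is the one quoted in the thread; the rest, and all sender
# addresses (documentation range 192.0.2.0/24), are constructed.
SAMPLES = [
    ("192.0.2.10", "Apr 28 15:13:54 snmp ctld[12345]: message"),
    ("192.0.2.20", "Apr 28 15:13:55 NOTICE mgmt: link up on port 3"),
    ("192.0.2.30", "Apr 28 15:13:56 foobar01 cron[7]: job started"),
]

def demo(bad_hostname):
    """Return the log file each sample would land in under the given pattern."""
    return [log_file(parse(line, src, bad_hostname)[0]) for src, line in SAMPLES]

if __name__ == "__main__":
    for pattern in (None, "snmp|foo|NOTICE", "^(snmp|foo|NOTICE)$"):
        print(pattern, demo(pattern))
```

Under the unanchored assumption, the pattern "snmp|foo|NOTICE" also rejects the legitimate host foobar01, which is why the anchored form is shown beside it.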