Balazs Scheidler wrote:
On Wed, 2009-11-04 at 15:05 -0500, Tim Boyer wrote:
I'm running syslog-ng 3.03 on a RHEL5 system, sending logs to various files like so:
# global log files destination deservers { file("/var/log/$HOST.log" owner(root) group(hobbit) perm(0640)); };
It's working fine on the Linux boxes. But I'm using Adiscon's EventLog on my Windows machines, and the $HOST name on them are coming up in all caps.
[root@buran log]# ls -la /var/log/*.log
... -rw-r----- 1 root hobbit 282 Nov 4 14:37 /var/log/KANTECH.log -rw-r----- 1 root hobbit 535181 Nov 4 14:24 /var/log/PLCDATA.log
Where's this $HOST macro get its data from? The DNS entry is lower case; the full computer name on the Windows box is lower case. I don't see where the upper is coming from, unless it's one of those weird Windows-to-Unix translation things.
Not a big deal, but a bit of an annoyance. Thanks for any help.
I guess the client is sending the hostname in all caps, you can confirm it with tcpdump.
You can force lowercase hostnames using the option:
normalize-hostnames(yes)
Balazs - Looks like I spoke too soon. Something odd is happening. I put the option into the conf file: @version: 3.0 # # global options # options { normalize_hostnames(yes); use_fqdn(no); use_dns(yes); dns_cache(yes); keep_hostname(yes); long_hostnames(off); create_dirs(yes); } and restarted last night. I deleted all of the upper-case log files. One worked - I've got this file: -rw-r----- 1 root hobbit 4048 Nov 6 06:13 plcdata.log but I've also got this from the same machine: -rw-r----- 1 root hobbit 4395 Nov 6 06:51 PLCDATA.log and this one hasn't changed at all: -rw-r----- 1 root hobbit 36847 Nov 6 06:56 Antivirus-2008.log -- -- tim -- Tim Boyer Denman Tire Corporation