When skimming through the old code I extract that the regexp will be applied to all hostnames matching in a log message. Dumb question: what's the use case of this and why isn't there a general regexp function?
It's for Solaris-style network messages that leave out the hostname, but then send a badly formatted message (I know this is from a Linux host but bear with me):
<13>Oct 7 14:03:28 device eth0 entered promiscuous mode
The above message should be easy to figure out that there's no hostname because the second field doesn't have a colon like a message from postfix would have (I'm just arbitrarily assigning 13 as the PRI):
<13>Oct 7 14:22:56 postfix/smtpd[9753]: lost connection after RCPT from 1Cust4795.an3.chi30.da.uu.net[63.26.50.187]
But what happens if you have a program name on a Solaris host that has a space in it?
<13>Oct 7 14:22:56 ctld 8.9[123]: this is a dumb message
...then syslog-ng will assume that the hostname is ctld - when that's not right, the program name is "ctld 8.9". Using bad_hostname() we can tell syslog-ng which strings our site sends that really aren't hostnames.
This should be in the man page ;). So how do you set bad_hostname in your example? bad_hostname("ctld")? But in this case you better not have a host named ctld.
Simple as that. Comes in handy at every site for things like "last message repeated xx times", I'd imagine. When you use the $HOST macro this becomes critical to avoid using the wrong hostnames.
I need to check out how we do the syslog configuration for our customers.
Make sense?
Thanks, Nate. Yes it does, but does it handle all possible cases? Maybe the Pareto principle applies ... Thanks and regards, Roberto Nibali, ratz -- echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
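The hostname heuristic Nate describes above, as an added Python example that is not syslog-ng's own parser code. It assumes the rule the thread lays out: the first field after the timestamp is taken as a hostname only when the field after it looks like a program tag (contains a colon), and a bad_hostname() regexp overrides that guess. The regexps, the function names, the three constructed sample lines (copied from the thread, with the arbitrary PRI 13) and the fallback to the sending peer's address for $HOST are all assumptions made here for illustration.

```python
import re

# Constructed sample messages, matching the ones quoted in the thread.
SAMPLES = [
    "<13>Oct 7 14:03:28 device eth0 entered promiscuous mode",
    "<13>Oct 7 14:22:56 postfix/smtpd[9753]: lost connection after RCPT "
    "from 1Cust4795.an3.chi30.da.uu.net[63.26.50.187]",
    "<13>Oct 7 14:22:56 ctld 8.9[123]: this is a dumb message",
]

# PRI in angle brackets, then a BSD-style "Mon DD HH:MM:SS" timestamp.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<rest>.*)$"
)
# "program[pid]: message" - program may contain spaces or slashes, but not '[' or ':'.
TAG_RE = re.compile(r"^(?P<program>[^\[:]+?)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$")

# Hypothetical site setting, the equivalent of bad_hostname("ctld") in the thread.
BAD_HOSTNAME = re.compile(r"^ctld$")


def parse_bsd_syslog(line, bad_hostname=None):
    """Split a BSD syslog line into pri, timestamp, host, program, pid and msg.

    bad_hostname is an optional compiled regexp; a hostname candidate that
    matches it is treated as part of the program tag instead.
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    rest = m.group("rest")
    fields = rest.split(" ", 2)
    host = None
    body = rest
    # Heuristic from the thread: the first field is a hostname only when the
    # *next* field looks like a program tag (has a colon). For
    # "device eth0 entered ..." and "postfix/smtpd[9753]: lost ..." the second
    # field has no colon, so there is no hostname. For "ctld 8.9[123]: ..."
    # the second field does, so "ctld" would be taken as the host unless the
    # bad_hostname regexp says otherwise.
    if len(fields) >= 2 and ":" in fields[1] and ":" not in fields[0]:
        candidate = fields[0]
        if not (bad_hostname and bad_hostname.search(candidate)):
            host = candidate
            body = rest[len(candidate) + 1:]
    tm = TAG_RE.match(body)
    if tm:
        program, pid, msg = tm.group("program"), tm.group("pid"), tm.group("msg")
    else:
        program, pid, msg = None, None, body
    return {
        "pri": int(m.group("pri")),
        "timestamp": m.group("ts"),
        "host": host,
        "program": program,
        "pid": int(pid) if pid else None,
        "msg": msg,
    }


def effective_host(record, peer_addr):
    """What a $HOST-style macro would expand to: the parsed hostname if the
    heuristic found one, otherwise the address the message arrived from
    (assumed fallback behaviour, not taken from the thread)."""
    return record["host"] if record["host"] else peer_addr


if __name__ == "__main__":
    for line in SAMPLES:
        print("without bad_hostname:", parse_bsd_syslog(line))
        print("with    bad_hostname:", parse_bsd_syslog(line, BAD_HOSTNAME))
```

Running it shows the failure mode from the thread: without the bad_hostname() entry the third line yields host "ctld" and program "8.9", so a $HOST-keyed file or filter would be fed a bogus hostname; with it, the host is left unset, the program becomes "ctld 8.9" and $HOST falls back to the peer address.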