On Mon, Nov 07, 2005 at 09:45:15PM -0500, Crayola wrote:
> I have noticed in my syslog-ng database (MySQL) that there are many entries like these. (two separate rows)
> These are the original syslog messages that the Solaris 9 client logs to its logs.
> Nov 5 22:37:20 lefou scsi: [ID 365881 kern.info] /sbus@a,0/QLGC,isp@1,10000 (isp1): Nov 5 22:37:20 lefou Firmware Version: v1.37.5, Customer: 15, Product: 0

This problem is fully explained here:

http://www.campin.net/syslog-ng/syslog.html

It's because when syslog-ng sees it, Solaris has left off the hostname. It looks like this (I made up the PRI value, in case anyone is wondering):

    <13>Nov 5 22:37:20 Firmware Version: v1.37.5, Customer: 15, Product: 0

...and syslog-ng sees a completely valid message with a hostname "Firmware" and a program name "Version:".

This happens to everyone who uses Solaris syslogd clients sooner or later, and it is exactly the reason that the bad_hostname() option was created.

This means that you can do one of two things:

1. replace Solaris syslogd with syslog-ng (easy if you run something like cfengine to automate the installs, hard if not, and it might cause problems with vendor support)

2. put this in your config file:

    options {
        bad_hostname("Firmware");
        ...whatever else...
    };

The example Solaris syslog-ng config file has bad_hostname() in it:

http://www.campin.net/syslog-ng/solaris-conf.txt

-- 
Nate

"A C program is like a fast dance on a newly waxed dance floor by people carrying razors." - Waldi Ravens.
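
The misparse described in the reply above, as an added example that is not part of the original post and is not syslog-ng's own code: a simplified model of BSD-syslog header parsing, with a bad_hostname-style regex that falls back to the sender's name. The parse() function, its field names and the sender value "lefou" are assumptions made for illustration.

```python
import re

# Simplified model of BSD-syslog header parsing (illustration only,
# not syslog-ng's parser): <PRI>Mon dd hh:mm:ss HOST PROGRAM: MESSAGE
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<rest>.*)$"
)

def parse(line, sender, bad_hostname=None):
    """Parse one wire-format line.

    sender       -- name/address the packet came from (assumed known)
    bad_hostname -- regex; a first token matching it is not a hostname
    """
    m = HEADER.match(line)
    if m is None:
        raise ValueError("no PRI/timestamp header")
    pri = int(m.group("pri"))
    rest = m.group("rest")
    first, _, remainder = rest.partition(" ")
    if bad_hostname and re.search(bad_hostname, first):
        # Token is message text: take the host from the sender instead.
        host, body = sender, rest
    else:
        host, body = first, remainder
    # Treat the next token as the program tag only if it ends in ':'.
    tag, _, tail = body.partition(" ")
    program, message = (tag, tail) if tag.endswith(":") else ("", body)
    return {"facility": pri >> 3, "severity": pri & 7, "ts": m.group("ts"),
            "host": host, "program": program, "message": message}

# Constructed samples: the PRI value is made up, as in the post.
NO_HOST = "<13>Nov 5 22:37:20 Firmware Version: v1.37.5, Customer: 15, Product: 0"
WITH_HOST = "<13>Nov 5 22:37:20 lefou scsi: [ID 365881 kern.info] (isp1):"

if __name__ == "__main__":
    for label, rec in [
        ("default", parse(NO_HOST, "lefou")),
        ("bad_hostname", parse(NO_HOST, "lefou", bad_hostname="Firmware")),
        ("well-formed", parse(WITH_HOST, "lefou", bad_hostname="Firmware")),
    ]:
        print(f"{label:13} host={rec['host']!r} program={rec['program']!r}")
```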