On Fri, Nov 09, 2001 at 09:45:34AM +0100, Balazs Scheidler wrote:
On Thu, Nov 08, 2001 at 11:35:38PM -0800, Nate Campi wrote:
On Wed, Nov 07, 2001 at 05:49:00PM -0800, Nate Campi wrote:
The problem is that a message like this on a Solaris 2.6 box:
Nov 7 04:05:45 ballys ctld 5.0.6[22164]: [0] Error: unable to read header - Status: NoMoreData.
...will arrive (via UDP) on my Linux loghost (syslog-ng 1.4.12) like this:
Nov 7 04:05:45 ballys.hotwired.com 5.0.6[22164]: [0] Error: unable to read header - Status: NoMoreData.
Can anyone tell me why the program info is lost when Solaris 2.6 sends my message over UDP to syslog-ng 1.4.12?
Probably because of the strange format of the message. As I read the code, anything after the hostname until '[' or ':' is taken as part of the program which sent the message, at least this is true when every part of the message is received.
Try to snoop the network (or truss syslog-ng) to find out how the message was sent "exactly".
I suspect that there's no timestamp in the message and no hostname either, so syslog-ng parses ctld as the hostname and 5.0.6 as the program name, and later it replaces ctld with the hostname the given message was received from. (This can be changed with keep_hostname(yes or no).)
So if I set "keep_hostname(yes)" I'll just get:
Nov 7 04:05:45 ctld 5.0.6[22164]: [0] Error: unable to read header - Status: NoMoreData.
...right? Sounds like this needs a bug report with the software vendor, assuming I can verify that their syslog messages are wrong.
--
Nate Campi http://www.campin.net
GnuPG key: 0xC17AEF79 Key fingerprint = BF12 722F 8799 E614 33CC FAB7 5A90 C464 C17A EF79
A mathematician is an engine for converting coffee into theorems.
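
The parsing behaviour discussed in this thread, as an added example that is not part of the original messages and is not syslog-ng source code: a simplified Python model of the legacy-format heuristics, run on the wire form suspected above (no timestamp, no hostname). The function names, the `<27>` priority and the payload strings are constructed for illustration.

```python
import re

# Simplified model of the legacy (BSD-style) parsing heuristics described in
# the thread. This is not syslog-ng source code.
PRI = re.compile(r"<\d{1,3}>")
STAMP = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
HOST = re.compile(r"([^\s:\[]+) ")                 # token that ends in a space
PROG = re.compile(r"([^:\[]*)(?:\[(\d+)\])?: ?")   # up to '[' or ':'

def parse_legacy(payload, sender, recv_time, keep_hostname=False):
    rest = payload
    m = PRI.match(rest)
    if m:
        rest = rest[m.end():]
    m = STAMP.match(rest)
    stamp = recv_time                  # no timestamp on the wire: use receive time
    if m:
        stamp, rest = m.group().rstrip(), rest[m.end():]
    m = HOST.match(rest)
    host = None
    if m:
        host, rest = m.group(1), rest[m.end():]
    m = PROG.match(rest)
    program = pid = None
    if m:
        program, pid, rest = m.group(1), m.group(2), rest[m.end():]
    if host is None or not keep_hostname:
        host = sender                  # parsed host replaced by the sender's name
    return {"stamp": stamp, "host": host, "program": program, "pid": pid, "msg": rest}

def render(rec):
    tag = rec["program"] or ""
    if rec["pid"]:
        tag += "[%s]" % rec["pid"]
    return "%s %s %s: %s" % (rec["stamp"], rec["host"], tag, rec["msg"])

# Constructed payloads; the <27> priority is an assumed value.
BODY = "[0] Error: unable to read header - Status: NoMoreData."
TERSE = "<27>ctld 5.0.6[22164]: " + BODY                        # suspected wire form
FULL = "<27>Nov  7 04:05:45 ballys ctld 5.0.6[22164]: " + BODY  # with stamp and host
SENDER, RECV = "ballys.hotwired.com", "Nov 7 04:05:45"

if __name__ == "__main__":
    for payload in (TERSE, FULL):
        for keep in (False, True):
            print(keep, render(parse_legacy(payload, SENDER, RECV, keep)))
```

On a loghost, a filter or alert keyed on the program field would see `5.0.6` rather than `ctld` for the terse form, which is why capturing the exact wire payload matters before writing match rules.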