On Sat, Jan 19, 2002 at 10:06:27PM +0100, Balazs Scheidler wrote:
Message parsing is as follows: (it's in the file log.c, function parse_log_msg)
* parse priority if present (decided based on the first character)
* skip white space if present
* check if we have something that looks like date
* if we have date:
  * skip white space after date
  * check if we have an AIX "forwarded for" or a "last message repeated" message
  * if nothing is special, we look for the first word up to ' ' or ':' or '['
  * if the first word is ended by a space, it is taken as hostname, otherwise as programname
Perhaps we could make this:

* if the first word is ended by a space *and doesn't match the conf file param bad_hostnames(),* it is taken as hostname, otherwise as programname. *If the hostname matches bad_hostnames(), the result of gethostbyaddr() is inserted as the hostname, with the original value of the hostname field pushed into the message contents.*

So bad_hostnames() could be a list of strings that are known program names that show up as hostnames in our logs. I have software that sends the prog name like this "ctld 5.0.6:" - so syslog-ng thinks "ctld" is the hostname (Solaris system, so network syslog packets are transmitted without the hostname field). If I could tell syslog-ng that "ctld" is *not* a hostname, this would be great.

bad_hostnames("ctld"; "ctlds"; "cmd";);
* if we don't have date:
  * the first word up to ' ' or '[' or ':' or '/' or ',' or '<' is taken as programname
Thanks for all your hard work on syslog-ng, Balazs.

--
Nate Campi http://www.campin.net GnuPG key: 0xC17AEF79
"#define QUESTION ((bb) || !(bb))" - Shakespeare
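Added example, not part of the original message and not syslog-ng's code: a C sketch of the first-word decision described above (the "have date" branch) with the proposed bad_hostnames() check applied. The names `classify_first_word`, `struct parsed` and the `sender` argument are hypothetical; `sender` stands in for the gethostbyaddr() result, and using it as the host whenever the first word is a program name is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the proposed bad_hostnames() option. */
static const char *bad_hostnames[] = { "ctld", "ctlds", "cmd", NULL };

struct parsed { char host[64]; char program[64]; const char *msg; };

static int is_bad_hostname(const char *w, size_t n) {
    for (size_t i = 0; bad_hostnames[i]; i++)
        if (strlen(bad_hostnames[i]) == n && !memcmp(bad_hostnames[i], w, n))
            return 1;
    return 0;
}

static void copy_word(char *dst, size_t cap, const char *src, size_t n) {
    if (n >= cap) n = cap - 1;          /* truncate rather than overflow */
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* text:   what follows the date in the received message.
 * sender: name resolved from the packet source address (the post suggests
 *         gethostbyaddr(); passed in here so the example runs offline). */
static struct parsed classify_first_word(const char *text, const char *sender) {
    struct parsed out;
    size_t n = strcspn(text, " :[");    /* first word up to ' ', ':' or '[' */
    out.program[0] = '\0';
    if (text[n] == ' ' && !is_bad_hostname(text, n)) {
        /* Ended by a space and not listed: taken as the hostname. */
        copy_word(out.host, sizeof out.host, text, n);
        out.msg = text + n + 1;         /* remainder left for later parsing */
        return out;
    }
    /* Otherwise it is a program name. The host comes from the sender and
     * the word stays in the message contents, as the proposal asks. */
    copy_word(out.host, sizeof out.host, sender, strlen(sender));
    copy_word(out.program, sizeof out.program, text, n);
    out.msg = text;
    return out;
}

int main(void) {
    /* Constructed sample input modelled on the "ctld 5.0.6:" case above. */
    struct parsed p = classify_first_word("ctld 5.0.6: license check ok",
                                          "sol1.example.net");
    printf("host=%s program=%s msg=%s\n", p.host, p.program, p.msg);
    return 0;
}
```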