[Apologies if this has been reported before, but I couldn't find any mention of it. Also, my apologies if this shows up twice. I sent it yesterday, but after 24 hours, it hasn't hit the list yet, so I'm resending.]

It appears that Syslog-NG 2.0.x (tested with 2.0.9) will mangle the originating source hostname when the hostname begins numerically, and this also causes errors with date/time handling.

Verified with Syslog-NG 2.0.9 on Red Hat Enterprise Linux 3.

To duplicate and display the bug (destination(d_log_expanded) and template added to more easily display what's going on):

    [root@logbox syslog-ng]# cat syslog-ng.conf
    options { sync(0); chain_hostnames(yes); };
    source s_net { tcp(); };
    destination d_log { file("/tmp/test.log") ; };
    destination d_log_expanded { file("/tmp/test-long.log" template("Date: $DATE, Sender Unixtime: $S_UNIXTIME, Receiver Unixtime: $R_UNIXTIME, Host: $FULLHOST Message: $MSGONLY\n") template_escape(no)) ; };
    log { source(s_net); destination(d_log); };
    log { source(s_net); destination(d_log_expanded); };

    [root@logbox tmp]# cat /tmp/problem-log
    <0d>Mar 31 04:41:57 1234-xxxx/192.168.1.1 TestLog: This is a test log that includes the relevant bits of the original log, before Syslog-NG mangles them: "Mar 31 04:41:57 1234-xxxx/192.168.1.1 TestLog: This is a test log. . ."

    [root@logbox tmp]# cat < /tmp/problem-log | nc localhost 514

    [root@logbox tmp]# tail -1 *.log
    ==> test.log <==
    Dec 31 17:59:59 -xxxx/192.168.1.1/localhost TestLog: This is a test log that includes the relevant bits of the original log, before Syslog-NG mangles them: "Mar 31 04:41:57 1234-xxxx/192.168.1.1 TestLog: This is a test log. . ."

    ==> test-long.log <==
    Date: Dec 31 17:59:59, Sender Unixtime: -1, Receiver Unixtime: 1207676046, Host: -xxxx/192.168.1.1/localhost Message: This is a test log that includes the relevant bits of the original log, before Syslog-NG mangles them: "Mar 31 04:41:57 1234-xxxx/192.168.1.1 TestLog: This is a test log. . ."
You can see from the above that the '1234' is being stripped from the originating hostname '1234-xxxx', and the sender timestamp is then being mangled to -1. It appears to only pull the first 4 numbers from the source hostname (assuming there are more numbers, such as '123456-xxxx'), and it only happens when the hostname starts numerically. If you add a non-numeric character to the beginning part of the hostname, it is handled correctly (such as 'z1234-xxxx' or '12z34-xxxx').

-- 
Christopher Cashell
Systems & Network Security Engineer
phone: 402.361.3065
fax: 402.361.3165
e-mail: christophercashell@solutionary.com
Solutionary, Inc.
www.Solutionary.com
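For anyone running a collector affected by the behaviour described in this report, the practical question is how to notice mangled records in the archive and how a header parser should treat a hostname that starts with digits. The following is an added example, written for this page and not code from the reporter or from syslog-ng: it parses the `d_log_expanded` template output shown above and flags the two symptoms the report identifies (a sender unixtime of -1 and a host beginning with '-'), and it includes a plain RFC 3164-style header splitter that keeps leading digits with the hostname. The four-leading-digit trigger in `host_at_risk` is inferred from the report's observations ('1234-xxxx' mangled, 'z1234-xxxx' and '12z34-xxxx' fine), and the "clean" sample record and its unixtime values are constructed, not taken from the original.

```python
import re

# Sample records in the shape of the d_log_expanded template output above.
# MANGLED_RECORD reproduces the broken record from the report; CLEAN_RECORD is
# a constructed example of what a correctly handled record would look like.
MANGLED_RECORD = (
    "Date: Dec 31 17:59:59, Sender Unixtime: -1, Receiver Unixtime: 1207676046, "
    "Host: -xxxx/192.168.1.1/localhost Message: This is a test log"
)
CLEAN_RECORD = (
    "Date: Mar 31 04:41:57, Sender Unixtime: 1206938517, Receiver Unixtime: 1206938520, "
    "Host: z1234-xxxx/192.168.1.1/localhost Message: This is a test log"
)

# Field layout of the template used in the report.
TEMPLATE_RE = re.compile(
    r"^Date: (?P<date>[^,]+), Sender Unixtime: (?P<s_time>-?\d+), "
    r"Receiver Unixtime: (?P<r_time>-?\d+), Host: (?P<host>\S+) Message: (?P<msg>.*)$"
)

# BSD syslog (RFC 3164 style) header as sent in the report: optional <PRI>,
# "Mon DD HH:MM:SS", one hostname token, then the message. The hostname is
# simply the next whitespace-delimited token, so digits at its start are never
# mistaken for part of the timestamp.
HEADER_RE = re.compile(
    r"^(?:<[^>]{1,3}>)?"
    r"(?P<mon>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +"
    r"(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)


def parse_header(line):
    """Split a raw syslog line into header fields; None if the header is absent."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


def host_at_risk(host):
    """True when the hostname begins with four digits.

    Inferred from the report: '1234-xxxx' was mangled while 'z1234-xxxx' and
    '12z34-xxxx' were handled correctly (assumption, not a documented rule)."""
    return re.match(r"\d{4}", host) is not None


def check_template_record(record):
    """Return a list of problem tags for one line of d_log_expanded output."""
    m = TEMPLATE_RE.match(record)
    if not m:
        return ["unparseable_record"]
    problems = []
    s_time, r_time = int(m.group("s_time")), int(m.group("r_time"))
    if s_time < 0:
        problems.append("sender_unixtime_invalid")  # -1 is what the bug produced
    elif abs(s_time - r_time) > 86400:
        problems.append("sender_receiver_skew")     # more than a day apart
    if m.group("host").startswith("-"):
        problems.append("host_leading_dash")         # digits eaten from the host
    return problems


def scan_records(records):
    """Map the index of each offending record to its problems; clean ones are omitted."""
    findings = {}
    for i, rec in enumerate(records):
        problems = check_template_record(rec)
        if problems:
            findings[i] = problems
    return findings


if __name__ == "__main__":
    for idx, probs in scan_records([MANGLED_RECORD, CLEAN_RECORD]).items():
        print(f"record {idx}: {', '.join(probs)}")
    hdr = parse_header("<0d>Mar 31 04:41:57 1234-xxxx/192.168.1.1 TestLog: hi")
    print("host kept intact:", hdr["host"], "at risk:", host_at_risk(hdr["host"]))
```

Running `scan_records` over the long-format archive file (one record per line) gives a quick inventory of how much already-collected data was affected; `host_at_risk` applied to the `host` field from `parse_header` on the raw feed tells you which senders to watch until the collector is fixed.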