Another option could be to use $HOST_FROM. At our site, we used the hostname as part of the directory path, and we were seeing hostnames that were quite strange appearing from time to time until we switched to using $HOST_FROM in the destination path. The problem is that a number of "syslog" messages are not formatted correctly, so the parser pulls out incorrect portions of the log message interpreting them as the host name. The downside is that we end up with directories by IP address instead of hostname, but the upside is we are no longer dependent on how every application formats their log messages.

(Caveat: If you forward messages more than once, you would get the address of the sending server, not the originating system.)

Jim

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Thursday, March 18, 2010 6:17 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Specific log messages have wrong hostname

On Fri, 2010-03-12 at 13:02 -0500, Christopher Jon Caldwell wrote:
All of the syslog messages sent by our Solaris servers that contain output from the service processor are getting the wrong hostname assigned to them - the log messages get filed under the hostname of the receiving syslog-ng server. They all share the same process name "SC Alert". The packets look correctly formed so I am assuming it is the space in the process name. Any way to fix this without dropping the messages completely using something like bad_hostname? We are running 2.1.11a Enterprise Edition.
bad_hostname() was invented for this purpose. Or the 3.0.x versions provide rewrite functionality that lets you fix things like this.

--
Bazsi

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
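
Added example, not part of the thread and not syslog-ng's own parser: a simplified BSD-syslog header parse in Python showing how a hostname taken from the payload produces stray directory names, while keying on the sender address does not, including the relay caveat. The datagrams, addresses and function names are constructed for illustration.

```python
import re

# Simplified BSD-syslog header: <PRI>TIMESTAMP HOST TAG: MSG
# (an assumption for this sketch; real parsers apply more heuristics)
HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (?P<rest>.*)$"
)


def parsed_host(raw):
    """Return the token a naive parser takes as the hostname, or None."""
    m = HEADER.match(raw)
    return m.group("rest").split(" ", 1)[0] if m else None


def directory_key(raw, source_ip, use_sender):
    """Choose the per-host directory name for one received datagram."""
    if use_sender:
        # Address the datagram arrived from; independent of payload format.
        return source_ip
    # Payload-derived name; whatever follows the timestamp wins.
    return parsed_host(raw) or source_ip


# Constructed sample: (sender address, raw message)
DATAGRAMS = [
    # well-formed, sent directly by the originating host
    ("192.0.2.10", "<38>Mar 12 13:02:11 sol-db01 sshd[412]: Accepted publickey for ops"),
    # host field omitted, program name contains a space
    ("192.0.2.10", "<13>Mar 12 13:02:15 backup job: nightly run finished"),
    # host field omitted, no tag at all
    ("192.0.2.10", "<13>Mar 12 13:02:20 last message repeated 3 times"),
    # well-formed, but forwarded through a relay at 192.0.2.1
    ("192.0.2.1", "<38>Mar 12 13:02:25 sol-web02 sshd[97]: Accepted publickey for ops"),
]


def directories(datagrams, use_sender):
    """Sorted set of directory names the given policy would create."""
    return sorted({directory_key(raw, ip, use_sender) for ip, raw in datagrams})


if __name__ == "__main__":
    print("by parsed host:", directories(DATAGRAMS, use_sender=False))
    print("by sender addr:", directories(DATAGRAMS, use_sender=True))
```

The payload-keyed run creates "backup" and "last" directories from malformed messages; the sender-keyed run files the relayed sol-web02 message under the relay's address.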