Re: [syslog-ng] 3.3.7 oddity with file source

10 Feb 2013

      Just so I understand, you are saying that file sources are treated as if they were another syslog instance on the same host, sending data to the running instance.
Correct?

If you consider chain_hostnames() deprecated, what do you recommend now?

If it isn't logical how it behaves, perhaps it should be fixed so that it is logical. :-)

Evan.
________________________________________
From: Balazs Scheidler [bazsi77@gmail.com]
Sent: Saturday, February 09, 2013 10:19 PM
To: Syslog-ng users' and developers' mailing list; Evan Rempel
Subject: Re: [syslog-ng] 3.3.7 oddity with file source

hi,

the default hostname if otherwise unspecified is using this format if chain_hostnames() is enabled. this mimics the behaviour of chain_hostnames() when receiving the message locally. (the part before the slash is the host as it claimed itself to be, the part after the slash as it was resolved)

I consider the chain_hostnames() functionality to be deprecated, it's not always logical how it behaves, but this is how it worked for the past decade.

----- Original message -----
...
Normally when a syslog line is produced, the host has the format of
{source}@{hostname}
so when the log reaches my central server it looks like
2013-02-08T11:15:01-08:00
local@gpfs10.westgrid.uvic.ca<mailto:local@gpfs10.westgrid.uvic.ca>/chrysaor.westgrid.ca cron.info
CROND[20315]: ...
but on this same host, I have a file source (different source
definition), its messages go to the same destination using a separate
log statement, but when they reach the central syslog server it looks
like
2013-02-08T11:11:35-08:00
gpfs10.westgrid.uvic.ca/gpfs10.westgrid.uvic.ca/chrysaor.westgrid.ca
local2.info mmfs: ...
So it seems that the file source is populating the host with
{hostname}/{hostname}
Was this intentional?
source mmfs { file("/var/adm/ras/mmfs.log.latest" log_fetch_limit(100)
program_override(mmfs) default-facility(local2) default-priority(info)
flags(no-parse) ); };
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng FAQ:
http://www.balabit.com/wiki/syslog-ng-faq