On Thu, Jan 02, 2003 at 03:28:49PM -0500, Noam Meltzer wrote:
I thing you confused it a little... According to my last message (and a similar thread I created recently) The problem with the hostname resolving of Solaris is fixed with using:
keep_hostname(no)
But, I would really like to understand what's going on in there. Is my assumption correct?
No. syslog-ng parses the incoming message, but the format of messages is _very_ vague. Depending on the sender the message itself can have many form. The problem here was the sender program contains a space, and Solaris syslogd does not add originating hostname to its local messages (unless it relays the message) Thus it is not possible to decide whether the message received contains 'hostname' & 'program' or a single 'program' but with a space in it. keep_hostname() is not a solution, just a workaround, so syslog-ng itself does not rewrite the hostname. The filter expression host('^hostname$') would still use the part before the space (e.g. the program name). The solution is to fix the sender program, no better workaround exists in syslog-ng. Nate, the problem does not apply to local messages only, it happens to cases when Solaris sends these messages via UDP. It is not a solution to simply assume that there is no hostname for local messages -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1