On Wed, Jan 16, 2002 at 07:45:26PM +0100, Nate Campi wrote:
On Wed, Jan 16, 2002 at 05:14:11PM +0100, Hildenbrand, Patrick wrote:
> > some more info.
> >
> > tracing the output of the SSR, the packet does not contain the hostname at the proper place but only the timestamp. So the output looks like (translated into ASCII):
> >
> >   <174>Jan 13 04:02:12 %ACL_LOG-I-DENY, ACL [280] on "rtfa" UDP 192.168.1.2:4721 -> 14.9.1.3:53
> >
> > this is the ASCII-converted hexdump of the packet; there is only a single space between date and message.
>
> [ ... ]
>
> Linux syslog sends messages like this:
>
>   <123>named[123]: another error from BIND, you should use djbdns

my debugging showed the prio being only two digits (ex. <23>), but yes, and the difference is, there is even no timestamp, which is why this case is explicitly covered in the RFC, while the case of the Cabletron SSR is not. This is probably also why syslog-ng does not have a problem with this case; it gets logged as:

  Jan 17 08:11:21 hwdf0006/hwdf0006 PAM_pwdb[22525]: (sshd) session close

so syslog-ng correctly adds time and hostname to the log entry.

The format of Linux (and others) is:  <Prio>message
The format of the SSR is:              <Prio>datetime<space>message
The format the RFC suggests is:        <Prio>datetime{space}hostname{space}message

> It is up to the relay/collector to input the complete header.

this is my understanding from the RFC too, but how do I get this using syslog-ng?

> I missed the beginning of this thread, is "%ACL_LOG-I-DENY" getting set as your hostname? I had the same problem with Solaris logs when the "TAG" field had a space in it, so syslog-ng (correctly) thinks the first part of the process name (in the "TAG") was the hostname. I wrote a syslog proxy to overcome this, since I can't ask syslog-ng to stop following standards.

as said above, there is one space between date and message, but according to the standard, there is no standard on how devices send their messages.

> Perhaps syslog-ng can have a configuration setting where if it receives a certain string in the hostname field, you can set keep-hostname to no for just that message. That would save the day for me, but I don't know how hard it would be to implement that.

Well, I would vote for getting a setting just the other way around, so for being able to configure something like options( addhostname(<pattern>) ) which would lead to the hostname being added if the pattern is matched and the pattern then being treated as part of the message. For me this just would be a '^%' as every message of the SSR is prepended with the percent sign ;-)

still do not know how much work it would be but .....

> > BTW: I do not know how the Linux syslog does it, but it does not have this problem. Maybe because '%' is not a valid char for hostnames.
>
> linux syslog is a pretty standard syslog I'd guess, though you could argue whether this is correct according to the standard.

Linux syslog displays the message above as:

  Jan 13 04:02:12 1.2.3.4 %ACL_LOG-I-DENY, ACL [280] on "rtfa" UDP 192.168.1.2:4721 -> 14.9.1.3:53

so it automagically adds the IP address to the message. Again maybe because of the '%' and ',' signs inside the string at the <hostname> position.

> --
> Nate Campi <http://www.campin.net> GnuPG key: 0xC17AEF79
Kind regards,
Patrick Hildenbrand

Patrick Hildenbrand
Operations & Technology
SAP Hosting AG & Co. KG
Raiffeisenring 45
68789 St. Leon-Rot, Germany
T +49/6227/7-66410
F +49/6227/7-66301
E patrick.hildenbrand@sap.com
http://www.saphosting.com
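A relay-side parser that handles the three header shapes compared in the thread (<Prio>message, <Prio>datetime message, <Prio>datetime hostname message), added here as an illustration; it is not part of this thread and not syslog-ng's own code. The sample datagrams, the sender address, the arrival time and the '^%' addhostname pattern are constructed for the example, modelled on the lines quoted above.

```python
import re
from datetime import datetime

# Constructed samples, modelled on the three formats discussed in the thread.
RFC_STYLE = '<174>Jan 13 04:02:12 rtr1 %ACL_LOG-I-DENY, ACL [280] on "rtfa" UDP 192.168.1.2:4721 -> 14.9.1.3:53'
SSR_STYLE = '<174>Jan 13 04:02:12 %ACL_LOG-I-DENY, ACL [280] on "rtfa" UDP 192.168.1.2:4721 -> 14.9.1.3:53'
LINUX_STYLE = '<23>named[123]: another error from BIND, you should use djbdns'
RECV_TIME = datetime(2002, 1, 17, 8, 11, 21)  # constructed arrival time for the timestamp-less case
MONTHS = 'Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec'.split()

PRI_RE = re.compile(r'^<(\d{1,3})>(.*)$')
TS_RE = re.compile(r'^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$')  # BSD "Mmm dd hh:mm:ss"
HOST_RE = re.compile(r'^[A-Za-z0-9.-]+$')  # '%' and ',' can never occur in a hostname
ADD_HOSTNAME = [re.compile(r'^%')]  # the addhostname(<pattern>) idea from the thread (hypothetical)

def parse(raw, sender_ip, recv_time=RECV_TIME):
    """Return (pri, timestamp, hostname, msg); the relay fills in missing header fields."""
    m = PRI_RE.match(raw)
    if not m or int(m.group(1)) > 191:
        raise ValueError('missing or invalid PRI')
    pri, rest = int(m.group(1)), m.group(2)
    ts = TS_RE.match(rest)
    if not ts:
        # <Prio>message: no timestamp at all, so the relay supplies arrival time and sender address
        stamp = '%s %2d %s' % (MONTHS[recv_time.month - 1], recv_time.day, recv_time.strftime('%H:%M:%S'))
        return pri, stamp, sender_ip, rest
    stamp, rest = ts.groups()
    head, _, tail = rest.partition(' ')
    if HOST_RE.match(head) and not any(p.match(head) for p in ADD_HOSTNAME):
        return pri, stamp, head, tail  # <Prio>datetime hostname message: header already complete
    # <Prio>datetime message: the token in the hostname slot is really the start of the message,
    # so keep it in the message and use the sender address as hostname (what Linux syslog did above)
    return pri, stamp, sender_ip, rest

def relay(raw, sender_ip, recv_time=RECV_TIME):
    """Re-emit the datagram with a complete <Prio>datetime hostname message header."""
    pri, stamp, host, msg = parse(raw, sender_ip, recv_time)
    return '<%d>%s %s %s' % (pri, stamp, host, msg)
```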