On Thu, Nov 08, 2001 at 11:35:38PM -0800, Nate Campi wrote:
On Wed, Nov 07, 2001 at 05:49:00PM -0800, Nate Campi wrote:
The problem is that a message like this on a solaris 2.6 box:
Nov 7 04:05:45 ballys ctld 5.0.6[22164]: [0] Error: unable to read header - Status: NoMoreData.
...will arrive (via UDP) on my linux loghost (syslog-ng 1.4.12) like this:
Nov 7 04:05:45 ballys.hotwired.com 5.0.6[22164]: [0] Error: unable to read header - Status: NoMoreData.
Can anyone tell me why the program info is lost when solaris 2.6 sends my message over UDP to syslog-ng 1.4.12?
probably because the strange format of the message. as I read the code, anything after the hostname until '[' or ':' is taken part of the program which sent the message, at least this is true when every part of the message is received. try to snoop the network (or truss syslog-ng) to find out how the message was sent "exactly". I suspect that there's no timestamp in the message and no hostname either, so syslog-ng parses ctld as the hostname and 5.0.6 and programname, and later it replaces ctld to the hostname the given message was received from. (this can be changed with keep_hostname(yes or no)) -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1