On 2004-05-17 (Mon) at 07:14, Jason Haar wrote:
Hi there
I don't know if this is a bug with syslog-ng-1.6.4 or NTsyslog (which generated the syslog record), but we have a problem with records generated by some NT applications showing up "corrupted" within syslog-ng.
Namely it thinks the hostname is the process name.
However, looking with a sniffer shows what is really going on:
NTSyslog records generally look like:
<(facility tag)>May 17 14:22:22 security[success] blah blah
and syslog-ng records that as
timestamp PTR-record security[success] blah blah
However, what if the process name has spaces in it? It looks like
<(facility tag)>May 17 14:22:22 trend user alert micro scanmail for microsoft \ exchange[warning]: (msg)
syslog-ng records that as
timestamp trend user alert micro scanmail...
I think syslog-ng is looking at the first word as the process name, and if it doesn't "look like a process name", then it assumes it must be the hostname?

Yes, exactly. When there are two words before the first '[' or ':', it assumes the first is the hostname and the second is the program name. The program name may not contain spaces per RFC3164.

There are the bad_hostnames() and check_hostname() options, which might help, provided there are no hosts containing the substring 'trend':

    options { bad_hostnames("^trend$"); };

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
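
The host-attribution heuristic described in the reply, as an added example that is not part of the original thread and is not syslog-ng's own code. It is a simplified model; the names `split_host`, `misattributed` and `nt-host.example`, and the priority values in the sample records, are constructed for illustration.

```python
import re

# Simplified model of the heuristic described in the reply above.
# It is NOT syslog-ng's parser; names and sample records are constructed.
HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$", re.S)
TAG_END = re.compile(r"[\[:]")  # the tag ends at the first '[' or ':'


def split_host(record, peer_name, bad_hostnames=None):
    """Return (host, text) as the receiving side would attribute the record.

    peer_name stands in for the PTR record of the sending address.
    bad_hostnames is a regex; a first word matching it is never taken as a host.
    """
    m = HEADER.match(record)
    if m is None:
        return peer_name, record
    rest = m.group(3)
    end = TAG_END.search(rest)
    if end is None:
        return peer_name, rest
    words = rest[:end.start()].split(" ")
    if len(words) < 2:
        # One word before '[' or ':': it is the program name, host comes from the peer.
        return peer_name, rest
    candidate = words[0]
    if bad_hostnames and re.search(bad_hostnames, candidate):
        # Rejected as a hostname: keep the whole text and attribute it to the peer.
        return peer_name, rest
    # Two or more words: the first word is taken as the hostname.
    return candidate, rest[len(candidate) + 1:]


def misattributed(records, peer_name, bad_hostnames=None):
    """List records whose host field would not be the sender's own name."""
    return [r for r in records if split_host(r, peer_name, bad_hostnames)[0] != peer_name]


SAMPLES = [  # constructed from the record shapes quoted in the thread
    "<13>May 17 14:22:22 security[success] blah blah",
    "<12>May 17 14:22:22 trend user alert micro scanmail for microsoft exchange[warning]: (msg)",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(split_host(rec, "nt-host.example"), split_host(rec, "nt-host.example", r"^trend$"))
```

Records flagged by `misattributed` are the ones that would be filed under a hostname that no machine actually has, which matters for any per-host filter or alert downstream.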