Re: [syslog-ng] Date and Host in Syslog Format Need Swapping
According to basic syslog message formatting rules the hostname in that message *is* indeed "2008", unfortunately. Either use bad_hostnames("2008") or set keep_hostnames() to no or false (or whatever the negative is) and use DNS to get the hostnames. To understand why "2008" is the hostname, read the page called something like "about syslog" linked off the syslog-ng FAQ.

-----Original Message-----
From: <wiskbroom@hotmail.com>
Subj: [syslog-ng] Date and Host in Syslog Format Need Swapping
Date: Wed Jan 16, 2008 12:46 pm
Size: 440 bytes
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>

Hello:

I have an appliance that I've configured to send logs to syslog, but it is sending to a file named 2008.log instead of $FULLHOST.log

None of the other logs that I am getting contain the year, but for some reason, this one is. Below is a sample of the log itself.

Jan 16 15:31:06 2008 [192.168.100.1]

Is it possible to ignore the YEAR and make output go to $FULLHOST.log ?

Thank you,
.vp
From: bazsi@balabit.hu
To: syslog-ng@lists.balabit.hu
Date: Thu, 17 Jan 2008 10:23:34 +0100
Subject: Re: [syslog-ng] Date and Host in Syslog Format Need Swapping

On Wed, 2008-01-16 at 18:35 -0800, infosec@gmail.com wrote:
> Jan 16 15:31:06 2008 [192.168.100.1]
>
> Is it possible to ignore the YEAR and make output go to $FULLHOST.log ?

at least syslog-ng 2.0.7 can process timestamps like this. It was integrated as "LinkSys" style timestamps.

--
Bazsi
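The two replies above make the same point from different ends: a BSD-syslog (RFC 3164) header has no delimiter between the timestamp and the hostname, so the token after "hh:mm:ss" is the hostname whatever it looks like, and a receiver only gets it right if its parser knows about the trailing-year variant. The following is an added example written for this thread, not syslog-ng's own logmsg.c parser: a strict RFC 3164 header parser that takes "2008" as the hostname, beside a tolerant one that absorbs a trailing four-digit year into the timestamp, with a fallback rule in the spirit of the bad_hostname() suggestion. The sample lines are constructed, and the bad-hostname pattern and the stripping of the brackets around the address are my choices, not syslog-ng defaults.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines for this example (not captured from a real device).
# The first mirrors the appliance line quoted in the thread, the second is an
# ordinary BSD-syslog line for comparison.
SAMPLE_APPLIANCE = "Jan 16 15:31:06 2008 [192.168.100.1] link state change on port 3"
SAMPLE_NORMAL = "Jan 16 15:31:06 fw-1 kernel: accepted connection"

MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}

# RFC 3164 header: TIMESTAMP ("Mmm dd hh:mm:ss") SP HOSTNAME SP MSG.
# Nothing marks where the timestamp ends, so the token after the time is
# taken as the hostname no matter what it looks like.
RFC3164_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$")

# Tolerant header: the same, but accepts an optional four-digit year after
# the time (the trailing-year style the thread calls "LinkSys").
TOLERANT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})"
    r"(?: (?P<year>\d{4}))? (?P<host>\S+) (?P<msg>.*)$")

# A hostname that is just four digits is far more likely a stray year than a
# real host. This stands in for the thread's bad_hostname() idea; the pattern
# is an assumption of this example, not a syslog-ng default.
BAD_HOSTNAME_RE = re.compile(r"^\d{4}$")


@dataclass
class Header:
    timestamp: str
    host: str
    msg: str


def parse_strict(line: str) -> Optional[Header]:
    """Parse the header exactly as RFC 3164 lays it out."""
    m = RFC3164_RE.match(line)
    if not m or m["mon"] not in MONTHS:
        return None
    return Header(f"{m['mon']} {m['day']} {m['time']}", m["host"], m["msg"])


def parse_tolerant(line: str) -> Optional[Header]:
    """Parse the header, absorbing a trailing year into the timestamp."""
    m = TOLERANT_RE.match(line)
    if not m or m["mon"] not in MONTHS:
        return None
    ts = f"{m['mon']} {m['day']} {m['time']}"
    if m["year"]:
        ts += f" {m['year']}"
    # Strip the brackets some appliances put around their address so the
    # host is usable as a file name (my normalisation, not syslog-ng's).
    return Header(ts, m["host"].strip("[]"), m["msg"])


def parse(line: str) -> Optional[Header]:
    """Strict parse first; re-parse tolerantly only when the hostname field
    looks like a bare year."""
    hdr = parse_strict(line)
    if hdr is not None and BAD_HOSTNAME_RE.match(hdr.host):
        return parse_tolerant(line)
    return hdr


def destination_file(line: str) -> Optional[str]:
    """Mimic a file("$FULLHOST.log") destination for the parsed line."""
    hdr = parse(line)
    return None if hdr is None else f"{hdr.host}.log"


if __name__ == "__main__":
    for line in (SAMPLE_APPLIANCE, SAMPLE_NORMAL):
        print("strict  :", parse_strict(line))
        print("tolerant:", parse_tolerant(line))
        print("file    :", destination_file(line))
```

The ambiguity is inherent to the format: a host genuinely named with four digits cannot be told apart from a stray year by the parser alone, which is why the thread's two remedies (declare the value a bad hostname, or drop the claimed hostname with keep_hostname(no) and take it from DNS) act on the hostname rather than on the timestamp.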
From: wiskbroom@hotmail.com
To: syslog-ng@lists.balabit.hu
Date: Thu, 17 Jan 2008 07:43:41 -0500
Subject: Re: [syslog-ng] Date and Host in Syslog Format Need Swapping

Baz;

Thank you, I hadn't a good reason, until now, to upgrade. I will try that and see.

All the best,
.vp
Bazsi;

I've just compiled eventlog and syslog-ng latest and am unable to find any mention in either sample syslog-ng.conf files, nor in any documentation.

How would I go about setting up "LinkSys" style timestamps for a particular host only, leaving others alone, say based on its IP address?

Many thanks,
.vp
Date: Thu, 17 Jan 2008 14:34:50 +0000
From: Sandor.Geller@morganstanley.com
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng] Date and Host in Syslog Format Need Swapping

Hi,

Speaking on behalf of Bazsi :)

> Bazsi;
> I've just compiled eventlog and syslog-ng latest and am unable to find any mention in either sample syslog-ng.conf files, nor in any documentation.

There are sample conffiles and almost the complete documentation in the source tarball...

> How would I go about setting up "LinkSys" style timestamps for a particular host only, leaving others alone, say based on its IP address?

It is unnecessary. Syslog-ng should recognise the date format without any customisation.

regards,
Sandor

--------------------------------------------------------
NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.
Sandor;

While I appreciate your input, your references to the docs yielded negative hits, as I've mentioned, for anything with the word "LinkSys".

My original email stated that the syslog format was receiving data from an appliance which has YEAR where HOSTNAME belongs.

Thanks anyway, and I hope someone can assist.

.vp

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
Hi,

> Sandor;
> While I appreciate your input, your references to the docs yielded negative hits, as I've mentioned, for anything with the word "LinkSys".

There is additional timestamp format parsing code in logmsg.c. Also this new feature is mentioned in the NEWS file. Sorry but I still don't understand what other information you're looking for.

> My original email stated that the syslog format was receiving data from an appliance which has YEAR where HOSTNAME belongs.

Did you try out syslog-ng 2.0.7? If it fails to recognise the timestamp format your appliance uses then please provide at least a full packet to check what is still missing from the parser.

Regards,
Sandor
[syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???

Hello;

I thought that I had all of my hosts setup to log into /var/log/ABCcorp/$FULLHOST/$FULLHOST.log by default if not already defined by another filter, but I am seeing that they log to multiple destinations instead.

For instance, I have a host named linksys-1000, logs for this host get sent into:

/var/log/ABCcorp/accesspoints/linksys-1000/linksys-1000.log

as well as

/var/log/ABCcorp/linksys-1000/linksys-1000.log

Also, I do not understand how /var/log/ABCcorp/$FULLHOST/$FULLHOST.log gets created and used in the first place, there is no filter setup like this.

Thanks all,
.vp

Here is a sample of my config file:

###########
# Destinations #
###########
destination D_switch       { file("/var/log/ABCcorp/switches/$FULLHOST.log" perm(0644)); };
destination D_edge         { file("/var/log/ABCcorp/edge_devices/$FULLHOST.log" perm(0644)); };
destination D_firewall     { file("/var/log/ABCcorp/firewalls/$FULLHOST.log" perm(0644)); };
destination D_router       { file("/var/log/ABCcorp/routers/$FULLHOST.log" perm(0644)); };
destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$FULLHOST.log" perm(0644)); };
destination D_udp          { file("/var/log/ABCcorp/$FULLHOST.log" perm(0644)); };

# Braces keep each macro name separate from the underscore that follows it.
destination D_hosts {
    file("/var/log/ABCcorp/$HOST/$YEAR/$MONTH/$DAY/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};

destination D_db_discard { file("/var/log/discard.log"); };
destination D_db_mysql {
    pipe("/var/log/mysql.pipe"
         template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
         template-escape(yes));
};

#######
# Filters #
#######
filter F_edge         { host("edge*") or host("192.116.*"); };
filter F_router       { host("gw*") or host("rtr") or host("router"); };
filter F_switch       { host("sw*") or host("sw1") or host("sw2"); };
filter F_firewall     { host("^fw*"); };
filter F_accesspoints { host("^linksys*"); };
filter F_InternetIP   { host("192.116.19.*"); };

#######
# Logs #
#######
log { source(S_udp); filter(F_switch);       destination(D_switch); };
log { source(S_udp); filter(F_router);       destination(D_router); };
log { source(S_udp); filter(F_edge);         destination(D_edge); };
log { source(S_udp); filter(F_firewall);     destination(D_firewall); };
log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };
log { source(S_udp); destination(D_udp); };
log { source(S_udp); destination(D_db_mysql); };
Date: Thu, 17 Jan 2008 14:26:43 -0800
From: erempel@uvic.ca
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???

You have hostname chaining enabled. In this case, the $FULLHOST macro expands to $HOST/$HOST for most directly logging hosts (no other relay syslogs).

Try using a $FULLHOST_FROM or $HOST

Evan Rempel
From: wiskbroom@hotmail.com
To: syslog-ng@lists.balabit.hu
Date: Fri, 18 Jan 2008 08:48:39 -0500
Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???

Thank you Evan, does hostname chaining also force multiple logging? If not, does anyone know why I am logging my data to two locations instead of just one?

By the way, any good references to writing a good .conf file for this would be greatly appreciated.

Thanks again.
.vp
From: wiskbroom@hotmail.com
To: syslog-ng@lists.balabit.hu
Date: Fri, 18 Jan 2008 08:50:48 -0500
Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???

Yikes, spoke too soon, apparently I do not have hostname chaining enabled.

options {
    chain_hostnames(no);
    create_dirs(yes);
    dir_perm(0755);
    use_dns(yes);
    dns_cache(yes);
    dns_cache_size(1000);
    dns_cache_expire(604800);
    keep_hostname(yes);
    log_fifo_size(10000);
    log_msg_size(8192);
    long_hostnames(on);
    perm(0644);
    stats(3600);
    sync(0);
    #
    # Change to 1?
    # time_reopen(1);
    time_reopen(10);
    use_dns(yes);
    use_fqdn(yes);
};

.vp
Evan Rempel said:
> You have hostname chaining enabled. In this case, the $FULLHOST macro expands to $HOST/$HOST for most directly logging hosts (no other relay syslogs).
> Try using a $FULLHOST_FROM or $HOST

Agreed - vp, please try $HOST instead of $FULLHOST in your destinations.
From: joe_fegan@hotmail.com
To: syslog-ng@lists.balabit.hu
Date: Fri, 18 Jan 2008 14:20:49 +0000
Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???

> log { source(S_udp); filter(F_switch); destination(D_switch); };
> log { source(S_udp); filter(F_router); destination(D_router); };
> log { source(S_udp); filter(F_edge); destination(D_edge); };
> log { source(S_udp); filter(F_firewall); destination(D_firewall); };
> log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };
> log { source(S_udp); destination(D_udp); };
> log { source(S_udp); destination(D_db_mysql); };
> ... does anyone know why I am logging my data to two locations instead of just one?

Incoming messages are sent along *all* log paths that match. Every message that arrives from S_udp will be sent to D_udp and also to D_db_mysql. Some of those messages will also be sent along some of the more specific paths. If you don't want this to happen you can use the "final" keyword on the more specific paths.

> I have a host named linksys-1000, logs for this host get sent into:
> /var/log/ABCcorp/accesspoints/linksys-1000/linksys-1000.log
> as well as
> /var/log/ABCcorp/linksys-1000/linksys-1000.log

Here's the reason:

destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$FULLHOST.log" perm(0644)); };
destination D_udp          { file("/var/log/ABCcorp/$FULLHOST.log" perm(0644)); };

log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };
log { source(S_udp); destination(D_udp); };

udp messages from linksys-1000 will be sent along both of these paths because they match both.

Joe.
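To make Joe's routing rule concrete, here is an added simulation of how syslog-ng walks its log statements; it is example code written for this thread, not syslog-ng's own implementation, and the message and the three path orderings are constructed from the config quoted above. In syslog-ng the final flag belongs to the log statement, written as flags(final), and a message that matched a final statement is not offered to any statement after it. The third ordering shows the caveat that follows from that: if the database path is listed after the final ones, the central copy is silently starved.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Destination name -> target template, taken from the config in the thread
# (D_db_mysql is a pipe; its path is listed so it can be routed like a file).
DESTINATIONS = {
    "D_accesspoints": "/var/log/ABCcorp/accesspoints/$FULLHOST.log",
    "D_udp": "/var/log/ABCcorp/$FULLHOST.log",
    "D_db_mysql": "/var/log/mysql.pipe",
}


@dataclass
class LogPath:
    """One syslog-ng log { ... } statement."""
    source: str
    destinations: List[str]
    filter: Optional[Callable[[dict], bool]] = None
    final: bool = False          # stands in for flags(final)


def host_matches(pattern: str) -> Callable[[dict], bool]:
    """Equivalent of filter host("..."): a regex searched in $HOST."""
    rx = re.compile(pattern)
    return lambda msg: rx.search(msg["HOST"]) is not None


def expand(template: str, msg: dict) -> str:
    """Minimal $MACRO expansion, enough for the templates used here."""
    return re.sub(r"\$(\w+)", lambda m: msg.get(m.group(1), m.group(0)), template)


def make_message(host: str, text: str = "constructed test message") -> dict:
    """A message as S_udp would hand it on; with chain_hostnames(no) the
    $FULLHOST value is simply the host the packet claimed."""
    return {"SOURCE": "S_udp", "HOST": host, "FULLHOST": host, "MSG": text}


def route(msg: dict, paths: List[LogPath]) -> Dict[str, str]:
    """Offer the message to every log statement in order. Each one whose
    source and filter match delivers; one marked final also ends the walk,
    so later statements never see the message. Returns destination name ->
    expanded target, in delivery order."""
    delivered: Dict[str, str] = {}
    for path in paths:
        if path.source != msg["SOURCE"]:
            continue
        if path.filter is not None and not path.filter(msg):
            continue
        for name in path.destinations:
            delivered[name] = expand(DESTINATIONS[name], msg)
        if path.final:
            break
    return delivered


# The thread's ordering: no final flags, so linksys-1000 reaches all three.
ORIGINAL_PATHS = [
    LogPath("S_udp", ["D_accesspoints"], host_matches("^linksys*")),
    LogPath("S_udp", ["D_udp"]),
    LogPath("S_udp", ["D_db_mysql"]),
]

# Database path first, flat-file paths marked final after it: every message
# still reaches the database and exactly one flat file.
DB_FIRST_PATHS = [
    LogPath("S_udp", ["D_db_mysql"]),
    LogPath("S_udp", ["D_accesspoints"], host_matches("^linksys*"), final=True),
    LogPath("S_udp", ["D_udp"], final=True),
]

# Same flags but database path last: the first matching final path stops the
# walk before the database statement is ever offered the message.
DB_LAST_PATHS = [
    LogPath("S_udp", ["D_accesspoints"], host_matches("^linksys*"), final=True),
    LogPath("S_udp", ["D_udp"], final=True),
    LogPath("S_udp", ["D_db_mysql"]),
]


if __name__ == "__main__":
    for label, paths in (("original", ORIGINAL_PATHS),
                         ("db first", DB_FIRST_PATHS),
                         ("db last", DB_LAST_PATHS)):
        for host in ("linksys-1000", "sw1"):
            print(f"{label:9s} {host:13s} -> {list(route(make_message(host), paths))}")
```

The ordering matters more than the flag itself: put the statements that must see everything (the database, a remote relay, an archive) before any statement carrying flags(final), and keep the catch-all flat-file path last so it only picks up what no specific filter claimed.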
Ah! So, if I want to log to my database, as well as just *one* other flat file location, then I should place my destination for DB first, followed by the others for flat files, each with it's own 'final' statement? destination D_db_mysql {pipe("/var/log/mysql.pipe" template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n") template-escape(yes)); destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$FULLHOST.log" perm(0644)); final }; destination D_udp { file("/var/log/ABCcorp/$FULLHOST.log" perm(0644)); final }; Is this the correct location for final? Thanks again, .vp
From: joe_fegan@hotmail.com To: syslog-ng@lists.balabit.hu Date: Fri, 18 Jan 2008 14:20:49 +0000 Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???
log { source(S_udp); filter(F_switch); destination(D_switch); };
log { source(S_udp); filter(F_router); destination(D_router); };
log { source(S_udp); filter(F_edge); destination(D_edge); };
log { source(S_udp); filter(F_firewall); destination(D_firewall); };
log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };
log { source(S_udp); destination(D_udp); };
log { source(S_udp); destination(D_db_mysql); };
... does anyone know why I am logging my data to two locations instead of just one?
Incoming messages are sent along *all* log paths that match. Every message that arrives from S_udp will be sent to D_udp and also to D_db_mysql. Some of those messages will also be sent along some of the more specific paths. If you don't want this to happen you can use the "final" keyword on the more specific paths.
I have a host named linksys-1000, logs for this host get sent into:
/var/log/ABCcorp/accesspoints/linksys-1000/linksys-1000.log
as well as
/var/log/ABCcorp/linksys-1000/linksys-1000.log
Here's the reason:
destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$FULLHOST.log" perm(0644)); };
destination D_udp { file("/var/log/ABCcorp/$FULLHOST.log" perm(0644)); };

log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };
log { source(S_udp); destination(D_udp); };

UDP messages from linksys-1000 will be sent along both of these paths because they match both.
Joe.
________________________________
From: wiskbroom@hotmail.com To: syslog-ng@lists.balabit.hu Date: Fri, 18 Jan 2008 08:48:39 -0500 Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???
Thank you Evan, does hostname chaining also force multiple logging? If not, does anyone know why I am logging my data to two locations instead of just one?
By the way, any good references to writing a good .conf file for this would be greatly appreciated.
Thanks again.
.vp
Date: Thu, 17 Jan 2008 14:26:43 -0800 From: erempel@uvic.ca To: syslog-ng@lists.balabit.hu Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???
You have hostname chaining enabled. In this case, the $FULLHOST macro expands to $HOST/$HOST for most directly logging hosts (no other relay syslogs).
Try using a $FULLHOST_FROM or $HOST
Evan Rempel
wiskbroom@hotmail.com wrote:
Hello;
I thought that I had all of my hosts set up to log into /var/log/ABCcorp/$FULLHOST/$FULLHOST.log by default if not already defined by another filter, but I am seeing that they log to multiple destinations instead.
For instance, I have a host named linksys-1000, logs for this host get sent into:
/var/log/ABCcorp/accesspoints/linksys-1000/linksys-1000.log
as well as
/var/log/ABCcorp/linksys-1000/linksys-1000.log
Also, I do not understand how /var/log/ABCcorp/$FULLHOST/$FULLHOST.log gets created and used in the first place; there is no filter set up like this.
Thanks all,
.vp
Here is a sample of my config file:
###########
# Destinations #
###########

destination D_switch { file("/var/log/ABCcorp/switches/$FULLHOST.log" perm(0644)); };
destination D_edge { file("/var/log/ABCcorp/edge_devices/$FULLHOST.log" perm(0644)); };
destination D_firewall { file("/var/log/ABCcorp/firewalls/$FULLHOST.log" perm(0644)); };
destination D_router { file("/var/log/ABCcorp/routers/$FULLHOST.log" perm(0644)); };
destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$FULLHOST.log" perm(0644)); };
destination D_udp { file("/var/log/ABCcorp/$FULLHOST.log" perm(0644)); };

# Macros followed directly by an underscore need braces; otherwise "$FACILITY_" is read as one macro name.
destination D_hosts { file("/var/log/ABCcorp/$HOST/$YEAR/$MONTH/$DAY/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };

#######
# Filters #
#######

destination D_db_discard { file("/var/log/discard.log"); };
destination D_db_mysql { pipe("/var/log/mysql.pipe" template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n") template-escape(yes)); };

# host() patterns are regular expressions, not shell globs.
filter F_edge { host("edge*") or host("192.116.*"); };
filter F_router { host("gw*") or host("rtr") or host("router"); };
filter F_switch { host("sw*") or host("sw1") or host("sw2"); };
filter F_firewall { host("^fw*"); };
filter F_accesspoints { host("^linksys*"); };
filter F_InternetIP { host("192.116.19.*"); };

#######
# Logs #
#######

log { source(S_udp); filter(F_switch); destination(D_switch); };
log { source(S_udp); filter(F_router); destination(D_router); };
log { source(S_udp); filter(F_edge); destination(D_edge); };
log { source(S_udp); filter(F_firewall); destination(D_firewall); };
log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };
log { source(S_udp); destination(D_udp); };
log { source(S_udp); destination(D_db_mysql); };
------------------------------------------------------------------------
No, "final" goes into the "log" statement. It means "if you decide to follow this path then don't bother evaluating any others". In principle you have the right idea though; put the "always" paths first then the optional ones. It will probably perform slightly better if you put the options most likely to be chosen higher in the list.
I want to log to my database, as well as just *one* other flat file location
Try this ordering:

log { source(S_udp); destination(D_db_mysql); };
log { source(S_udp); filter(F_switch); destination(D_switch); flags(final); };
log { source(S_udp); filter(F_router); destination(D_router); flags(final); };
log { source(S_udp); filter(F_edge); destination(D_edge); flags(final); };
log { source(S_udp); filter(F_firewall); destination(D_firewall); flags(final); };
log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); flags(final); };
log { source(S_udp); destination(D_udp); };

D_udp will get only messages that didn't match one of the more specific filters. I think this was your intention. If you want D_udp to get all messages then move it up to the top with D_db_mysql.
________________________________
From: wiskbroom@hotmail.com To: syslog-ng@lists.balabit.hu Date: Fri, 18 Jan 2008 11:37:50 -0500 Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???
Ah! So, if I want to log to my database, as well as just *one* other flat file location, then I should place my destination for DB first, followed by the others for flat files, each with its own 'final' statement?

destination D_db_mysql { pipe("/var/log/mysql.pipe" template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n") template-escape(yes)); };
destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$FULLHOST.log" perm(0644)); final };
destination D_udp { file("/var/log/ABCcorp/$FULLHOST.log" perm(0644)); final };

Is this the correct location for final? Thanks again, .vp
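Joe's two answers above (a message travels down every matching log statement; flags(final) stops evaluation at the first match) as a small model, added here and not code from syslog-ng or from anyone in the thread. It assumes host() patterns are regular expressions and anchors them with ^ (the thread's unanchored "sw*" and "edge*", read as regexes, also match any hostname that merely contains an "s" or "edg"); the hostnames used as input are constructed.

```python
import re

# Added example (not syslog-ng code): a model of how syslog-ng walks its
# log statements. Each path is (host() regexes, destination, final flag);
# an empty regex list stands for a path with no filter, which matches all.

def host_matches(patterns, host):
    """True if any host() pattern (a regular expression) matches the host."""
    return any(re.search(p, host) for p in patterns)

# Anchored versions of the thread's filters (assumption: ^ added by us).
SPECIFIC = [
    (["^sw"], "D_switch"),
    (["^gw", "^rtr$", "^router$"], "D_router"),
    (["^edge", r"^192\.116\."], "D_edge"),
    (["^fw"], "D_firewall"),
    (["^linksys"], "D_accesspoints"),
]

def original_paths():
    """wiskbroom's ordering: specific paths, then two catch-alls, no final."""
    return [(f, d, False) for f, d in SPECIFIC] + \
           [([], "D_udp", False), ([], "D_db_mysql", False)]

def final_paths():
    """Joe's ordering: DB first, specific paths with flags(final), D_udp last."""
    return [([], "D_db_mysql", False)] + \
           [(f, d, True) for f, d in SPECIFIC] + [([], "D_udp", False)]

def route(host, paths):
    """Destinations a message from `host` is written to, in evaluation order."""
    dests = []
    for patterns, dest, final in paths:
        if patterns and not host_matches(patterns, host):
            continue
        dests.append(dest)
        if final:          # flags(final): stop evaluating later log paths
            break
    return dests

if __name__ == "__main__":
    for host in ("linksys-1000", "sw1", "printer-7"):   # constructed hosts
        print(host, "original:", route(host, original_paths()),
              "with final:", route(host, final_paths()))
```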
participants (6)
- Balazs Scheidler
- Evan Rempel
- Geller, Sandor (IT)
- infosec@gmail.com
- Joe Fegan
- wiskbroom@hotmail.com