I'm running syslog-ng 3.03 on a RHEL5 system, sending logs to various files like so:

    # global log files
    destination deservers { file("/var/log/$HOST.log" owner(root) group(hobbit) perm(0640)); };

It's working fine on the Linux boxes. But I'm using Adiscon's EventLog on my Windows machines, and the $HOST name on them are coming up in all caps.

    [root@buran log]# ls -la /var/log/*.log
    ...
    -rw-r----- 1 root hobbit 282 Nov 4 14:37 /var/log/KANTECH.log
    -rw-r----- 1 root hobbit 535181 Nov 4 14:24 /var/log/PLCDATA.log

Where's this $HOST macro get its data from? The DNS entry is lower case; the full computer name on the Windows box is lower case. I don't see where the upper is coming from, unless it's one of those weird Windows-to-Unix translation things.

Not a big deal, but a bit of an annoyance. Thanks for any help.

--
Tim Boyer
Denman Tire Corporation
On Wed, 2009-11-04 at 15:05 -0500, Tim Boyer wrote:
I'm running syslog-ng 3.03 on a RHEL5 system, sending logs to various files like so:
# global log files
destination deservers { file("/var/log/$HOST.log" owner(root) group(hobbit) perm(0640)); };
It's working fine on the Linux boxes. But I'm using Adiscon's EventLog on my Windows machines, and the $HOST name on them are coming up in all caps.
[root@buran log]# ls -la /var/log/*.log
...
-rw-r----- 1 root hobbit 282 Nov 4 14:37 /var/log/KANTECH.log
-rw-r----- 1 root hobbit 535181 Nov 4 14:24 /var/log/PLCDATA.log
Where's this $HOST macro get its data from? The DNS entry is lower case; the full computer name on the Windows box is lower case. I don't see where the upper is coming from, unless it's one of those weird Windows-to-Unix translation things.
Not a big deal, but a bit of an annoyance. Thanks for any help.
I guess the client is sending the hostname in all caps, you can confirm it with tcpdump.
You can force lowercase hostnames using the option:
normalize-hostnames(yes)
-- Bazsi
Balazs Scheidler wrote:
I guess the client is sending the hostname in all caps, you can confirm it with tcpdump.
You can force lowercase hostnames using the option:
normalize-hostnames(yes)
That did it. Perfect - thanks much!
-- -- tim --
Tim Boyer Denman Tire Corporation
Will that rename them on service reload or will it start a fresh folder with hostname?
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Tim Boyer
Sent: Thursday, November 05, 2009 2:42 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Upper case $HOST
Balazs Scheidler wrote:
I guess the client is sending the hostname in all caps, you can confirm it with tcpdump.
You can force lowercase hostnames using the option:
normalize-hostnames(yes)
That did it. Perfect - thanks much!
-- -- tim --
Tim Boyer Denman Tire Corporation
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
Since you're adding a configuration option to syslog-ng.conf, you'll need to reload the process. After you reload/restart, fresh directories will be created. If I were you though, I would stop the syslog-ng process, do a for loop to rename all CAPITAL-HOSTNAME files/folders to lower-case, and then start syslog-ng again so that it will resume logging to files where it left off.
On Thu, Nov 5, 2009 at 5:39 PM, Adam Harvey <adam@smithandtinker.com> wrote:
Will that rename them on service reload or will it start a fresh folder with hostname?
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Tim Boyer
Sent: Thursday, November 05, 2009 2:42 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Upper case $HOST
Balazs Scheidler wrote:
I guess the client is sending the hostname in all caps, you can confirm it with tcpdump.
You can force lowercase hostnames using the option:
normalize-hostnames(yes)
That did it. Perfect - thanks much!
-- -- tim --
Tim Boyer Denman Tire Corporation
-- Lance Laursen Demonware Systems Engineer 1-604-689-4594 x3702
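The stop, rename, restart step suggested in the message above, as an added shell example that is not part of the original thread. It also covers the case reported later in the thread, where both plcdata.log and PLCDATA.log exist, by appending instead of overwriting; the function name lowercase_host_logs is hypothetical and the log directory (/var/log in the thread) is passed as an argument.

```shell
#!/bin/sh
# Added example: fold upper-case per-host log files into lower-case names.
# Run only while syslog-ng is stopped, so no log file is open for writing.
# lowercase_host_logs is a hypothetical name; pass the log directory
# (/var/log in the thread) as the argument. Prints the number of files moved.

lowercase_host_logs() {
    log_dir=$1
    moved=0
    for src in "$log_dir"/*.log; do
        # Regular files only; never follow symlinks when running as root.
        if [ ! -f "$src" ] || [ -L "$src" ]; then continue; fi
        base=${src##*/}
        lower=$(printf '%s' "$base" | tr '[:upper:]' '[:lower:]')
        # Already lower-case: nothing to do.
        if [ "$base" = "$lower" ]; then continue; fi
        dst="$log_dir/$lower"
        # Refuse to write through a symlink or into a directory.
        if [ -L "$dst" ] || { [ -e "$dst" ] && [ ! -f "$dst" ]; }; then
            echo "skipping $base: $lower is not a regular file" >&2
            continue
        fi
        if [ -f "$dst" ]; then
            # Both names exist (PLCDATA.log and plcdata.log in the thread):
            # append so no lines are lost and the existing lower-case file
            # keeps its owner and mode. Lines are not re-sorted by time.
            if cat "$src" >> "$dst"; then rm -f "$src"; else continue; fi
        else
            # mv within one filesystem keeps owner, group and mode.
            mv "$src" "$dst"
        fi
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Only act when a directory is given on the command line.
if [ "$#" -eq 1 ]; then lowercase_host_logs "$1"; fi
```

Mixed-case names such as Antivirus-2008.log are folded to lower case as well, which matches what a working normalize_hostnames(yes) would write to afterwards.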
Balazs Scheidler wrote:
I guess the client is sending the hostname in all caps, you can confirm it with tcpdump.
You can force lowercase hostnames using the option:
normalize-hostnames(yes)
Balazs -

Looks like I spoke too soon. Something odd is happening.

I put the option into the conf file:

    @version: 3.0
    #
    # global options
    #
    options { normalize_hostnames(yes); use_fqdn(no); use_dns(yes); dns_cache(yes); keep_hostname(yes); long_hostnames(off); create_dirs(yes); }

and restarted last night. I deleted all of the upper-case log files.

One worked - I've got this file:

    -rw-r----- 1 root hobbit 4048 Nov 6 06:13 plcdata.log

but I've also got this from the same machine:

    -rw-r----- 1 root hobbit 4395 Nov 6 06:51 PLCDATA.log

and this one hasn't changed at all:

    -rw-r----- 1 root hobbit 36847 Nov 6 06:56 Antivirus-2008.log

-- -- tim --
Tim Boyer Denman Tire Corporation
Hi,
Tim Boyer wrote:
Balazs Scheidler wrote:
I guess the client is sending the hostname in all caps, you can confirm it with tcpdump.
You can force lowercase hostnames using the option:
normalize-hostnames(yes)
Balazs -
Looks like I spoke too soon. Something odd is happening.
I put the option into the conf file:
@version: 3.0
#
# global options
#
options { normalize_hostnames(yes); use_fqdn(no); use_dns(yes); dns_cache(yes); keep_hostname(yes); long_hostnames(off); create_dirs(yes); }
You should not use "keep_hostname" in the global options, because it will block rewriting of the hostname (see the syslog-ng admin guide: http://www.balabit.hu/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s09.htm...). If you really need it, use this option in every source where you need it.
and restarted last night. I deleted all of the upper-case log files.
One worked - I've got this file:
-rw-r----- 1 root hobbit 4048 Nov 6 06:13 plcdata.log
but I've also got this from the same machine:
-rw-r----- 1 root hobbit 4395 Nov 6 06:51 PLCDATA.log
and this one hasn't changed at all:
-rw-r----- 1 root hobbit 36847 Nov 6 06:56 Antivirus-2008.log
participants (5)
- Adam Harvey
- Balazs Scheidler
- Lance Laursen
- Pallagi Zoltán
- Tim Boyer