In order to get around the problem I mentioned earlier with messages being logged to the $HOST (s) "Message" and "last", I altered the sources.c file do_add_source_name subroutine lines from:

if (logmsg->host) logmsg->host = c_format("%fS/%fS", logmsg->host, name);

to:

if (logmsg->host) logmsg->host = c_format("%fS/%fS", name, logmsg->host);

After making this change (swapping name and logmsg->host arguments), messages that used to look like:

Sep 20 02:08:22 Message/aaaa.bbbb.cornell.edu forwarded from aaaa: sshd[40128]: log: ...

Now appear as:

Sep 20 02:08:22 aaaa.bbbb.cornell.edu/Message forwarded from aaaa: sshd[40128]: log: ...

(To be honest, I think the second format looks better anyway.)

I actually changed (simplified) the entire do_add_source_name subroutine chain_hostnames block in accordance with our needs. I'm including below the patch I generated to show how that code now looks.

*** sources.c Tue Aug 22 04:44:55 2000 --- sources.c.new Wed Sep 20 06:25:53 2000 *************** *** 198,223 **** name = get_source_hostname(logmsg->saddr, self->use_dns, self->use_fqdn); if (self->chain_hostnames) { ! if (logmsg->flags & LF_LOCAL) { ! /* local */ ! ol_string_free(logmsg->host); ! logmsg->host = c_format("%S@%fS", ! self->name, name); ! } ! else if (!logmsg->host) { ! /* remote && no hostname */ ! logmsg->host = c_format("%S/%fS", name, name); ! } ! else { ! /* everything else, append source hostname */ ! if (logmsg->host) ! logmsg->host = ! c_format("%fS/%fS", ! logmsg->host, name); ! else ! logmsg->host = ! c_format("%fS", name); ! } } else { ol_string_free(logmsg->host); --- 198,208 ---- name = get_source_hostname(logmsg->saddr, self->use_dns, self->use_fqdn); if (self->chain_hostnames) { ! if (logmsg->host) ! logmsg->host = c_format("%fS/%fS", ! name, logmsg->host); ! else ! logmsg->host = c_format("%fS", name); } else { ol_string_free(logmsg->host);

---
John A. Parker
Senior Programmer/Analyst - AIX
Cornell University
jap54@cornell.edu
607-255-9356
607-255-8521 (Fax)
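Review bot: the new chain_hostnames block removes the "if (logmsg->flags & LF_LOCAL)" branch, so locally generated messages no longer get the self->name@name form and are chained exactly like relayed ones; that is a wider behaviour change than the argument swap the message describes. If only the ordering for relayed messages is meant to change, keep the LF_LOCAL branch and swap the arguments only in the last c_format("%fS/%fS", ...) call. The removed "remote && no hostname" branch also changes output: it used to produce name/name and the new else branch produces name alone, which deserves a line in the comment so the difference is intentional and documented.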
On Wed, Sep 20, 2000 at 07:30:07AM -0400, John A. Parker wrote:
Sep 20 02:08:22 aaaa.bbbb.cornell.edu/Message forwarded from aaaa: sshd[40128]: log: ... (To be honest, I think the second format looks better anyway.)
yes. ;-) What happens when you use file("$HOST/$PROGRAM/$YEAR_$MONTH" create_dirs(yes)); with your "fix" ? Will I still get logs from "Message" ? (yes...running AIX. :-/) --
Jernej,
What happens when you use
file("$HOST/$PROGRAM/$YEAR_$MONTH" create_dirs(yes));
with your "fix" ? Will I still get logs from "Message" ? (yes...running AIX. :-/)
I tested this destination under both the original and altered versions of syslog-ng, and could see no difference in the way files were created. However, from both I did see results I would neither expect nor desire. As you can see from the results of a "find ." execution at the root of the directory tree used by syslog-ng for the destination:

d_test { file("/logs/test/$HOST/$PROGRAM/$YEAR_$MONTH" create_dirs(yes));};

is:

.
./aaaa.bbbb.cornell.edu
./aaaa.bbbb.cornell.edu/At
./aaaa.bbbb.cornell.edu/At/2000_09
./aaaa.bbbb.cornell.edu/--syslog
./aaaa.bbbb.cornell.edu/--syslog/2000_09
./cccc.dddd.cornell.edu
./cccc.dddd.cornell.edu/dhcpd
./cccc.dddd.cornell.edu/dhcpd/2000_09
./eeee.dddd.cornell.edu
./eeee.dddd.cornell.edu/forwarded from eeee
./eeee.dddd.cornell.edu/forwarded from eeee/2000_09
./ffff.bbbb.cornell.edu
./ffff.bbbb.cornell.edu/--syslog
./ffff.bbbb.cornell.edu/--syslog/2000_09
./ffff.bbbb.cornell.edu/At
./ffff.bbbb.cornell.edu/At/2000_09
./gggg.dddd.cornell.edu
./gggg.dddd.cornell.edu/13125
./gggg.dddd.cornell.edu/13125/2000_09
./gggg.dddd.cornell.edu/13126
./gggg.dddd.cornell.edu/13126/2000_09
./gggg.dddd.cornell.edu/13127
./gggg.dddd.cornell.edu/13127/2000_09
./gggg.dddd.cornell.edu/13128
./gggg.dddd.cornell.edu/13128/2000_09
./hhhh.iiii.cornell.edu
./hhhh.iiii.cornell.edu/forwarded from hhhh
./hhhh.iiii.cornell.edu/forwarded from hhhh/2000_09
./jjjj
./jjjj/sudo
./jjjj/sudo/2000_09
./kkkk.dddd.cornell.edu
./kkkk.dddd.cornell.edu/dhcpd
./kkkk.dddd.cornell.edu/dhcpd/2000_09
./llll.dddd.cornell.edu
./llll.dddd.cornell.edu/sendmail
./llll.dddd.cornell.edu/sendmail/2000_09
./mmmm.bbbb.cornell.edu
./mmmm.bbbb.cornell.edu/At
./mmmm.bbbb.cornell.edu/At/2000_09
./nnnn.dddd.cornell.edu
./nnnn.dddd.cornell.edu/forwarded from nnnn
./nnnn.dddd.cornell.edu/forwarded from nnnn/2000_09

Directories like: "/forwarded from nnnn/" are not good for us. Additionally, I did not see any "Message" directories, but only let the test run for a few minutes.
I really don't know for sure whether what I changed might break other functions. I think only Bazsi can make that observation. John --- John A. Parker Senior Programmer/Analyst - AIX Cornell University jap54@cornell.edu 607-255-9356 607-255-8521 (Fax)
Hi,
file("$HOST/$PROGRAM/$YEAR_$MONTH" create_dirs(yes));
with your "fix" ? Will I still get logs from "Message" ? (yes...running AIX. :-/)
I tested this destination under both the original and altered versions of syslog-ng, and could see no difference in the way files were created. However, from both I did see results I would neither expect nor desire. As you can see from the results of a "find ." execution at the root of the directory tree used by syslog-ng for the destination:
d_test { file("/logs/test/$HOST/$PROGRAM/$YEAR_$MONTH" create_dirs(yes));};
is:
.
./aaaa.bbbb.cornell.edu
./aaaa.bbbb.cornell.edu/At
./aaaa.bbbb.cornell.edu/At/2000_09
./aaaa.bbbb.cornell.edu/--syslog
./aaaa.bbbb.cornell.edu/--syslog/2000_09
./cccc.dddd.cornell.edu
./cccc.dddd.cornell.edu/dhcpd
./cccc.dddd.cornell.edu/dhcpd/2000_09
./eeee.dddd.cornell.edu
./eeee.dddd.cornell.edu/forwarded from eeee
./eeee.dddd.cornell.edu/forwarded from eeee/2000_09
./ffff.bbbb.cornell.edu
./ffff.bbbb.cornell.edu/--syslog
./ffff.bbbb.cornell.edu/--syslog/2000_09
./ffff.bbbb.cornell.edu/At
./ffff.bbbb.cornell.edu/At/2000_09
./gggg.dddd.cornell.edu
./gggg.dddd.cornell.edu/13125
./gggg.dddd.cornell.edu/13125/2000_09
./gggg.dddd.cornell.edu/13126
./gggg.dddd.cornell.edu/13126/2000_09
./gggg.dddd.cornell.edu/13127
./gggg.dddd.cornell.edu/13127/2000_09
./gggg.dddd.cornell.edu/13128
./gggg.dddd.cornell.edu/13128/2000_09
./hhhh.iiii.cornell.edu
./hhhh.iiii.cornell.edu/forwarded from hhhh
./hhhh.iiii.cornell.edu/forwarded from hhhh/2000_09
./jjjj
./jjjj/sudo
./jjjj/sudo/2000_09
./kkkk.dddd.cornell.edu
./kkkk.dddd.cornell.edu/dhcpd
./kkkk.dddd.cornell.edu/dhcpd/2000_09
./llll.dddd.cornell.edu
./llll.dddd.cornell.edu/sendmail
./llll.dddd.cornell.edu/sendmail/2000_09
./mmmm.bbbb.cornell.edu
./mmmm.bbbb.cornell.edu/At
./mmmm.bbbb.cornell.edu/At/2000_09
./nnnn.dddd.cornell.edu
./nnnn.dddd.cornell.edu/forwarded from nnnn
./nnnn.dddd.cornell.edu/forwarded from nnnn/2000_09
Directories like: "/forwarded from nnnn/" are not good for us. Additionally, I did not see any "Message" directories, but only let the test run for a few minutes.
I really don't know for sure whether what I changed might break other functions. I think only Bazsi can make that observation.
The code you changed affects only the hostname part of the loglines written to files. If you intend to change the parsed hostname value you should change msg->host, which is a struct ol_string *. If you intend to change the way syslog-ng parses log messages you may be interested in the parse_log_msg function in log.c. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 url: http://www.balabit.hu/pgpkey.txt
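Added example, not part of the thread and not syslog-ng's own code: a stand-alone C sketch of the parsing issue discussed above, where the AIX relay prefix "Message forwarded from <host>:" ends up in the host and program fields and then in directory names. The function names and the sanitising rule are hypothetical; it assumes the input is the message text after the timestamp, and it goes slightly beyond the thread by also making each value safe as a single path component before it is used in a file() template.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: make a message-derived value safe as ONE path component (buffer >= 2 bytes). */
static void safe_component(char *s)
{
    if (*s == '\0') { strcpy(s, "_"); return; }
    for (char *p = s; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr("._-", *p))
            *p = '_';            /* '/', spaces, control bytes */
    if (*s == '.' || *s == '-')
        *s = '_';                /* no "..", dotfiles or option-like names */
}

/* Copy [b, e) into dst (size n), truncating and NUL-terminating. */
static void copy_span(char *dst, size_t n, const char *b, const char *e)
{
    size_t len = (size_t)(e - b) < n ? (size_t)(e - b) : n - 1;
    memcpy(dst, b, len);
    dst[len] = '\0';
}

/* Hypothetical parser for the text after the timestamp; returns 0 on success. */
int split_host_program(const char *msg, char *host, size_t hn, char *prog, size_t pn)
{
    static const char aix[] = "Message forwarded from ";
    const char *sep = " ", *end;
    if (hn < 2 || pn < 2) return -1;
    if (strncmp(msg, aix, sizeof aix - 1) == 0) {
        msg += sizeof aix - 1;   /* AIX relay prefix: the real host follows */
        sep = ": ";
    }
    if (!(end = strstr(msg, sep))) return -1;
    copy_span(host, hn, msg, end);
    msg = end + strlen(sep);
    copy_span(prog, pn, msg, msg + strcspn(msg, "[: "));  /* stop at pid or colon */
    safe_component(host);
    safe_component(prog);
    return 0;
}

int main(void)
{
    char h[64], p[32];   /* constructed sample in the AIX relay format */
    if (!split_host_program("Message forwarded from aaaa: sshd[40128]: log: x",
                            h, sizeof h, p, sizeof p))
        printf("/logs/test/%s/%s/2000_09\n", h, p);
}
```

With this normalisation the relayed sample maps to aaaa/sshd rather than a "forwarded from aaaa" directory, and a value such as "--syslog" can no longer start with a dash.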
Bazsi,
The code you changed affects only the hostname part of the loglines written to files. If you intend to change the parsed hostname value you should change msg->host, which is a struct ol_string *.
If you intend to change the way syslog-ng parses log messages you may be interested in the parse_log_msg function in log.c.
Thanks for your review! I think syslog-ng is a great product and have no need for modification beyond fixing (from my perspective) the way host names are parsed. I would like to clarify that more importantly to me than changing the message that is logged, my alteration changes the value syslog-ng uses when creating a log file (affects the value of $HOST). John --- John A. Parker Senior Programmer/Analyst - AIX Cornell University jap54@cornell.edu 607-255-9356 607-255-8521 (Fax)
participants (3)
- Balazs Scheidler
- Jernej Horvat
- John A. Parker