weird "program name:" shortening to just "name:"
Hi, I've just noticed something very odd in syslog-ng. It shortens the program name without my consent. When I try something like this: logger -t 'Oracle Test Version' testing I get in the logs: Jul 3 10:37:08 hostname Version: testing so it has reduced 'Oracle Test Version' to just 'Version' without my permission... I've done this same test on another server using the classic version of syslog and it works as expected: Jul 3 10:49:06 hostname2 Oracle Test Version: testing I have verified this looks broken across 2 syslog-ng servers and my workstation, but I have no idea why. Does syslog-ng have some specific reason for mangling this? Is there a workaround? (other than just changing to Oracle_Test_Version which I have verified works since it's one word) -h -- Hari Sekhon
Hi,
Hi,
I've just noticed something very odd in syslog-ng. It shortens the program name without my consent.
This might be fixed by patching syslog-ng, but you should be aware that syslog isn't about writing random strings to logs. If you're violating the RFC (and you definitely do here), then expect troubles. period. syslogd is quite dumb, it simply logs what it gets. If you want syslog-ng to do the same then either use the no-parse option and/or use $MSG in a template. Regards, Sandor -------------------------------------------------------- NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.
On Thu, 2008-07-03 at 10:53 +0100, Hari Sekhon wrote:
Hi,
I've just noticed something very odd in syslog-ng. It shortens the program name without my consent.
When I try something like this:
logger -t 'Oracle Test Version' testing
I get in the logs:
Jul 3 10:37:08 hostname Version: testing
so it has reduced 'Oracle Test Version' to just 'Version' without my permission...
I've done this same test on another server using the classic version of syslog and it works as expected:
Jul 3 10:49:06 hostname2 Oracle Test Version: testing
I have verified this looks broken across 2 syslog-ng servers and my workstation, but I have no idea why. Does syslog-ng have some specific reason for mangling this? Is there a workaround? (other than just changing to Oracle_Test_Version which I have verified works since it's one word)
the grammar of the syslog line format is ambigious. if you have a space in your application name it is not possible to determine which is the hostname and which is the application name. This is a full log message: Jul 3 10:49:06 hostname2 Oracle: testing However some syslogds omit the 'hostname2' part, when it becomes: Jul 3 10:49:06 Oracle: testing This has to be properly recognized. However given your example of adding a space: Jul 3 10:49:06 Oracle Test: testing This might be interpreted two ways: * a message which came from a host named 'Oracle' and an application called 'Test' * a message which came from a syslogd which did not supply the hostname, the application called 'Oracle Test' For this very reason syslog-ng supports a regexp called as "bad_hostnames()". If you specify a regexp that matches known applications that put space in their name, syslog-ng will properly recognize the application. E.g. specify bad_hostnames("^Oracle") in your global options. -- Bazsi
participants (3)
-
Balazs Scheidler
-
Geller, Sandor (IT)
-
Hari Sekhon