Issue with syslog-ng and process-names with spaces
Hi there

I don't know if this is a bug with syslog-ng-1.6.4 or NTsyslog (which generated the syslog record), but we have a problem with records generated by some NT applications showing up "corrupted" within syslog-ng. Namely it thinks the hostname is the process name.

However, looking with a sniffer shows what is really going on:

NTSyslog records generally look like:

<(facility tag)>May 17 14:22:22 security[success] blah blah

and syslog-ng records that as

timestamp PTR-record security[success] blah blah

However, what if the process name has spaces in it? It looks like

<(facility tag)>May 17 14:22:22 trend user alert micro scanmail for microsoft \
exchange[warning]: (msg)

syslog-ng records that as

timestamp trend user alert micro scanmail...

I think syslog-ng is looking at the first word as the process name, and if it doesn't "look like a process name", then it assumes it must be the hostname?

Config is:

options {
        use_dns(yes);
        use_fqdn(yes);
        dns_cache(no);
        time_reopen(10);
        keep_hostname(no);
        use_time_recvd(yes);
        log_fifo_size(100);
        mark(0);
        stats(0);
        sync(5);
};

Does that sound correct, and is there something I can do to stop it?

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
On Mon, May 17, 2004 at 05:14:49PM +1200, Jason Haar wrote:
I don't know if this is a bug with syslog-ng-1.6.4 or NTsyslog (which generated the syslog record), but we have a problem with records generated by some NT applications showing up "corrupted" within syslog-ng.
Namely it thinks the hostname is the process name.
This is what bad_hostname() is for. Usage:

new global option named bad_hostname(), expects a regular expression which should match all bad hostnames:

options {
        bad_hostname("^ctld$");
};

Just for the record, there's no way for syslog-ng to know the difference in advance between a hostname and a fsck'd up process name with a space in it. You have to tell syslog-ng about it.

--
Nate

If you tell them, they never listen. If they listen, they never learn. If they learn, they never remember. If they remember, they never obey.
On 2004-05-17 (Mon) at 07:14, Jason Haar wrote:
Hi there
I don't know if this is a bug with syslog-ng-1.6.4 or NTsyslog (which generated the syslog record), but we have a problem with records generated by some NT applications showing up "corrupted" within syslog-ng.
Namely it thinks the hostname is the process name.
However, looking with a sniffer shows what is really going on:
NTSyslog records generally look like:
<(facility tag)>May 17 14:22:22 security[success] blah blah
and syslog-ng records that as
timestamp PTR-record security[success] blah blah
However, what if the process name has spaces in it? It looks like
<(facility tag)>May 17 14:22:22 trend user alert micro scanmail for microsoft \ exchange[warning]: (msg)
syslog-ng records that as
timestamp trend user alert micro scanmail...
I think syslog-ng is looking at the first word as the process name, and if it doesn't "look like a process name", then it assumes it must be the hostname?
Yes, exactly. When there are two words before the first '[' or ':' it assumes the first is the hostname and the second is the program name. The program name may not contain spaces per RFC3164.

There are the bad_hostnames() and check_hostname() options, which might help, provided there are no hosts containing the substring 'trend':

options {
        bad_hostnames("^trend$");
};

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
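The split that Bazsi describes above (first token followed by a space is taken as the hostname, the rest up to '[' or ':' as the program) and the bad_hostname() regex that both replies recommend, modelled as an added example. This is not syslog-ng's own parser: it is a small Python model of the behaviour the thread describes, and the sample records, their PRI values, the third record, the sender hostname "ntbox.example.com" (standing in for the "PTR-record" placeholder in the original post) and the character set the check_hostname()-style test accepts are all assumptions made for the demonstration. The mail-wrap backslash in the Trend line has been dropped so the record is one line.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records, modelled on the two NTsyslog lines quoted in the
# thread.  The PRI values (<13>, <12>, <14>) and the third line are made up.
RECORDS = [
    "<13>May 17 14:22:22 security[success] blah blah",
    "<12>May 17 14:22:22 trend user alert micro scanmail for microsoft exchange[warning]: (msg)",
    "<14>May 17 14:22:22 my/app version 2[7]: (msg)",
]

# Hostname the collector works out for itself (reverse DNS of the sender).
# Assumed value standing in for the "PTR-record" placeholder in the original post.
SENDER_HOST = "ntbox.example.com"

PRI_RE = re.compile(r"<(\d{1,3})>(.*)", re.S)
TIMESTAMP_RE = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d")
# Character set the check_hostname()-style validity test is assumed to accept.
HOST_CHARS_RE = re.compile(r"^[A-Za-z0-9._-]+$")


@dataclass
class Parsed:
    pri: int
    timestamp: str
    host: str
    program: str
    message: str


def parse(line: str, sender_host: str,
          bad_hostname: Optional[str] = None,
          check_hostname: bool = False) -> Parsed:
    """Split a BSD-syslog line the way the thread describes syslog-ng 1.6 doing it.

    After the PRI and timestamp, the first token is taken as a hostname when it
    is followed by a space rather than by '[' or ':'.  The token is rejected
    (and the sender's own name used instead) when it matches the bad_hostname
    regex or, with check_hostname, when it contains characters a hostname
    cannot contain.  Whatever remains up to the first '[' or ':' is the program.
    """
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> at start of line")
    pri, rest = int(m.group(1)), m.group(2)

    ts = TIMESTAMP_RE.match(rest)
    if not ts:
        raise ValueError("no RFC3164 timestamp after PRI")
    timestamp = ts.group(0)
    rest = rest[ts.end():].lstrip(" ")

    host = sender_host
    tok = re.match(r"([^ \[:]+) ", rest)
    if tok:
        candidate = tok.group(1)
        rejected = (bad_hostname is not None and re.search(bad_hostname, candidate)) \
            or (check_hostname and not HOST_CHARS_RE.match(candidate))
        if not rejected:
            # Token looked like a hostname: consume it, the program starts after it.
            host = candidate
            rest = rest[tok.end():]

    body = re.match(r"([^\[:]*)(.*)", rest, re.S)
    return Parsed(pri, timestamp, host, body.group(1).strip(), body.group(2))


def hostnames_for(line: str) -> dict:
    """Return the hostname each of three configurations would record for one line."""
    return {
        "default": parse(line, SENDER_HOST).host,
        "check_hostname": parse(line, SENDER_HOST, check_hostname=True).host,
        "bad_hostname(^trend$)": parse(line, SENDER_HOST, bad_hostname=r"^trend$").host,
    }


if __name__ == "__main__":
    for line in RECORDS:
        print(line)
        for cfg, host in hostnames_for(line).items():
            print(f"  {cfg:22} host={host}")
        print(f"  program={parse(line, SENDER_HOST, bad_hostname=r'^trend$').program!r}")
```

Under this model the "security[success]" record never trips the heuristic, because "security" is followed by '[' rather than a space. The Trend record does: "trend" is followed by a space and is made up entirely of legal hostname characters, so the check_hostname()-style test lets it through and only the bad_hostname("^trend$") regex sends it back to the program field. The constructed third record shows the reverse case, a leading token with a '/' in it, which the character check catches but the "^trend$" regex does not; the two options address different failure modes and a collector fed by NTsyslog-style senders may want both.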
participants (3)
- Balazs Scheidler
- Jason Haar
- Nate Campi