AW: [syslog-ng]syslog-ng blanks in Servicename
On Wed, Apr 30, 2003 at 12:22:34PM +0200, Unger, Christian wrote:
Hi,
I log a lot of information via NT-Syslog to syslog-ng. Windows 2000 has some services with a blank in the service name, e.g. NTDS ISAM.
The log entry from syslog-ng looks as follows:
    Apr 15 15:42:33 ntds isam[info] 700 NTDS (268) Online defragmentation is beginning a full pass on database 'C:\WINNT\NTDS\ntds.dit'.
NTDS is NOT my hostname, that's the problem!
I think the problem is in the RFC. But I didn't read it. ( no time :[ )
Is there an easy escape? Or will the next version of syslog-ng have an escape?
try check_hostname(yes)
----
check_hostnames(yes) doesn't help.
I checked some information with tcpdump, and I found some very interesting handling. Syslog-ng is able to handle hostnames in the syslog datagram; the delimiter between hostname and service name seems to be a space. So if I have spaces in the service name, syslog-ng thinks that the first word must be the hostname, but that's wrong. What can I do now?
On Wed, May 07, 2003 at 12:25:28PM +0200, Unger, Christian wrote:
check_hostnames(yes) doesn't help.
I checked some information with tcpdump, and I found some very interesting handling. Syslog-ng is able to handle hostnames in the syslog datagram; the delimiter between hostname and service name seems to be a space. So if I have spaces in the service name, syslog-ng thinks that the first word must be the hostname, but that's wrong. What can I do now?
Sorry, check_hostname() is meant for cases when the word seeming to be a hostname contains invalid characters (like '%'). The problem is that there is no way to distinguish between a hostname and a programname containing a space.

The workaround I implemented was the bad_hostname() option, which contains a regular expression which covers bad hostnames. E.g. if you have a program that sends messages like:

    Apr 28 15:13:54 snmp ctld[12345]: message

and "snmp ctld" is the program name, then you can use bad_hostname() to make syslog-ng think that "snmp" itself is a bad hostname. (Of course this will not work if you really have a host named snmp.)

    options { bad_hostname("snmp"); };

bad_hostname() accepts an extended regular expression so you can list several bad hostnames like this:

    options { bad_hostname("snmp|iis|foo|bar"); };

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
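
A simplified model of the ambiguity discussed in this thread, added here as an illustration and not taken from syslog-ng or from either poster: the first word after the timestamp is treated as the host unless it matches the bad_hostname pattern. The function `parse`, the sender addresses and the second sample line are constructed, and the unanchored regex match is an assumption of the model.

```python
import re

# Simplified model of legacy BSD-syslog header splitting; NOT syslog-ng's parser.
HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$")
TAG = re.compile(r"^(?P<program>[^\[:]*)(?:\[(?P<pid>[^\]]*)\])?:? ?(?P<msg>.*)$")


def parse(line, sender, bad_hostname=None):
    """Split a received line into host, program, pid and message.

    sender       -- address the datagram came from (fallback host)
    bad_hostname -- extended regex; a first word matching it is not a host
                    (unanchored search is an assumption of this model)
    """
    m = HEADER.match(line)
    if not m:
        return {"host": sender, "program": None, "pid": None, "msg": line}
    rest = m.group("rest")
    first, _, remainder = rest.partition(" ")
    # A first word that already ends the tag ("prog[1]:" or "prog:") is no host.
    looks_like_tag = first.endswith(":") or "[" in first
    rejected = bad_hostname is not None and re.search(bad_hostname, first)
    if looks_like_tag or rejected or not remainder:
        host, tagged = sender, rest        # keep the whole tag, host = sender
    else:
        host, tagged = first, remainder    # default: first word is the host
    t = TAG.match(tagged)
    return {"host": host, "program": t.group("program"),
            "pid": t.group("pid"), "msg": t.group("msg")}


# Constructed samples; the first uses the message format quoted in the reply.
SAMPLES = [
    ("Apr 28 15:13:54 snmp ctld[12345]: message", "192.0.2.10"),
    ("Apr 28 15:13:55 gw1 sshd[77]: session opened", "192.0.2.20"),
]

if __name__ == "__main__":
    for pattern in (None, "snmp|iis|foo|bar"):
        print("bad_hostname =", pattern)
        for line, sender in SAMPLES:
            print("  ", parse(line, sender, pattern))
```

With the pattern set, a message from a machine that really is named snmp would be attributed to the sender address and have "snmp" folded into the program field, which is the limitation noted in the reply.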
participants (2)
- Balazs Scheidler
- Unger, Christian