Syslog-ng options bad_hostname & check_hostname
Hi,
Anybody used the syslog-ng options bad_hostname & check_hostname?
How does that work?
I have syslog-ng listening on UDP, and found that there are some gibberish logs in the folder. Was thinking if using the above two options would help reduce the gibberish.
Yours Sincerely, Delon
If those options match in the hostname field, syslog-ng will assume it didn't get a hostname, and shift that value to the start of the message field, so they will be parsed into PROGRAM.
Alternatively, you can use the no-parse flag, fix the value and apply a syslog-parser() later.
On Mon, May 6, 2019, 03:21 Delon Lee Di Lun <lee.delon2005@gmail.com> wrote:
> Hi,
> Anybody used the syslog-ng options bad_hostname & check_hostname?
> How does that work?
> I have syslog-ng listening on UDP, and found that there are some gibberish logs in the folder. Was thinking if using the above two options would help reduce the gibberish.
> Yours Sincerely, Delon
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Hi, are you referring to bad_hostname or check_hostname?
On Mon, 6 May 2019 at 15:45, Scheidler, Balázs <balazs.scheidler@oneidentity.com> wrote:
> If those options match in the hostname field, syslog-ng will assume it didn't get a hostname, and shift that value to the start of the message field, so they will be parsed into PROGRAM.
> Alternatively, you can use the no-parse flag, fix the value and apply a syslog-parser() later.
Hi,
I was wondering what would happen when the log received hostname matches the bad-hostname and check-hostname options. It's not written in the documentation clearly.
My use case was, I have syslog running on my server that is receiving logs from multiple servers. I have all of them into a central folder. A pseudo config I am using would be:

    source s_udp { network(ip("1.1.1.1") transport("udp") port(514)); };
    destination d_servers { file("/mnt/logs/$HOST/$YEAR-$MONTH-$DAY.log"); };
    log { source(s_udp); destination(d_servers); };

However, with this config I received weird stuff in the /mnt/logs folder.
[image: image.png]
I was thinking if using both check-hostname and bad-hostname would help reduce such stuff.
Yours Sincerely, Delon
On Mon, 6 May 2019 at 16:25, Delon Lee Di Lun <lee.delon2005@gmail.com> wrote:
> Hi, are you referring to bad_hostname or check_hostname?
On Mon, May 6, 2019, 10:25 Delon Lee Di Lun <lee.delon2005@gmail.com> wrote:
> Hi, are you referring to bad_hostname or check_hostname?
Both. They result in the same action, they just decide differently whether the hostname is considered bad. check-hostname uses a hardcoded set of characters, bad-hostname uses a regular expression.
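The two approaches discussed in this thread, written against the pseudo config posted above, as an added example (not from the posters or the syslog-ng project). The @version value, the bad-hostname() pattern, port 5514 and the rewrite rule are placeholder assumptions to adapt.

```conf
# Added example; every value marked "placeholder" is an assumption.
@version: 3.20    # placeholder: match your installed syslog-ng version

options {
    # Treat a HOST field containing characters outside syslog-ng's
    # hardcoded allowed set as "no hostname received".
    check-hostname(yes);
    # Treat a HOST field matching this regular expression the same way.
    # Placeholder pattern: list the bogus names that show up in your logs.
    bad-hostname("^(placeholder-bad-name-1|placeholder-bad-name-2)$");
};

# Option 1: let the syslog parser run with the two checks above.
source s_udp { network(ip("1.1.1.1") transport("udp") port(514)); };

destination d_servers {
    file("/mnt/logs/$HOST/$YEAR-$MONTH-$DAY.log");
};

log { source(s_udp); destination(d_servers); };

# Option 2: skip parsing on input, repair the raw line, then parse it.
# Port 5514 is a placeholder so both variants fit in one file.
source s_udp_raw {
    network(ip("1.1.1.1") transport("udp") port(5514) flags(no-parse));
};

# Placeholder fix: drop non-printable bytes from the raw line.
rewrite r_fix_raw {
    subst("[^[:print:]]", "", value("MESSAGE"), flags("global"));
};

parser p_syslog { syslog-parser(); };

log {
    source(s_udp_raw);
    rewrite(r_fix_raw);
    parser(p_syslog);
    destination(d_servers);
};
```

Check the file with `syslog-ng --syntax-only -f <file>` before reloading the daemon.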
participants (2)
- Delon Lee Di Lun
- Scheidler, Balázs