It seems like there are a LOT of these. Isn't it possible to make some options to handle them? I was thinking of options, but... what about this?

Check the hostname of the message against the hostname using DNS and see if they match. If not, shift the message over and put the hostname in - and perhaps label it to show that it was inserted....

So a message from 192.168.3.3 (hostname folly) that contained no hostname but said: "last message repeated 5 times" would then become:

    Jun-XX XX:XX:XX folly* last message repeated 5 times

...and the log might look like this:

    Jun-XX XX:XX:XX folly su: access denied
    Jun-XX XX:XX:XX folly* last message repeated 5 times
    Jun-XX XX:XX:XX folly --mark--

Well?

Only problem I could see is if the hostname in the syslog entry doesn't match the name of the host as a normal event; I don't see this happening.

This does, however, generate more DNS traffic, unless you cache the entries - maybe within syslog-ng.
On Tue, Jun 19, 2001 at 02:56:33PM -0500, David Douthitt wrote:
> Jun-XX XX:XX:XX folly* last message repeated 5 times
>
> ...and the log might look like this:
>
> Jun-XX XX:XX:XX folly su: access denied
> Jun-XX XX:XX:XX folly* last message repeated 5 times
> Jun-XX XX:XX:XX folly --mark--
>
> Well?
I like it. I can't recall if this is in syslog-ng already, but something I have always wanted was for syslog-ng not to believe the remote host when it says my hostname is x, and to replace x with the IP address in the packet (not useful for forwarded logs, but that's why it's an option).

The problem I can see with this is there isn't really a way to tell, in "last message repeated 5 times", that the word "last" is not a hostname (I'm not that intimate with the protocol so I could be wrong). One could simply prepend a hostname to the line (with a delimiter), and this would sidestep the issue. The downside is you may get messages like:

    "folly*folly last message repeated 5 times"

While typing I recall that 1.5.x has some sort of template functionality; if there is a "remote host IP" macro then you may be able to do this now.
> Only problem I could see is if the hostname in the syslog entry doesn't match the name of the host as a normal event; I don't see this happening.
I can see this happening semi-frequently in the environment; I set up boxes with one name, but not the name the rest of the world uses. This is more a product of my laziness than anything else. But I prefer to log IP addresses anyway, so the point is moot (for me at least :).
> This does, however, generate more DNS traffic, unless you cache the entries - maybe within syslog-ng.
Or in the hosts file. Yes, I know you lose flexibility, but you do gain speed, and reliability.

----------------------------------------------------------------------------
Bradley Arlt                 Email: arlt@cpsc.ucalgary.ca
                             WWW:   www.acs.ucalgary.ca/~bdarlt
-Eat well, sleep peacefully, drink lots, and ride like hell.
Brad Arlt wrote:
> On Tue, Jun 19, 2001 at 02:56:33PM -0500, David Douthitt wrote:
> > Jun-XX XX:XX:XX folly* last message repeated 5 times
> >
> > ...and the log might look like this:
> >
> > Jun-XX XX:XX:XX folly su: access denied
> > Jun-XX XX:XX:XX folly* last message repeated 5 times
> > Jun-XX XX:XX:XX folly --mark--
> >
> > Well?
> The problem I can see with this is there isn't really a way to tell, in "last message repeated 5 times", that the word "last" is not a hostname (I'm not that intimate with the protocol so I could be wrong).
Sure there is - that's my idea. With this change, syslog-ng would see "last", and would look up last.mydomain.local (or whatever) and find out that one of the following is true:

1) last.mydomain.local doesn't exist;
2) last.mydomain.local has a different IP address from the other end of the syslog connection;
3) last.mydomain.local does exist and does use that IP address.

In your example, #1 or #2 would be true; thus the line would be prepended with the correct hostname and a flag '*' ...
> One could simply prepend a hostname to the line (with a delimiter), and this would sidestep the issue. The downside is you may get messages like:
>
>     "folly*folly last message repeated 5 times"
And you would get LOTS of them....
> While typing I recall that 1.5.x has some sort of template functionality; if there is a "remote host IP" macro then you may be able to do this now.
Hmmmm.... interesting.
> I can see this happening semi-frequently in the environment; I set up boxes with one name, but not the name the rest of the world uses. This is more a product of my laziness than anything else. But I prefer to log IP addresses anyway, so the point is moot (for me at least :).
That would almost work, except in my environment I use the hostname to split up the different syslogs - so some would be in myhost.mydomain.local, and some would be in 192.168.9.33 ....right?
> Or in the hosts file. Yes, I know you lose flexibility, but you do gain speed, and reliability.
You gain speed, but NOT reliability. If you change your host's IP address, all the hosts files will be incorrect. That's not reliability. Of course, the file will still be there when the DNS server goes down - but that doesn't happen, right?
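The check David sketches above, worked through as an added example that is not part of the original thread or of syslog-ng: the token in the hostname position is forward-resolved, the three outcomes he lists are told apart, and in cases 1 and 2 the sender's real name (from the packet's source address, which is also Brad's "don't believe the remote host" point) is shifted in with a '*' flag. The DNS table, the mydomain.local suffix, the IPs and the log lines are constructed stand-ins for real forward and reverse lookups.

```python
import re

# Constructed forward-DNS table (hostname -> IP) standing in for real lookups;
# a production version would call socket.gethostbyname and cache the answers,
# which also addresses the extra DNS traffic David mentions.
FAKE_DNS = {
    "folly.mydomain.local": "192.168.3.3",
    "relay.mydomain.local": "192.168.9.33",
}
DOMAIN = "mydomain.local"  # assumed local domain appended to short names

# BSD syslog header as it reaches the collector: "Jun 19 14:56:33 <rest>"
HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$")


def resolve(name):
    """Forward-resolve NAME against the constructed table; None if it does not exist."""
    fqdn = name if "." in name else f"{name}.{DOMAIN}"
    return FAKE_DNS.get(fqdn)


def sender_name(source_ip):
    """Short hostname for the packet's source IP, or the bare IP when unknown."""
    for fqdn, addr in FAKE_DNS.items():
        if addr == source_ip:
            return fqdn.split(".")[0]
    return source_ip


def classify(token, source_ip):
    """David's three outcomes for the token sitting in the hostname position."""
    resolved = resolve(token)
    if resolved is None:
        return 1          # 1) no such host
    if resolved != source_ip:
        return 2          # 2) exists, but belongs to a different IP
    return 3              # 3) exists and matches the sending IP


def fix_hostname(line, source_ip):
    """Trust the packet's source address, not the hostname the line claims."""
    m = HEADER.match(line)
    if not m:
        return line       # not a BSD-style line; leave it alone
    ts, rest = m.group("ts"), m.group("rest")
    token = rest.split(" ", 1)[0]
    if classify(token, source_ip) == 3:
        return line       # hostname checks out; nothing to do
    # cases 1 and 2: shift the message right, insert the real sender, flag it
    return f"{ts} {sender_name(source_ip)}* {rest}"
```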
On Tue, Jun 19, 2001 at 02:56:33PM -0500, David Douthitt wrote:
> It seems like there are a LOT of these. Isn't it possible to make some options to handle them? I was thinking of options, but... what about this?
you might try to use the chain_hostnames() option.

--
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
Balazs Scheidler wrote:
> On Tue, Jun 19, 2001 at 02:56:33PM -0500, David Douthitt wrote:
> > It seems like there are a LOT of these. Isn't it possible to make some options to handle them? I was thinking of options, but... what about this?
>
> you might try to use the chain_hostnames() option.
I was under the impression that with these log entries:

    Jun-XX XX:XX:XX folly su: attempted login
    Jun-XX XX:XX:XX folly pppd: login successful
    Jun-XX XX:XX:XX folly ---mark---
    Jun-XX XX:XX:XX last message repeated 5 times

...the resulting logs with chain_hostnames would be:

    Jun-XX XX:XX:XX folly folly su: attempted login
    Jun-XX XX:XX:XX folly folly pppd: login successful
    Jun-XX XX:XX:XX folly folly ---mark---
    Jun-XX XX:XX:XX folly last message repeated 5 times

I had a situation where I had to turn chain_hostnames off for this very reason. But that was a syslog-ng installation on a firewall that was relaying syslog entries, so I don't know if this is relevant to your suggestion or not...
Participants (3): Balazs Scheidler, Brad Arlt, David Douthitt