Logging to dirs with $HOST gives me strange results
Hi syslog-ng users,

I'm running a central syslog-ng 2.0.6 server with a rather simple ruleset, just to collect copies of the syslogs from a bunch of machines. They are running Solaris 9 and 10, with the onboard syslog, forwarding with syslog.conf "*.alert @logso01".

Syslog-NG's logging targets are set up like that:

    source net { udp(); };
    destination messages { file("/logs/$HOST/messages"); };
    log { source(net); filter(f_high); destination(messages); };

Options are set to use the /etc/hosts file, and all hosts are listed there. In theory, this should give me one directory for each host that's forwarding its log messages.

However, in practice, I get quite a lot of useless directories as well, that don't match any real host.

    root@logso01:/logs>ls
    \"/  \011Corrupt/  \011PLOGI/  \011SONY_AIT/  \011got/  \011offline/
    \011/  \011Error/  \011SCSI/  \011failed/  \011i/  \011transport/
    (C)  SC  admso01-qfs  archso03-mgm  nrgdev  nrgstg
    jumpso01-qfs  testso01  nrgso01  US  archso01-mgm  archsrv-qfs
    nrgprod1-qfs  epldev  logso01  testso02-qfs  All  Use
    archso01-xfcu  by  nrgprod2-qfs  for  prodso01-mgm  IBM
    Use,  archso02-mgm  cutapsrv  nrgprod3-qfs  gconfd  stgaoma
    Licensed  Version  archso02-xfcu  delso01-sn  nrgso01-qfs  ddpso01-qfs
    svnso01-mgm

It looks like under some condition, syslog-ng doesn't use the source hostname for the $HOST config directive, but the first word of the log message. Is this a (known?) bug, or is there any way to circumvent that behaviour? Please advise.

Yours
Markus
The format of the log message is not very definite with BSD syslog, therefore syslog-ng uses some heuristics. If the sending IP address is always accurate, you can ask syslog-ng to use that instead by using keep_hostname(no).

On Mon, 2008-04-14 at 11:51 +0200, Markus Strangl wrote:
> Hi syslog-ng users,
>
> I'm running a central syslog-ng 2.0.6 server with a rather simple ruleset, just to collect copies of the syslogs from a bunch of machines. They are running Solaris 9 and 10, with the onboard syslog, forwarding with syslog.conf "*.alert @logso01".
>
> Syslog-NG's logging targets are set up like that:
>
>     source net { udp(); };
>     destination messages { file("/logs/$HOST/messages"); };
>     log { source(net); filter(f_high); destination(messages); };
>
> Options are set to use the /etc/hosts file, and all hosts are listed there. In theory, this should give me one directory for each host that's forwarding its log messages.
>
> However, in practice, I get quite a lot of useless directories as well, that don't match any real host.
>
>     root@logso01:/logs>ls
>     \"/  \011Corrupt/  \011PLOGI/  \011SONY_AIT/  \011got/  \011offline/
>     \011/  \011Error/  \011SCSI/  \011failed/  \011i/  \011transport/
>     (C)  SC  admso01-qfs  archso03-mgm  nrgdev  nrgstg
>     jumpso01-qfs  testso01  nrgso01  US  archso01-mgm  archsrv-qfs
>     nrgprod1-qfs  epldev  logso01  testso02-qfs  All  Use
>     archso01-xfcu  by  nrgprod2-qfs  for  prodso01-mgm  IBM
>     Use,  archso02-mgm  cutapsrv  nrgprod3-qfs  gconfd  stgaoma
>     Licensed  Version  archso02-xfcu  delso01-sn  nrgso01-qfs  ddpso01-qfs
>     svnso01-mgm
>
> It looks like under some condition, syslog-ng doesn't use the source hostname for the $HOST config directive, but the first word of the log message. Is this a (known?) bug, or is there any way to circumvent that behaviour? Please advise.
>
> Yours
> Markus
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
-- Bazsi
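To illustrate the behaviour Markus describes and the effect of the keep_hostname(no) suggestion in Bazsi's reply, here is an added Python model. It is not syslog-ng's code: the header-parsing rules are a simplified model of a BSD-syslog heuristic and not the exact algorithm syslog-ng 2.0 uses, and the hosts table, the sample datagrams and the safe_log_path check are constructed assumptions for the illustration. It goes one step beyond the thread with safe_log_path, which refuses to turn anything that does not look like a hostname into a path component.

```python
"""Model of how a central syslog server picks the $HOST that ends up in a
file("/logs/$HOST/messages") destination, and why text from inside a
datagram can turn into a directory name.

Added example for this thread; it is not syslog-ng source code, and the
parsing rules below are a simplified model of a BSD-syslog header
heuristic (an assumption), not the exact algorithm syslog-ng 2.0 uses.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the server's /etc/hosts (assumption).
HOSTS_FILE: Dict[str, str] = {
    "10.0.0.11": "nrgso01",
    "10.0.0.12": "archso01-mgm",
}

# RFC 3164 style header: optional <PRI>, "Mmm dd hh:mm:ss", hostname, rest.
_PRI = re.compile(r"^<(\d{1,3})>")
_TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")


@dataclass
class ParsedMessage:
    pri: Optional[int]
    header_host: Optional[str]   # hostname claimed inside the datagram
    text: str


def parse_bsd_syslog(datagram: str) -> ParsedMessage:
    """Simplified heuristic: strip <PRI>, skip a timestamp if one is there,
    then take the next space-delimited word as the hostname.  A datagram
    with no header (a tab-indented continuation line, a banner line) has
    its first word taken as the host, which is how bogus directories such
    as "<tab>Corrupt" or "Licensed" appear."""
    body = datagram
    pri = None
    m = _PRI.match(body)
    if m:
        pri = int(m.group(1))
        body = body[m.end():]
    m = _TIMESTAMP.match(body)
    if m:
        body = body[m.end():]
    host, sep, rest = body.partition(" ")
    if not sep:                       # a single word: no separate host field
        return ParsedMessage(pri, None, body)
    return ParsedMessage(pri, host, rest)


def choose_host(datagram: str, peer_ip: str, keep_hostname: bool) -> str:
    """$HOST selection.  keep_hostname=True trusts the name parsed from the
    message when there is one; keep_hostname=False always derives the name
    from the sender's address via the hosts table (falling back to the bare
    address), so message content cannot influence the directory name."""
    parsed = parse_bsd_syslog(datagram)
    if keep_hostname and parsed.header_host is not None:
        return parsed.header_host
    return HOSTS_FILE.get(peer_ip, peer_ip)


# Extra defensive check, beyond what the thread discusses: only a plausible
# hostname or dotted address may become a path component.
_SAFE_HOST = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,254}")


def safe_log_path(host: str, base: str = "/logs") -> str:
    """Refuse whitespace, quotes, slashes or dot-dot in the host rather than
    creating a directory from them."""
    if not _SAFE_HOST.fullmatch(host) or ".." in host:
        raise ValueError(f"refusing to build a path from hostname {host!r}")
    return f"{base}/{host}/messages"


# Constructed sample datagrams, roughly as a Solaris syslogd might send them.
WELL_FORMED = "<9>Apr 14 11:51:02 nrgso01 scsi: WARNING: transport failed"
CONTINUATION = "<9>\tCorrupt block on device, reason: I/O error"
BANNER = "<9>Licensed Materials - Property of IBM"


def demo() -> Dict[str, tuple]:
    """Return (keep_hostname yes, keep_hostname no) for each sample, all
    received from 10.0.0.11."""
    out = {}
    for name, dgram in (("well_formed", WELL_FORMED),
                        ("continuation", CONTINUATION),
                        ("banner", BANNER)):
        out[name] = (choose_host(dgram, "10.0.0.11", keep_hostname=True),
                     choose_host(dgram, "10.0.0.11", keep_hostname=False))
    return out


if __name__ == "__main__":
    for name, hosts in demo().items():
        print(f"{name:13s} keep_hostname(yes) -> {hosts[0]!r:12} "
              f"keep_hostname(no) -> {hosts[1]!r}")
```

Running it shows the three samples side by side: with the in-message name trusted, the continuation line and the banner line produce the hosts "\tCorrupt" and "Licensed", while with keep_hostname(no) all three land under the directory of the sending address. That is the point of the reply: the directory name then depends only on the peer address and the hosts lookup, not on the content of the datagram, and the reply's caveat applies in full, since the result is only as good as the accuracy of the sending address.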
participants (2)
- Balazs Scheidler
- Markus Strangl