RE: [syslog-ng] FQDN's in syslog-ng
Russell and Steven,

There are problems with trying to use macros, as you have found. There is a good bit of detail on this page (part of the FAQ, I believe): http://www.campin.net/syslog-ng/syslog.html. The problem I had was that I started to get strange directory names, like "cd .." and "::". All sorts of garbage. The reason? The Sun syslog service produces non-RFC-compliant network packets. The packet is supposed to have the hostname twice, and then the ID field. Syslog-ng can deal with the second host not being there, but if it is missing the square brackets, there is no way for it to figure out where the message begins.

So, you can use HOST_FROM and FULLHOST_FROM in your file output. Syslog-ng then logs everything very neatly, which is what the doc says.

That's all well and good, but what about your remote hosts that have a forwarder in between? Sun syslog won't work for this anyway (it doesn't handle the origin name correctly), so you use syslog-ng. Fine. But now you can't use the _FROM macros, since those will be wrong too. What you will need to do is have the remote syslog-ng forwarders send to the central loghost over a separate port (might as well be TCP). Last, you will need a separate, parallel set of rules that use FULLHOST instead of FULLHOST_FROM in the output path when the source is a remote syslog-ng server (which will forward correctly formatted messages).

Did I mention timestamps? ;-)

-Dave

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Russell Fulton
Sent: Thursday, August 24, 2006 4:18 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] FQDN's in syslog-ng

There are several different options for dealing with host names and I have not managed to sort them all out yet. The single-line explanations in the manual are not enough to work out the details.
Be aware that the hostname can be set on either the central log server or on the system generating the logs. The default seems to be that the central server will keep the host name that is in the packet; if there is no hostname in the packet, it will do a reverse lookup to determine it. We want to override this but have not spent a lot of time fiddling with the options to see what works. What you want to do is possible; it is just a matter of figuring out which options you need on the client and server.

What is bothering us at the moment is that the SUN monitoring crap called SRS manages to generate some syslog records with SRS in the hostname field, so on the central server these all turn up in the same file. I really must sort this out today, sigh...

I'd be happy to hear from someone who has already sussed out how these options work!

Russell

Steven Hajducko wrote:
Hi everyone,
We've currently got a syslog setup that centralizes our logs from many of our different tiers into one location, using each system's prebuilt syslog. It works at the moment, but we've got some issues.
Our main one is that we name our hosts the same in different environments, mainly because these environments are for moving code and configs from 1 step to the next, so to make it easier on people so they don't have to change configurations each time the code moves, hosts share similar names.
The problem is that when all the logs come back to the central syslog server, they can't be separated by host because of the similarities. So 'web5' in our QA is the same as 'web5' in production.
Because of that, we were looking at syslog-ng and while I found a couple references to using FQDN, I've been unable to tell whether or not this is possible.
Our machines DO have different FQDNs. For example, web5.qa.location.domain.com vs. web5.prod.location.domain.com. If we run our main central server on syslog-ng and replace all the syslog daemons on each system with it, can we force the FQDN to be given rather than just the base hostname, and have the central log server sort the logs into different directories based on the FQDN?
Thanks!
-- sh
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
Participants: Stenglein, David
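What Dave's reply describes, written out as a syslog-ng configuration. This is an added example, not a configuration posted in the thread: one loghost that keys directories off $FULLHOST_FROM (reverse DNS of the sending address) for hosts still running the native syslogd, and off $FULLHOST (the hostname carried in the message) for hosts that forward through syslog-ng, each set of forwarders on its own source and port so the two rule sets never mix. The directory /var/log/hosts, the TCP port 5140 for forwarders, and the loghost name loghost.prod.location.domain.com are assumptions chosen for the example; the option and macro names are syslog-ng's own.

```conf
# ---------------------------------------------------------------
# Central loghost (example, not from the original thread)
# ---------------------------------------------------------------
options {
    use_fqdn(yes);        # write web5.qa.location.domain.com, not web5
    use_dns(yes);         # needed so $FULLHOST_FROM resolves sender IPs
    dns_cache(yes);
    keep_hostname(yes);   # trust the hostname a syslog-ng forwarder put in the message
    chain_hostnames(no);  # do not append relay names to the host field
    create_dirs(yes);
};

# Native syslogd hosts (e.g. Sun syslog) send to the standard UDP port.
# Their packets may be unparseable, so only the sender address is trusted.
source s_native {
    udp(ip(0.0.0.0) port(514));
};

# syslog-ng forwarders send over a separate TCP port (5140 is an assumption).
# Their messages are well formed, so the hostname in the message is used.
source s_forwarders {
    tcp(ip(0.0.0.0) port(5140) max_connections(50));
};

# Directory from reverse DNS of the sending address: correct only for
# hosts that talk to the loghost directly, wrong behind a relay.
destination d_by_sender {
    file("/var/log/hosts/$FULLHOST_FROM/$YEAR$MONTH$DAY.log" create_dirs(yes));
};

# Directory from the hostname inside the message: correct for messages
# that passed through a syslog-ng forwarder with use_fqdn(yes).
destination d_by_origin {
    file("/var/log/hosts/$FULLHOST/$YEAR$MONTH$DAY.log" create_dirs(yes));
};

# Two parallel rule sets, one per source, so the _FROM macros are
# only ever applied to traffic that arrived directly.
log { source(s_native);     destination(d_by_sender); };
log { source(s_forwarders); destination(d_by_origin); };

# ---------------------------------------------------------------
# syslog-ng on a client/forwarder such as web5.qa.location.domain.com
# (example; replaces the native syslogd on that host)
# ---------------------------------------------------------------
# options {
#     use_fqdn(yes);       # stamp locally generated messages with the FQDN
#     keep_hostname(no);   # rewrite whatever a local sender put in the host field
#     chain_hostnames(no);
# };
# source s_local { unix-stream("/dev/log"); internal(); };
# destination d_loghost {
#     tcp("loghost.prod.location.domain.com" port(5140));  # assumed name and port
# };
# log { source(s_local); destination(d_loghost); };
```

Two checks before relying on this: the loghost must have PTR records that resolve each sending address to the full QA or production name, or $FULLHOST_FROM degrades to the bare IP; and the $YEAR$MONTH$DAY macros above are taken from the timestamp in the message, so a client with a wrong clock lands in the wrong day's file, which is the timestamp problem Dave alludes to (the R_-prefixed variants, e.g. $R_YEAR, use the time the loghost received the message instead).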