Is there any way to make syslog-ng understand that messages it receives from my external hosts will _never_ have a HOSTNAME portion in its HEADER, as according to the terms used in RFC3164?

I.e. my syslog-packets, regardless of the type of equipment generating them, always contain just a PRI, a TIMESTAMP and then the MSG. No HOSTNAME and no TAG.

syslog-ng seems to always want to parse the first word of the received MSG as a hostname (although it is always in the format %SOMESYSLOGMESSAGE with a leading %, for all the hardware platforms I am trying to log), so keep_hostnames(yes) will sort based on this as the hostname, while keep_hostnames(no) will correctly sort, but replace the actual message I want to keep with a hostname.

Now, I _know_ my packets will never have a HOSTNAME portion, so I always want syslog-ng to add that, but I do NOT want it to fiddle around with what it wrongly perceives to be a HOSTNAME in the received message. I.e. I want the hostname _added_, not rewritten.

Is there any way I get syslog-ng to understand this? My normal FreeBSD-syslogd handles this problem beautifully by default, but it's a pain to have to run cron-jobs periodically to sort the logs into per-host logfiles. Surely it's just me who is being stupid here, this must be possible with syslog-ng?

/leg

On Fri, Mar 07, 2003 at 07:57:41PM +0100, Lars Erik Gullerud wrote:
> Is there any way to make syslog-ng understand that messages it receives from my external hosts will _never_ have a HOSTNAME portion in its HEADER, as according to the terms used in RFC3164?
>
> I.e. my syslog-packets, regardless of the type of equipment generating them, always contain just a PRI, a TIMESTAMP and then the MSG. No HOSTNAME and no TAG.
>
> syslog-ng seems to always want to parse the first word of the received MSG as a hostname (although it is always in the format %SOMESYSLOGMESSAGE with a leading %, for all the hardware platforms I am trying to log), so keep_hostnames(yes) will sort based on this as the hostname, while keep_hostnames(no) will correctly sort, but replace the actual message I want to keep with a hostname.
>
> Now, I _know_ my packets will never have a HOSTNAME portion, so I always want syslog-ng to add that, but I do NOT want it to fiddle around with what it wrongly perceives to be a HOSTNAME in the received message. I.e. I want the hostname _added_, not rewritten.
>
> Is there any way I get syslog-ng to understand this? My normal FreeBSD-syslogd handles this problem beautifully by default, but it's a pain to have to run cron-jobs periodically to sort the logs into per-host logfiles. Surely it's just me who is being stupid here, this must be possible with syslog-ng?

You have two options:

1) enable check_hostname(); it validates whether the hostname contains only valid characters

    options { check_hostname(yes); };

2) use bad_hostname() and use a regexp that always matches.

    options { bad_hostname(".*"); };

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

On Sat, 2003-03-08 at 12:59, Balazs Scheidler wrote:
> you have two options:
>
> 1) enable check_hostname() it validates the hostname whether contains valid characters only
>
> options { check_hostname(yes); };

Thank you, this was exactly what I needed - I did not even know about this option, as I was using syslog-ng from the FreeBSD ports collection, which was still at 1.4.7, where it appears this option is not supported. The FreeBSD port was updated to 1.6.0rc1 on Friday, and after upgrading syslog-ng and trying this, it is now working beautifully.

/leg
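
Added example, not part of the thread and not syslog-ng's own code: a simplified Python model of the header parsing discussed above, showing how the first word of a host-less message is consumed as HOSTNAME and how the two suggested options change the host attribution. The function name `parse`, the character set treated as valid, the sender address and the sample packets are assumptions constructed for illustration.

```python
import re

# Simplified model of RFC 3164 parsing: <PRI>TIMESTAMP [HOSTNAME] MSG.
HEADER = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (.*)$", re.S)
# Assumption: valid hostname characters are letters, digits, '.', '-', '_';
# the real check in syslog-ng may differ.
VALID_HOST = re.compile(r"^[A-Za-z0-9._-]+$")


def parse(packet, sender, keep_hostname=True,
          check_hostname=False, bad_hostname=None):
    """Return (host, msg) for one datagram received from address `sender`."""
    m = HEADER.match(packet)
    if m is None:
        # No recognisable header: attribute to the sender, keep payload whole.
        return sender, packet
    rest = m.group(3)
    first, _, remainder = rest.partition(" ")
    if check_hostname and not VALID_HOST.match(first):
        # First word cannot be a hostname, so it stays part of the message.
        return sender, rest
    if bad_hostname is not None and re.search(bad_hostname, first):
        # First word matches the "never a hostname" pattern: same outcome.
        return sender, rest
    # Otherwise the first word is consumed as HOSTNAME, sent or not.
    return (first if keep_hostname else sender), remainder


# Constructed sample datagrams (PRI and TIMESTAMP only, no HOSTNAME, no TAG).
SENDER = "192.0.2.10"
PKT = "<189>Mar  7 19:57:41 %LINK-3-UPDOWN: Interface Serial0, changed state to down"
PKT2 = "<189>Mar  7 19:58:02 Configured from console by vty0"

if __name__ == "__main__":
    for label, kwargs in [("defaults", {}),
                          ("keep_hostname=False", {"keep_hostname": False}),
                          ("check_hostname=True", {"check_hostname": True}),
                          ("bad_hostname='.*'", {"bad_hostname": ".*"})]:
        for pkt in (PKT, PKT2):
            print(label, "->", parse(pkt, SENDER, **kwargs))
```

In this model a character check only helps when the first word contains a character such as `%`; a message starting with an ordinary word is still misread as a hostname unless the always-matching pattern is used.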