One of the messages I'm getting (I'm sorting messages by hostname) is the "above message repeats n times" message, but syslog-ng is logging this under the host "above". Shouldn't syslog-ng decide what the hostname is by the ip address it is connected from? e.g.: host A connects, syslog-ng looks up the host by its connecting ip address and uses that name resolution as the $HOST variable? (Note, in this case all hosts are in a local hosts file)

So, why would it ever write to the file "above"?

Is this a bug, or am I missing something?

As per my previous messages, here's a quick rundown of the config: (used with 1.6.7)

    options {
        # Don't trust the sender to supply a hostname.
        keep_hostname(no);
        # Don't track relayed messages.
        chain_hostnames(no);
        # Make sure the hostnames have valid characters.
        check_hostname(yes);
        # Since we're only tracking local hosts, don't worry about the fqdn.
        use_fqdn(no);
        # As soon as we get the log entry, write it to disk.
        sync(0);
        # Set the fifo size to 1024 lines.
        log_fifo_size(1024);
        # Increase the log_msg_size to 8192 bytes.
        log_msg_size(8192);
        # If we need a directory and it doesn't exist, create it and use
        # the permissions shown below.
        create_dirs(yes);
        perm(0644);
        dir_perm(0755);
        # Use an internal dns cache, but don't use any dns lookups.
        dns_cache(yes);
        use_dns(no);
    };

    source localsyslog {unix-stream("/dev/log");};
    source kernellog {file("/proc/kmsg");};
    source intsyslog {internal();};
    source extsyslog {udp();};

    destination syslog-ng {file("/logs/syslog-ng");};
    destination messages {file("/var/log/messages");};
    destination kernmessages {file("/var/log/kernel");};
    destination hosts {
        file("/logs/hosts/$YEAR-$MONTH/$HOST"
            template("$DATE $HOST $MESSAGE\n")
            template_escape(yes)
        );
    } ;
    destination services {
        file("/logs/services/$YEAR-$MONTH/$PROGRAM"
            template("$DATE $HOST $MESSAGE\n")
            template_escape(yes)
        );
    };

    filter levelfilter { level(info..emerg); };

    log { source(intsyslog); destination(syslog-ng); };
    log { source(localsyslog); filter(levelfilter); destination(messages);};
    log { source(kernellog); destination(kernmessages);};
    log { source(extsyslog); source(localsyslog); destination(hosts); };
    log { source(extsyslog); source(localsyslog); destination(services); };

On Tue, 2005-05-10 at 10:12 -0600, Andrew Morris wrote:
> One of the messages I'm getting (I'm sorting messages by hostname) is the "above message repeats n times" message, but syslog-ng is logging this under the host "above". Shouldn't syslog-ng decide what the hostname is by the ip address it is connected from? e.g.: host A connects, syslog-ng looks up the host by its connecting ip address and uses that name resolution as the $HOST variable? (Note, in this case all hosts are in a local hosts file)
>
> So, why would it ever write to the file "above"?

there is a separate macro for that, $HOST is the value as received in the original log message. always using the sender IP's resolved value would not be good for others using log relays.

So try using $HOST_FROM or $FULLHOST_FROM

--
Bazsi

Balazs Scheidler wrote:
> On Tue, 2005-05-10 at 10:12 -0600, Andrew Morris wrote:
>> One of the messages I'm getting (I'm sorting messages by hostname) is the "above message repeats n times" message, but syslog-ng is logging this under the host "above". Shouldn't syslog-ng decide what the hostname is by the ip address it is connected from? e.g.: host A connects, syslog-ng looks up the host by its connecting ip address and uses that name resolution as the $HOST variable? (Note, in this case all hosts are in a local hosts file)
>>
>> So, why would it ever write to the file "above"?
>
> there is a separate macro for that, $HOST is the value as received in the original log message. always using the sender IP's resolved value would not be good for others using log relays.
>
> So try using $HOST_FROM or $FULLHOST_FROM

Thanks! That's exactly what I've been looking for. You might want to add those to the 1.6 documentation...
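
The difference between the two macros discussed in this thread, as an added example that is not part of the original messages and not syslog-ng code: a simplified Python model in which one name is read from the message text and the other is derived from the sender's address. The sample datagrams, the address-to-name table and all function names are constructed, and it is an assumption that the repeat notice arrives without a hostname field.

```python
import re
from pathlib import PurePosixPath
from typing import Optional

# Simplified BSD-syslog header: <PRI>Mmm dd hh:mm:ss HOST MESSAGE
HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<rest>.*)$"
)
# Constructed stand-in for the local hosts file mentioned in the thread.
HOSTS = {"192.0.2.10": "hosta", "192.0.2.11": "hostb"}
LOG_ROOT = PurePosixPath("/logs/hosts")
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

# Constructed (sender address, datagram) pairs; the second has no hostname field.
SAMPLES = [
    ("192.0.2.10", "<13>May 10 10:12:01 hosta sshd[411]: session opened"),
    ("192.0.2.10", "<13>May 10 10:12:07 above message repeats 3 times"),
]


def host_from_message(datagram: str) -> Optional[str]:
    """Model of $HOST: the first token after the timestamp, as sent by the peer."""
    m = HEADER.match(datagram)
    if not m:
        return None
    return m.group("rest").split(" ", 1)[0] or None


def host_from_sender(sender_ip: str) -> str:
    """Model of $HOST_FROM: a name derived only from the connecting address."""
    return HOSTS.get(sender_ip, sender_ip)


def log_path(name: str) -> PurePosixPath:
    """Per-host file path; rejects names that are not plain host labels."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"unsafe host name: {name!r}")
    return LOG_ROOT / name


def compare(samples=SAMPLES):
    """Return (name taken from message, name taken from sender) per datagram."""
    return [(host_from_message(d), host_from_sender(ip)) for ip, d in samples]


if __name__ == "__main__":
    for from_msg, from_peer in compare():
        print(f"message says {from_msg!r:8} -> file {log_path(from_peer)}")
```

Both datagrams come from the same address, so naming the file after the sender keeps them together, while the name read from the message text sends the second one to a file called "above".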