[syslog-ng] 1.3.17 and $PROGRAM

John Källström john@math.uu.se
Tue, 22 Feb 2000 11:05:47 +0100 (MET)


Hello!

I have the exact same problem. I hadn't even thought of using $PROGRAM
until I read about it in this thread. So I whacked together a very short
syslog-ng.conf for testing.

-------
options { long_hostnames(off); sync(0); };

source src { unix-stream("/dev/log"); internal(); udp(ip(0.0.0.0) port(514)); };

destination d_program { file("/var/syslog/$HOST/$PROGRAM"); };
destination d_facility  {file("/var/syslog/$HOST/$FACILITY"); };

log                     { source("src"); destination("d_facility"); };
log                     { source("src"); destination("d_program"); };
-------

$HOST expands nicely but $PROGRAM and $FACILITY do not, unless the log
message comes from the local machine. If the message is received via the
network, everything ends up in "/var/syslog/$HOST/(NULL)".

Here is an extract from one of the (NULL)-files.

Feb 22 11:02:07 anarchy automount[13284]: running expiration on path /home
Feb 22 11:02:07 anarchy automount[13284]: expired /home/fredrik
Feb 22 11:02:07 anarchy automount[13284]: expired /home/fredrik
Feb 22 11:02:07 anarchy automount[13284]: expired /home/www
Feb 22 11:06:08 anarchy PAM_pwdb[13289]: (su) session opened for user news by (uid=9)
Feb 22 11:06:08 anarchy PAM_pwdb[13289]: (su) session closed for user news
Feb 22 11:07:07 anarchy automount[13334]: running expiration on path /home
Feb 22 11:07:07 anarchy automount[13334]: expired /home/fredrik
Feb 22 11:07:07 anarchy automount[13334]: expired /home/fredrik
Feb 22 11:07:07 anarchy automount[13334]: expired /home/www
Feb 22 11:08:32 anarchy logger: testing
Feb 22 11:08:44 anarchy logger: testing again :-)
Feb 22 11:10:03 anarchy sshd[13339]: log: Connection from 130.238.149.103 port 1021
Feb 22 11:10:04 anarchy sshd[13339]: fatal: Connection closed by remote host.

/John





On Tue, 22 Feb 2000, Balazs Scheidler wrote:

> > 
> > Feb 21 15:53:56 floyd/floyd sshd[12597]: Accepted password for red from 209.144.112.109 port 1050
> > Feb 21 15:54:01 floyd/floyd su[12608]: + pts/2 red-root
> > Feb 21 16:00:07 floyd/floyd ntpdate[12633]: adjust time server 209.144.112.3 offset 0.094803 sec
> 
> I couldn't reproduce the problem. It worked great here, and created the
> files as needed.
> 
> -- 
> Bazsi
> PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
>      url: http://www.balabit.hu/pgpkey.txt
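
An added example, not part of the original thread and not syslog-ng's own parser: a quick check of which values a received datagram can supply for the $HOST, $PROGRAM and $FACILITY templates in the test configuration above. It assumes senders use the BSD syslog layout `<PRI>timestamp [host] tag[pid]: msg`; `parse`, `safe` and `expand` are hypothetical names, and the datagrams in the comments and test are constructed from the log lines in the post.

```python
import re

# Facility names from the conventional <syslog.h> table; codes 12-15 vary by
# platform, so they get a numeric placeholder here (assumption of this example).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"]
FACILITIES += [f"facility{n}" for n in range(12, 16)]
FACILITIES += [f"local{n}" for n in range(8)]

HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                        # optional <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # e.g. "Feb 22 11:02:07"
    r"(?:(?P<host>[^\s:\[\]]+) )?"                     # host (some relays omit it)
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"  # tag[pid]:
    r"(?P<msg>.*)$", re.S)

def parse(datagram, sender="unknown"):
    """Return the template fields for one datagram, or None if it has no header."""
    m = HEADER.match(datagram.rstrip("\n"))
    if not m:
        return None
    pri = int(m["pri"]) if m["pri"] is not None else 13  # default user.notice
    code = pri >> 3                                      # facility = PRI / 8
    facility = FACILITIES[code] if code < len(FACILITIES) else f"facility{code}"
    return {"host": m["host"] or sender,  # fall back to the sending address
            "program": m["program"], "facility": facility,
            "severity": pri & 7, "msg": m["msg"]}

def safe(value):
    """Reduce a sender-supplied field to a single harmless path component."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", value or "")
    return cleaned if cleaned.strip(".") else "unknown"

def expand(template, fields):
    """Expand $HOST/$PROGRAM/$FACILITY the way the test destinations use them."""
    return re.sub(r"\$(HOST|PROGRAM|FACILITY)",
                  lambda m: safe(fields[m[1].lower()]), template)

if __name__ == "__main__":
    # Constructed datagrams modelled on the log extract in the post.
    for raw in ("<30>Feb 22 11:02:07 anarchy automount[13284]: expired /home/www",
                "<13>Feb 22 11:08:32 logger: testing",
                "<13>Feb 22 11:08:44 anarchy cron/daily: a tag containing '/'"):
        f = parse(raw, sender="anarchy")
        print(expand("/var/syslog/$HOST/$PROGRAM", f),
              expand("/var/syslog/$HOST/$FACILITY", f))
```

If a captured datagram parses to the expected program and facility here, the sender is supplying the fields and the "(NULL)" expansion comes from the receiving side.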