[syslog-ng] hostnames matching problem still unsolved

Keith McDuffee keithm@etnus.com
Fri, 19 Jan 2001 09:24:28 -0500


I posted this last month but I'm still surprised nobody else has run into
this problem, so I'm giving it one more shot:

One problem I've found after installing syslog-ng 1.4.10 on a Solaris 2.6
system is with repeating messages, especially those originating from remote
hosts.  For example, here are some lines from my config file:

----
source s_udp { udp(); };

destination d_udp { file("/var/log/remote/$HOST.$FACILITY"); };

filter f_udp { level(notice) or
                    (facility(local0) and level(info)) or
                    (facility(local1) and level(info)) or
                    (facility(local2) and level(info)); };

log { source(s_udp); filter(f_udp); destination(d_udp); };
----

Using this configuration, I get files in /var/log/remote that look like
this:

hostname1.local0
hostname2.local2
hostname1.auth
last.local2

See that "last.local2"?  Well, "last" is not a host -- it's taking it from
the log message and mistakenly turning it into a hostname.  Here's a line
from "last.local2":

---
Dec 22 10:14:13 last message repeated 2 times
---

Any idea at all how to fix that besides making a filter for any hosts named
"last"?

Thanks,

Keith
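
Added example, not part of the original post and not syslog-ng's own code: a Python illustration of why a receiver that takes the first token after the timestamp as the hostname produces "last.local2", and of one way to derive the file name instead. All function names are hypothetical, the sample line and the sender address 192.0.2.10 are constructed, and it assumes the receiver knows the UDP source address of each datagram.

```python
import re

# BSD-syslog style line as received over UDP: optional <PRI>, a timestamp,
# then (normally) a hostname token followed by the message text.
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<rest>.*)$")
# Repeat-suppression notice as quoted in the post; it has no hostname field.
REPEAT_RE = re.compile(r"^last message repeated \d+ times?$")
# Conservative hostname shape, so the token is also safe inside a file name.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,62}[A-Za-z0-9])?$")
FACILITIES = {4: "auth", 16: "local0", 17: "local1", 18: "local2"}  # subset
# Constructed sample: PRI 149 = local2.notice, body as quoted in the post.
SAMPLE = "<149>Dec 22 10:14:13 last message repeated 2 times"


def naive_host(line):
    """First token after the timestamp, taken as the hostname unchecked."""
    m = LINE_RE.match(line)
    return m.group("rest").split(" ", 1)[0] if m else None


def resolve_host(line, sender):
    """Return (host, message); use the sender address when the header
    carries no usable hostname field."""
    m = LINE_RE.match(line)
    if not m:
        return sender, line
    rest = m.group("rest")
    if REPEAT_RE.match(rest):
        return sender, rest
    token, _, msg = rest.partition(" ")
    if not HOST_RE.match(token) or not msg:
        return sender, rest
    return token, msg


def log_path(line, sender, base="/var/log/remote"):
    """Build the per-host, per-facility file name from a received line."""
    m = LINE_RE.match(line)
    pri = int(m.group("pri")) if m and m.group("pri") else 13  # user.notice
    facility = FACILITIES.get(pri >> 3, "fac%d" % (pri >> 3))
    host, _ = resolve_host(line, sender)
    return "%s/%s.%s" % (base, host, facility)


if __name__ == "__main__":
    print(naive_host(SAMPLE), "->", log_path(SAMPLE, "192.0.2.10"))
```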