[syslog-ng]syslog entries without hostnames

David Douthitt ssrat@mailbag.com
Tue, 19 Jun 2001 16:12:49 -0500


Brad Arlt wrote:
> 
> On Tue, Jun 19, 2001 at 02:56:33PM -0500, David Douthitt wrote:
> > Jun-XX XX:XX:XX folly* last message repeated 5 times
> >
> > ...and the log might look like this:
> >
> > Jun-XX XX:XX:XX folly su: access denied
> > Jun-XX XX:XX:XX folly* last message repeated 5 times
> > Jun-XX XX:XX:XX folly --mark--
> >
> > Well?

> The problem I can see with this is there isn't really a way to tell
> in, "last message repeated 5 times" that the word "last" is not a
> hostname (I'm not that intimate with the protocol so I could be
> wrong).

Sure there is - that's my idea.  With this change, syslog-ng would see
"last", and would look up last.mydomain.local (or whatever) and find
out that one of the following is true:

1) last.mydomain.local doesn't exist;
2) last.mydomain.local has a different IP address from the other end
of the syslog connection;
3) last.mydomain.local does exist and does use that IP address.

In your example, #1 or #2 would be true; thus the line would then be
prepended with the correct hostname and a flag '*' ...

> One could simply prepend a hostname to the line (with a
> delimiter), and this would sidestep the issue.  The downside is you
> may get messages like: "folly*folly last message repeated 5 times"

And you would get LOTS of them....

> While typing I recall that 1.5.x has some sort of template
> functionality, if there is a "remote host IP" macro then you may be
> able to do this now.

Hmmmm.... interesting.

> I can see this happening semi frequently in the environment, I set up
> boxes with one name, but the name the rest of the world uses.  This is
> more a product of my laziness than anything else.  But I prefer to log
> IP addresses anyway, so the point is moot (for me at least :).

That would almost work, except in my environment I use the hostname to
split up the different syslogs - so some would be in
myhost.mydomain.local, and some would be in 192.168.9.33 ....right?

> Or in the hosts file.  Yes, I know you lose flexibility, but you do
> gain speed, and reliability.

You gain speed, but NOT reliability.  If you change your host's IP
address, all the hosts files will be incorrect.  That's not
reliability.

Of course, the file will still be there when the DNS server goes down
- but that doesn't happen, right?
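
Added example, not part of the original post and not syslog-ng code: a sketch of the check proposed above, where the first token after the timestamp is forward-resolved and compared with the address of the sending peer, and the line is re-tagged with the peer's name plus `*` when outcome 1 or 2 applies. The function names, the `ZONE` sample data, the timestamps and the caller-supplied `peer_name` are assumptions made for illustration.

```python
import re
import socket

DOMAIN = "mydomain.local"  # search domain from the post's example
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")
# Constructed sample zone so the example runs offline.
ZONE = {"folly.mydomain.local": {"192.168.9.33"},
        "last.mydomain.local": {"192.168.9.40"}}


def sample_lookup(name):
    """Offline stand-in for DNS, backed by ZONE."""
    return ZONE.get(name.lower(), set())


def dns_lookup(name):
    """Forward-resolve name; empty set if it does not exist."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except (socket.gaierror, UnicodeError):
        return set()


def classify(token, peer_ip, lookup=dns_lookup, domain=DOMAIN):
    """Return 1, 2 or 3, matching the three outcomes in the post."""
    if not HOST_RE.fullmatch(token):
        return 1                  # not a hostname at all, e.g. "su:"
    fqdn = token if "." in token else f"{token}.{domain}"
    addrs = lookup(fqdn)
    if not addrs:
        return 1                  # name does not exist
    if peer_ip not in addrs:
        return 2                  # name exists, different address
    return 3                      # name exists and matches the sender


def tag_line(line, peer_ip, peer_name, lookup=dns_lookup):
    """Rewrite one received line of the form '<date> <time> <rest>'."""
    parts = line.split(" ", 2)
    if len(parts) < 3:            # no host field to check
        return f"{peer_name}* {line}"
    date, clock, rest = parts
    token = rest.split(" ", 1)[0]
    if classify(token, peer_ip, lookup) == 3:
        return line               # claimed hostname verified, keep as is
    return f"{date} {clock} {peer_name}* {rest}"


if __name__ == "__main__":
    for raw in ("Jun-19 16:12:49 folly su: access denied",
                "Jun-19 16:12:49 last message repeated 5 times"):
        print(tag_line(raw, "192.168.9.33", "folly", sample_lookup))
```

A receiver doing this for real would cache lookup results, since every received line otherwise triggers a forward lookup on a token chosen by the sender.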