[syslog-ng]different message shows up on loghost than on client

Nate Campi nate@campin.net
Wed, 7 Nov 2001 17:49:00 -0800


I have syslog-ng loghosts in out datacenters that receive messages via
UDP from mostly solaris syslogd. The loghosts in the datacenters then
relay the messages over TCP/stunnel to a central loghost for
archiving/analysis/input into database.

The problem is that a message like this on a solaris 2.6 box:

  Nov  7 04:05:45 ballys ctld 5.0.6[22164]: [0] Error: unable to read
  header - Status: NoMoreData.

...will arrive (via UDP) on my linux loghost (syslog-ng 1.4.12) like this:

  Nov  7 04:05:45 ballys.hotwired.com 5.0.6[22164]: [0] Error: unable to
  read header - Status: NoMoreData.

I have no idea why it would cut out the program name (ctld) like that.
Is this a known issue? This is really messing up my log tables, and I'd 
like to keep all the data straight in the database. Here's my options 
from the linux loghost:

  options { use_fqdn(yes); long_hostnames(off); keep_hostname(no);
  use_dns(yes); sync(0); };

Plus, when did it become an option to buffer messages with sync? Is is
only the in devel branch? I'd like to set sync(5) or something to take
it easy on the disk.

TIA,
-- 
Nate Campi        http://www.campin.net        GnuPG key: 0xC17AEF79   
Key fingerprint = BF12 722F 8799 E614 33CC  FAB7 5A90 C464 C17A EF79

The only way to convince some people that HTML is about content, not
style is with a 2x4 <PLANK>.