[syslog-ng]different message shows up on loghost than on client

Balazs Scheidler bazsi@balabit.hu
Fri, 9 Nov 2001 09:45:34 +0100


On Thu, Nov 08, 2001 at 11:35:38PM -0800, Nate Campi wrote:
> On Wed, Nov 07, 2001 at 05:49:00PM -0800, Nate Campi wrote:
> > 
> > The problem is that a message like this on a solaris 2.6 box:
> > 
> >   Nov  7 04:05:45 ballys ctld 5.0.6[22164]: [0] Error: unable to read
> >   header - Status: NoMoreData.
> > 
> > ...will arrive (via UDP) on my linux loghost (syslog-ng 1.4.12) like this:
> > 
> >   Nov  7 04:05:45 ballys.hotwired.com 5.0.6[22164]: [0] Error: unable to
> >   read header - Status: NoMoreData.
> > 
> 
> Can anyone tell me why the program info is lost when solaris 2.6 sends
> my message over UDP to syslog-ng 1.4.12?

probably because of the strange format of the message. as I read the code,
anything after the hostname until '[' or ':' is taken as part of the program
which sent the message, at least this is true when every part of the message
is received.

try to snoop the network (or truss syslog-ng) to find out how the message
was sent "exactly".

I suspect that there's no timestamp in the message and no hostname either,
so syslog-ng parses ctld as the hostname and 5.0.6 as the program name, and
later it replaces ctld with the hostname the given message was received from.
(this can be changed with keep_hostname(yes or no))

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
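A small model of the parse Bazsi describes, added here as an illustration and not syslog-ng's actual code: it applies the rule (after the hostname, everything up to '[' or ':' is the program) to the ctld line with and without its timestamp, and replaces the parsed hostname with the sending address as keep_hostname(no) would. The sender address and the timestamp-less variant are constructed for the example.

```python
import re

# Constructed inputs: the line as logged on the Solaris box (with its
# timestamp) and the same line as it would look if sent without one.
WITH_TS = ("Nov  7 04:05:45 ballys ctld 5.0.6[22164]: [0] Error: "
           "unable to read header - Status: NoMoreData.")
NO_TS = ("ctld 5.0.6[22164]: [0] Error: "
         "unable to read header - Status: NoMoreData.")
SENDER = "ballys.hotwired.com"  # assumed reverse-lookup of the UDP source

# BSD syslog timestamp: "Mon dd hh:mm:ss " (day may be space-padded)
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")


def parse(raw, sender, keep_hostname=False):
    """Return (timestamp, host, program, rest) using the heuristic from
    the mail. Simplified model, not syslog-ng's real parser."""
    m = TIMESTAMP.match(raw)
    if m:
        timestamp = m.group(0).strip()
        body = raw[m.end():]
    else:
        # No timestamp: the first word still gets taken as the hostname,
        # which is how "ctld" ends up treated as a host.
        timestamp = None
        body = raw
    host, _, body = body.partition(" ")
    # Program name runs from after the hostname to the first '[' or ':'.
    cut = [i for i in (body.find("["), body.find(":")) if i >= 0]
    end = min(cut) if cut else len(body)
    program = body[:end].strip()
    rest = body[end:]
    if not keep_hostname:
        # keep_hostname(no): the loghost substitutes the address it
        # received the datagram from for whatever it parsed as the host.
        host = sender
    return timestamp, host, program, rest


if __name__ == "__main__":
    for raw in (WITH_TS, NO_TS):
        print(parse(raw, SENDER))
```

With the timestamp present the program comes out as "ctld 5.0.6"; without it the program is only "5.0.6", which is what the loghost showed.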