[syslog-ng] different message shows up on loghost than on client
Nate Campi
nate@campin.net
Fri, 9 Nov 2001 23:16:34 -0800
On Fri, Nov 09, 2001 at 09:45:34AM +0100, Balazs Scheidler wrote:
> On Thu, Nov 08, 2001 at 11:35:38PM -0800, Nate Campi wrote:
> > On Wed, Nov 07, 2001 at 05:49:00PM -0800, Nate Campi wrote:
> > >
> > > The problem is that a message like this on a Solaris 2.6 box:
> > >
> > > Nov 7 04:05:45 ballys ctld 5.0.6[22164]: [0] Error: unable to read
> > > header - Status: NoMoreData.
> > >
> > > ...will arrive (via UDP) on my Linux loghost (syslog-ng 1.4.12) like this:
> > >
> > > Nov 7 04:05:45 ballys.hotwired.com 5.0.6[22164]: [0] Error: unable to
> > > read header - Status: NoMoreData.
> > >
> >
> > Can anyone tell me why the program info is lost when Solaris 2.6 sends
> > my message over UDP to syslog-ng 1.4.12?
>
> Probably because of the strange format of the message. As I read the code,
> anything after the hostname until '[' or ':' is taken as part of the program
> which sent the message; at least this is true when every part of the message
> is received.
>
> Try to snoop the network (or truss syslog-ng) to find out how the message
> was sent "exactly".
>
> I suspect that there's no timestamp in the message and no hostname either,
> so syslog-ng parses ctld as the hostname and 5.0.6 as the programname, and
> later it replaces ctld with the hostname the given message was received from.
> (This can be changed with keep_hostname(yes or no).)

So if I set "keep_hostname(yes)" I'll just get:

Nov 7 04:05:45 ctld 5.0.6[22164]: [0] Error: unable to
read header - Status: NoMoreData.

...right? Sounds like this needs a bug report with the software vendor,
assuming I can verify that their syslog messages are wrong.

--
Nate Campi http://www.campin.net GnuPG key: 0xC17AEF79
Key fingerprint = BF12 722F 8799 E614 33CC FAB7 5A90 C464 C17A EF79
A mathematician is an engine for converting coffee into theorems.
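
The header parsing described in the quoted reply, as an added example that is not part of the original thread and is not syslog-ng's code: a simplified Python model of "first word is the hostname, everything up to '[' or ':' is the program", with `keep_hostname` on and off. The function names, the `<27>` priority and the three wire-format strings are constructed assumptions; the second one follows the suspicion in the thread that the sender omits timestamp and hostname.

```python
import re

# Simplified model of the behaviour described in the thread (an assumption,
# not syslog-ng source): optional <PRI>, optional BSD timestamp, then the
# first word is the hostname and everything up to '[' or ':' is the program.
PRI_RE = re.compile(r"^<\d{1,3}>")
TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")

def parse(datagram, sender, keep_hostname=False):
    """Return (host, program, message) for one received UDP syslog datagram."""
    rest = PRI_RE.sub("", datagram, count=1)
    ts = TS_RE.match(rest)
    if ts:
        rest = rest[ts.end():]
    # Whatever word comes first is treated as the hostname.
    host, _, rest = rest.partition(" ")
    cut = re.search(r"[\[:]", rest)
    program = rest[:cut.start()] if cut else ""
    message = rest[cut.start():] if cut else rest
    if not keep_hostname:
        host = sender  # replaced with the name of the host that sent the datagram
    return host, program, message

def looks_misparsed(program):
    """Heuristic check for a loghost filter: a program field that is empty
    or does not start with a letter suggests a shifted header."""
    return not program[:1].isalpha()

SENDER = "ballys.hotwired.com"
BODY = "[22164]: [0] Error: unable to read header - Status: NoMoreData."
# Constructed wire formats (assumptions, not captured traffic):
WELL_FORMED = "<27>Nov  7 04:05:45 ballys ctld" + BODY
NO_HEADER = "<27>ctld 5.0.6" + BODY                             # suspected case
FULL_HEADER = "<27>Nov  7 04:05:45 ballys ctld 5.0.6" + BODY

if __name__ == "__main__":
    for name, raw in [("well-formed", WELL_FORMED),
                      ("no header", NO_HEADER),
                      ("full header", FULL_HEADER)]:
        for keep in (False, True):
            host, prog, _ = parse(raw, SENDER, keep_hostname=keep)
            print(f"{name:12} keep_hostname={keep!s:5} host={host!r} "
                  f"program={prog!r} suspicious={looks_misparsed(prog)}")
```

Comparing the "no header" and "full header" rows against a packet capture of the real datagram shows which case applies.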