[syslog-ng] syslog-ng mistreating data as part of the hostname?

Nate Campi nate@campin.net
Wed, 16 Jan 2002 11:45:26 -0800


On Wed, Jan 16, 2002 at 05:14:11PM +0100, Hildenbrand, Patrick wrote:
> some more info.
> 
> tracing the output of the SSR, the packet does not contain the hostname at
> the proper place but only the timestamp. So the output looks like
> (translated into ascii):
> <174>Jan 13 04:02:12 %ACL_LOG-I-DENY, ACL [280] on "rtfa" UDP
> 192.168.1.2:4721 -> 14.9.1.3:53

This is how Solaris and Digital Unix boxes send syslog packets too.

> The format as described in rfc3164 is only required for relays, which the
> router is not, as it is the originator of the packet. In fact in the
> standard it reads:
> 4.2 Original syslog Packets Generated by a Device
> There are no set requirements on the contents of the syslog packet as it is
> originally sent from a device. It should be reiterated here that the payload
> of any IP packet destined to UDP port 514 MUST be considered to be a valid
> syslog message. It is, however, RECOMMENDED that the syslog packet have all
> of the parts described in Section 4.1 - PRI, HEADER and MSG - as this
> enhances readability by the recipient and eliminates the need for a relay to
> modify the message. 

> Setting 'keep_hostname(yes)', the message will be displayed correctly but
> without the hostname (contrary to the normal linux syslog). I could not

Linux syslog sends messages like this:

<123>named[123]: another error from BIND, you should use djbdns

It is up to the relay/collector to input the complete header.

> fiddle out a single set of options that would have given me the output of
> the standard syslog. Any hints what I can do besides calling an external
> Program ?

I missed the beginning of this thread; is "%ACL_LOG-I-DENY" getting set
as your hostname? I had the same problem with Solaris logs when the
"TAG" field had a space in it, so syslog-ng (correctly) thinks the first
part of the process name (in the "TAG") was the hostname. I wrote a
syslog proxy to overcome this, since I can't ask syslog-ng to stop
following standards.

Perhaps syslog-ng can have a configuration setting where if it receives
a certain string in the hostname field, you can set keep-hostname to no
for just that message. That would save the day for me, but I don't know
how hard it would be to implement that.
-- 
Nate Campi     http://www.campin.net    GnuPG key: 0xC17AEF79   

Fear leads to anger.  Anger leads to hate.  Hate leads to using
Windows NT for mission-critical applications.
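The parsing problem discussed in the thread, as an added example that is not part of the original post and is neither Nate's syslog proxy nor syslog-ng's own parser. It is a small RFC 3164 header parser that only consumes a HOSTNAME field when the token after the TIMESTAMP actually looks like a hostname; the `not_hostnames` parameter is a hypothetical stand-in for the per-string override Nate proposes (a token listed there is left in the MSG and the message is stamped with the sending address), and `sender`, `keep_hostname` and `render` are names chosen here. The router and Linux sample packets are the ones quoted in the thread; the `mymachine` line is the example from RFC 3164 section 5.4, and the `last message repeated` line and all addresses are constructed.

```python
"""RFC 3164 header parser that copes with devices which omit the HOSTNAME.

Added example for the syslog-ng thread above; not syslog-ng code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Collection, Optional

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 TIMESTAMP: "Mmm dd hh:mm:ss", day space-padded, followed by one space.
TS_RE = re.compile(
    r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d\d:\d\d:\d\d "
)
# A plausible HOSTNAME: letters, digits, '.' and '-' only. Anything else
# ('%', '[', ':', ',', '_') marks the token as the start of the MSG instead.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: Optional[str]  # None when the device sent no TIMESTAMP
    hostname: str             # from the packet, or the sending address
    msg: str                  # TAG + CONTENT, left untouched


def split_pri(packet: str) -> tuple[int, str]:
    """Return (PRI, remainder); RFC 3164 4.3.3: no valid PRI -> user.notice (13)."""
    m = PRI_RE.match(packet)
    if m and int(m.group(1)) <= 191:
        return int(m.group(1)), packet[m.end():]
    return 13, packet


def parse_rfc3164(packet: str, sender: str, keep_hostname: bool = False,
                  not_hostnames: Collection[str] = ()) -> SyslogMessage:
    """Parse one packet received from `sender` (hypothetical collector API)."""
    pri, rest = split_pri(packet)
    facility, severity = divmod(pri, 8)

    timestamp = None
    m = TS_RE.match(rest)
    if m:
        timestamp = m.group(0).rstrip()
        rest = rest[m.end():]

    hostname = sender
    token, _, remainder = rest.partition(" ")
    header_has_hostname = (
        timestamp is not None                 # no TIMESTAMP -> no HEADER at all
        and HOSTNAME_RE.match(token) is not None
        and token not in not_hostnames        # the proposed per-string override
    )
    if header_has_hostname:
        # Consume the HOSTNAME field; trust its value only with keep_hostname(yes).
        if keep_hostname:
            hostname = token
        rest = remainder
    # Otherwise the token ("%ACL_LOG-I-DENY,", "named[123]:", "last") stays in
    # the MSG and the message is stamped with the address it came from.
    return SyslogMessage(facility, severity, timestamp, hostname, rest)


def render(m: SyslogMessage, received_at: str) -> str:
    """Write the line the way a collector would, filling in a missing TIMESTAMP."""
    return f"{m.timestamp or received_at} {m.hostname} {m.msg}"


if __name__ == "__main__":
    SAMPLES = [
        # Router packet from the thread: TIMESTAMP present, HOSTNAME missing.
        '<174>Jan 13 04:02:12 %ACL_LOG-I-DENY, ACL [280] on "rtfa" UDP '
        "192.168.1.2:4721 -> 14.9.1.3:53",
        # Linux packet from the thread: neither TIMESTAMP nor HOSTNAME.
        "<123>named[123]: another error from BIND, you should use djbdns",
        # RFC 3164 section 5.4 example: full HEADER.
        "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
        # Constructed: a hostname-looking word that is really MSG text.
        "<14>Jan 16 11:45:26 last message repeated 3 times",
    ]
    for packet in SAMPLES:
        parsed = parse_rfc3164(packet, sender="10.0.0.7", keep_hostname=True,
                               not_hostnames={"last"})
        print(render(parsed, received_at="Jan 16 11:45:26"))
```

The `HOSTNAME_RE` check alone resolves both packets quoted in the thread, because `%ACL_LOG-I-DENY,` and `named[123]:` contain characters no hostname can; the `not_hostnames` list is only needed for tokens such as `last` that are syntactically valid hostnames, which is exactly the case Nate's proposed configuration string would cover.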