[syslog-ng] syslog-ng mistreating data as part of the hostname?

Hildenbrand, Patrick patrick.hildenbrand@sap.com
Thu, 17 Jan 2002 08:48:23 +0100


On Wed, Jan 16, 2002 at 07:45:26PM +0100, Nate Campi wrote:
>On Wed, Jan 16, 2002 at 05:14:11PM +0100, Hildenbrand, Patrick wrote:
>> some more info.
>> 
>> tracing the output of the SSR, the packet does not contain the hostname at
>> the proper place but only the timestamp. So the output looks like
>> (translated into ascii):
>> <174>Jan 13 04:02:12 %ACL_LOG-I-DENY, ACL [280] on "rtfa" UDP 192.168.1.2:4721 -> 14.9.1.3:53

This is the ascii-converted hexdump of the packet; there is only a single
space between date and message.

> [ ... ]
>
>Linux syslog sends messages like this:
>
><123>named[123]: another error from BIND, you should use djbdns
My debugging showed the prio being only two digits (ex. <23>), but yes, and
the difference is that there is not even a timestamp, which is why this case
is explicitly covered in the RFC, while the case of the Cabletron SSR is not.
This is probably also why syslog-ng does not have a problem with this case;
it gets logged as:
	Jan 17 08:11:21 hwdf0006/hwdf0006 PAM_pwdb[22525]: (sshd) session close
so syslog-ng correctly adds time and hostname to the log entry.
The format of linux (and others) is:
<Prio>message
The format of the SSR is:
<Prio>datetime<space>message
The format the RFC suggests is:
<Prio>datetime{space}hostname{space}message

>It is up to the relay/collector to input the complete header.
This is my understanding from the RFC too, but how do I get this using
syslog-ng?

>I missed the beginning of this thread, is "%ACL_LOG-I-DENY" getting set
>as your hostname? I had the same problem with solaris logs when the
>"TAG" field had a space in it, so syslog-ng (correctly) thinks the first
>part of the process name (in the "TAG") was the hostname. I wrote a
>syslog proxy to overcome this, since I can't ask syslog-ng to stop
>following standards.
As said above, there is one space between date and message, but according to
the standard there is no standard on how devices send their messages.
>Perhaps syslog-ng can have a configuration setting where if it receives
>a certain string in the hostname field, you can set keep-hostname to no
>for just that message. That would save the day for me, but I don't know
>how hard it would be to implement that.
Well, I would vote for a setting just the other way around, so as to be
able to configure something like
options( addhostname(<pattern>) )
which would lead to the hostname being added if the pattern is matched and
the pattern then being treated as part of the message.
For me this would just be '^%', as every message of the SSR is prepended
with the percent sign ;-)

I still do not know how much work it would be, but .....

BTW: I do not know how the Linux syslog does it, but it does not have this
problem. Maybe because '%' is not a valid char for hostnames. Linux syslog
is a pretty standard syslog, I'd guess, though you could argue whether this
is correct according to the standard. Linux syslog displays the message
above as:
Jan 13 04:02:12 1.2.3.4 %ACL_LOG-I-DENY, ACL [280] on "rtfa" UDP 192.168.1.2:4721 -> 14.9.1.3:53
so it automagically adds the IP address to the message. Again, maybe because
of the '%' and ',' signs inside the string at the <hostname> position.

>-- 
>Nate Campi     <http://www.campin.net>    GnuPG key: 0xC17AEF79   

Kind regards,

Patrick Hildenbrand

> Patrick Hildenbrand
> Operations & Technology 
> SAP Hosting AG & Co. KG
> Raiffeisenring 45
> 68789 St. Leon-Rot, Germany
> T   +49/6227/7-66410
> F   +49/6227/7-66301
> E   patrick.hildenbrand@sap.com
> http://www.saphosting.com
>
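A worked example, added here and not taken from the thread or from syslog-ng itself: a small Python parser that splits a BSD-syslog datagram into PRI, timestamp, hostname and message along the three formats discussed above (Linux `<Prio>message`, SSR `<Prio>datetime message`, RFC `<Prio>datetime hostname message`) and implements the proposed `addhostname(<pattern>)` behaviour: when the token after the timestamp matches the pattern (or, as a fallback, contains characters that cannot occur in a hostname, such as `%` or `,`), the token stays in the message and the hostname is filled from the sender address of the UDP packet. The sample datagrams are constructed from the lines quoted in the thread; the sender addresses, the fixed relay clock and the hostname character rule are assumptions of this example.

```python
import re
from typing import Dict, Optional

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
PRI_RE = re.compile(r"^<(\d{1,3})>")
# BSD timestamp: "Mmm dd hh:mm:ss", day space-padded ("Jan  3") or two digits.
TIMESTAMP_RE = re.compile(r"^(?:%s) [ \d]\d \d\d:\d\d:\d\d" % MONTHS)
# Assumed hostname syntax: letters, digits, '-' and '.' only. '%' and ',' from the
# SSR message can never match, which is the heuristic the mail speculates about.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")

# Constructed samples (datagram, sender IP) built from the formats quoted above.
SAMPLES = {
    "ssr": ('<174>Jan 13 04:02:12 %ACL_LOG-I-DENY, ACL [280] on "rtfa" UDP '
            '192.168.1.2:4721 -> 14.9.1.3:53', "1.2.3.4"),
    "linux": ("<123>named[123]: another error from BIND, you should use djbdns",
              "10.0.0.5"),
    "rfc": ("<23>Jan 17 08:11:21 hwdf0006 PAM_pwdb[22525]: (sshd) session close",
            "10.0.0.6"),
}


def _result(pri: int, timestamp: str, hostname: str, message: str,
            host_src: str, ts_src: str) -> Dict[str, object]:
    return {"pri": pri, "facility": pri // 8, "severity": pri % 8,
            "timestamp": timestamp, "hostname": hostname, "message": message,
            "hostname_source": host_src, "timestamp_source": ts_src}


def parse_syslog(datagram: str, sender: str, now: str,
                 add_hostname: Optional[str] = r"^%") -> Dict[str, object]:
    """Split a BSD-syslog datagram into PRI, timestamp, hostname and message.

    sender: source IP of the UDP packet, used as hostname when the packet has none.
    now:    the relay's clock as a string, so the example is deterministic.
    add_hostname: regex for the hypothetical addhostname(<pattern>) option; a match
            on the token after the timestamp keeps that token in the message.
    """
    m = PRI_RE.match(datagram)
    if m is None or int(m.group(1)) > 191:
        raise ValueError("missing or invalid PRI field")
    pri = int(m.group(1))
    rest = datagram[m.end():]

    ts = TIMESTAMP_RE.match(rest)
    if ts is None:
        # Linux form: <Prio>message. The relay supplies timestamp and hostname.
        return _result(pri, now, sender, rest, "sender", "relay")
    timestamp = ts.group(0)
    rest = rest[ts.end():].lstrip(" ")
    token, _, remainder = rest.partition(" ")

    pattern_hit = add_hostname is not None and re.search(add_hostname, token)
    if pattern_hit or not HOSTNAME_RE.match(token):
        # SSR form: <Prio>datetime message. Token is message text, not a host.
        return _result(pri, timestamp, sender, rest, "sender", "header")
    # RFC form: <Prio>datetime hostname message.
    return _result(pri, timestamp, token, remainder, "header", "header")


def format_line(r: Dict[str, object]) -> str:
    """Render the record the way the Linux syslog output quoted above looks."""
    return "%s %s %s" % (r["timestamp"], r["hostname"], r["message"])


if __name__ == "__main__":
    for name, (datagram, sender) in SAMPLES.items():
        rec = parse_syslog(datagram, sender, now="Jan 17 08:48:23")
        print(name, "->", format_line(rec),
              "(hostname from %s)" % rec["hostname_source"])
```

Passing `add_hostname=None` disables the pattern; the SSR line is then still classified correctly only because of the hostname character check, which shows why the two rules are worth combining: the pattern is explicit and auditable per device, the character check is the safety net for devices nobody has configured yet.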