[syslog-ng] syslog-ng mistreating data as part of the hostname?

Nate Campi nate@campin.net
Fri, 18 Jan 2002 10:35:28 -0800


On Thu, Jan 17, 2002 at 08:48:23AM +0100, Hildenbrand, Patrick wrote:
> On Wed, Jan 16, 2002 at 07:45:26PM +0100, Nate Campi wrote:
> >On Wed, Jan 16, 2002 at 05:14:11PM +0100, Hildenbrand, Patrick wrote:
> >
> ><123>named[123]: another error from BIND, you should use djbdns

> my debugging showed the prio being only two digits (ex. <23>) but yes and
> the difference is, 

The PRI is between 0 (one digit) and 192 (3 digits), no leading 0's
unless it is the number zero. This variance is normal.

> there is even no timestamp, why this case is explicitly covered in the RFC,
> while the case of the Cabletron ssr is not. This is probably also why
> syslog-ng does not have a problem with this case, it gets logged as:
> 	Jan 17 08:11:21 hwdf0006/hwdf0006 PAM_pwdb[22525]: (sshd) session
> close
> so syslog-ng correctly adds time and hostname to the log entry.
> The format of linux (and others) is:
> <Prio>message
> The format of the SSR is:
> <Prio>datetime<space>message

Solaris does it the same way. No hostname is ever sent, but the rest
of the HEADER is sent.

> The format the RFC suggests is:
> <Prio>datetime{space}hostname{space}message
> 
> >It is up to the relay/collector to input the complete header.

> this is my understanding from the rfc too, but how do I get this using
> syslog-ng ?

You cannot. I had to write a proxy that inserts the hostname before the
message. syslog-ng is following the RFC (before it was even written ;),
it cannot know whether a string is a hostname or the beginning of the
message. It has to assume that if the rest of the HEADER is there, the
hostname must be correct.

> 
> >I missed the beginning of this thread, is "%ACL_LOG-I-DENY" getting set
> >as your hostname? I had the same problem with solaris logs when the
> >"TAG" field had a space in it, so syslog-ng (correctly) thinks the first
> >part of the process name (in the "TAG") was the hostname. I wrote a
> >syslog proxy to overcome this, since I can't ask syslog-ng to stop
> >following standards.

> as said above, there is one space between date and message but according to
> the standard, 
> there is no standard on how devices do send their messages
> >Perhaps syslog-ng can have a configuration setting where if it receives
> >a certain string in the hostname field, you can set keep-hostname to no
> >for just that message. That would save the day for me, but I don't know
> >how hard it would be to implement that.

> Well I would vote for getting a setting just the other way around, so for
> being able to configure something like
> options( addhostname(<pattern>) 
> which would lead to the hostname being added if the pattern is matched and
> the pattern then being treated as part of the message.
> For me this just would be a '^%' as every message of the ssr is prepended
> with the percent sign ;-)

D'oh! That's actually what I meant, I sent off the message too fast and
didn't feel like replying to my own message with a correction.

> BTW: I do not know how the linux syslog does it, but it does not have this
> problem. Maybe because '%' is not a valid char for hostnames. linux syslog
> is a pretty standard syslog I'd guess, though you could argue, whether this
> is correct according to the standard. Linux syslog displays the message
> above as:
> Jan 13 04:02:12 1.2.3.4 %ACL_LOG-I-DENY, ACL [280] on "rtfa" UDP
> 192.168.1.2:4721 -> 14.9.1.3:53
> so it automagically adds the ip address to the message. Again maybe because
> of the '%' and ',' signs inside the string at the <hostname> position.

Balazs, could syslog-ng do the same here please? You haven't responded to
any of my messages lately asking for input on feature requests. Maybe I'm
so out of line you just don't want to respond :(
-- 
Nate Campi     http://www.campin.net    GnuPG key: 0xC17AEF79   

If you tell them, they never listen. If they listen, they never
learn. If they learn, they never remember. If they remember, they
never obey.
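The relay-side parsing discussed in this thread, as an added example that is not part of the original mail or of syslog-ng: a small Python parser that behaves like an RFC 3164 relay (timestamp present, so the next word is taken as the hostname) and additionally implements the hypothetical `addhostname(<pattern>)` option proposed above, so a message whose hostname slot matches the pattern gets the sender's address inserted instead. `relay_parse`, `Entry`, `HEADER_RE` and `ADDHOST` are names chosen for this example; the sample datagrams in the usage are taken from the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# BSD syslog HEADER as a relay sees it: "<PRI>" then an optional
# "Mmm dd hh:mm:ss " TIMESTAMP; whatever follows is HOSTNAME + MSG.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) )?"
    r"(?P<rest>.*)$",
    re.DOTALL,
)
# Hypothetical addhostname(<pattern>) value: SSR messages all start with '%'.
ADDHOST = re.compile(r"^%")


@dataclass
class Entry:
    pri: int
    timestamp: str
    hostname: str
    message: str

    def line(self) -> str:
        """Render the entry as a collector would write it to a log file."""
        return f"{self.timestamp} {self.hostname} {self.message}"


def relay_parse(raw: str, sender: str, now: str,
                addhostname: Optional[re.Pattern] = None) -> Entry:
    """Parse one datagram received from `sender` (its IP or resolved name).
    `now` is the relay's own clock, used when the message has no TIMESTAMP.
    If `addhostname` matches the word in the HOSTNAME slot, the relay uses
    `sender` as hostname and keeps that word as part of the MSG."""
    m = HEADER_RE.match(raw)
    if m is None:
        # No usable PRI: RFC 3164 tells the relay to assume <13>.
        return Entry(13, now, sender, raw)
    pri, ts, rest = int(m.group("pri")), m.group("ts"), m.group("rest")
    if ts is None:
        # Linux-style "<PRI>MSG": relay supplies timestamp and hostname.
        return Entry(pri, now, sender, rest)
    host, _, msg = rest.partition(" ")
    if addhostname is not None and addhostname.search(host):
        # First word is message text (e.g. "%ACL_LOG-I-DENY,"): the device
        # omitted HOSTNAME, so take it from the sender address instead.
        return Entry(pri, ts, sender, rest)
    # Default RFC behaviour: TIMESTAMP present, so the next word is HOSTNAME.
    return Entry(pri, ts, host, msg)
```

Calling `relay_parse(ssr_datagram, "1.2.3.4", now)` without the pattern reproduces the complaint in the thread (hostname becomes `%ACL_LOG-I-DENY,`), while passing `ADDHOST` yields the same line the Linux syslogd writes.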