[syslog-ng] syslog-ng mistreating data as part of the hostname?
Nate Campi
nate@campin.net
Sat, 19 Jan 2002 20:40:25 -0800
On Sat, Jan 19, 2002 at 10:06:27PM +0100, Balazs Scheidler wrote:
>
> Message parsing is as follows: (it's in the file log.c, function
> parse_log_msg)
>
> * parse priority if present (decided based on the first character)
> * skip white space if present
> * check if we have something that looks like date
> * if we have date:
> * skip white space after date
> * check if we have an AIX "forwarded for" or a "last message repeated" message
> * if nothing is special, we look for the first word up to ' ' or ':' or '['
> * if the first word is ended by a space, it is taken as hostname, otherwise as programname
Perhaps we could make this:
* if the first word is ended by a space *and doesn't match the conf file param bad_hostnames(),* it is taken as hostname, otherwise as programname. *If the hostname matches bad_hostnames(), the result of gethostbyaddr() is inserted as the hostname, with the original value of the hostname field pushed into the message contents.*
So bad_hostnames() could be a list of strings that are known program
names that show up as hostnames in our logs. I have software that sends
the prog name like this "ctld 5.0.6:" - so syslog-ng thinks "ctld" is the
hostname (Solaris system so network syslog packets are transmitted
without the hostname field). If I could tell syslog-ng that "ctld" is
*not* a hostname, this would be great.
bad_hostnames("ctld"; "ctlds"; "cmd";);
> * if we don't have date:
> * the first word up to ' ' or '[' or ':' or '/' or ',' or '<' is taken as programname
>
Thanks for all your hard work on syslog-ng, Balazs.
--
Nate Campi http://www.campin.net GnuPG key: 0xC17AEF79
"#define QUESTION ((bb) || !(bb))" - Shakespeare
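
The first-word rule quoted above, together with the bad_hostnames() fallback proposed in this message, as an added example (not code from syslog-ng's log.c or from either poster). The function and struct names, the sample lines and the sender name are assumptions; only the date-present branch is covered, and the program name that follows a real hostname is not parsed because the post does not describe that step.

```c
#include <stdio.h>
#include <string.h>

/* Constructed list standing in for the proposed bad_hostnames() option. */
static const char *bad_hostnames[] = { "ctld", "ctlds", "cmd", NULL };

struct parsed {
    char host[64];     /* hostname field of the record */
    char program[64];  /* set when the first word is a program name */
    const char *msg;   /* message contents, points into the input */
};

static int is_bad_hostname(const char *word)
{
    for (size_t i = 0; bad_hostnames[i] != NULL; i++)
        if (strcmp(word, bad_hostnames[i]) == 0) return 1;
    return 0;
}

/* rest: text after the date and its white space. sender: name for the packet's
 * source address (the post suggests gethostbyaddr(); passed in to run offline). */
struct parsed parse_after_date(const char *rest, const char *sender)
{
    struct parsed p = { "", "", rest };
    size_t n = strcspn(rest, " :[");   /* first word ends at ' ', ':' or '[' */
    char word[64];
    snprintf(word, sizeof word, "%.*s", (int)n, rest);
    if (n > 0 && rest[n] == ' ' && !is_bad_hostname(word)) {
        /* Ended by a space and not listed: taken as the hostname. */
        snprintf(p.host, sizeof p.host, "%s", word);
        p.msg = rest + n + 1;
    } else {
        /* Program name or listed word: host from sender, word stays in msg. */
        snprintf(p.host, sizeof p.host, "%s", sender);
        snprintf(p.program, sizeof p.program, "%s", word);
    }
    return p;
}

int main(void)
{
    /* Constructed sample lines, date already stripped. */
    const char *samples[] = { "ctld 5.0.6: link down", "web1 sshd[42]: ok", "su: fail" };
    for (size_t i = 0; i < 3; i++) {
        struct parsed p = parse_after_date(samples[i], "sol1.example.net");
        printf("host=%s program=%s msg=%s\n", p.host, p.program, p.msg);
    }
    return 0;
}
```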