[syslog-ng]replacing part of prog name with hostname
Balazs Scheidler
bazsi@balabit.hu
Thu, 2 Jan 2003 10:43:45 +0100
On Tue, Dec 31, 2002 at 02:05:34PM -0800, Nate Campi wrote:
> I have syslog-ng 1.5.24 on solaris 8, reading from /etc/.syslog_door and
> I have a log entry like this:
>
> Dec 31 13:48:15 larry 6.0[8704]: [ID 702911 local0.warning] [0] Can't
> stat file in FlushFile [news/PointCast]: No such file or directory
>
> ...but the program name was sent from the app was: "ctlds 6.0[8704]:"
> and syslog-ng replaced the first part of the messed up program name with
> the host's name.
>
> In the next version, can syslog-ng "learn" that it don't get a hostname
> from solaris ever and that the entire text coming in is actually the log
> message? I'm losing information this way. I wonder how many other apps
> split up the program name and lose data - most people would never know
> as end users.
the problem is ctlds sends a space in the program name tag, thus syslog-ng
interprets 'ctlds' as hostname and '6.0' as program name. as
keep_hostname() is set to no it rewrites originating host name.
Try setting keep_hostname() to yes, it will not touch the hostname then.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1