[syslog-ng]replacing part of prog name with hostname
Balazs Scheidler
bazsi@balabit.hu
Fri, 3 Jan 2003 10:48:51 +0100
On Thu, Jan 02, 2003 at 03:28:49PM -0500, Noam Meltzer wrote:
> I thing you confused it a little...
> According to my last message (and a similar thread I created recently)
> The problem with the hostname resolving of Solaris is fixed with using:
>
> keep_hostname(no)
>
> But, I would really like to understand what's going on in there.
> Is my assumption correct?
No. syslog-ng parses the incoming message, but the format of messages is
_very_ vague. Depending on the sender the message itself can have many form.
The problem here was the sender program contains a space, and Solaris
syslogd does not add originating hostname to its local messages (unless it
relays the message) Thus it is not possible to decide whether the message
received contains 'hostname' & 'program' or a single 'program' but with a
space in it.
keep_hostname() is not a solution, just a workaround, so syslog-ng itself
does not rewrite the hostname. The filter expression host('^hostname$')
would still use the part before the space (e.g. the program name).
The solution is to fix the sender program, no better workaround exists in
syslog-ng.
Nate, the problem does not apply to local messages only, it happens to cases
when Solaris sends these messages via UDP. It is not a solution to simply
assume that there is no hostname for local messages
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1