[syslog-ng]replacing part of prog name with hostname
Balazs Scheidler
bazsi@balabit.hu
Fri, 3 Jan 2003 10:53:37 +0100
On Thu, Jan 02, 2003 at 03:21:56PM -0800, Nate Campi wrote:
> On Thu, Jan 02, 2003 at 10:43:45AM +0100, Balazs Scheidler wrote:
> >
> > the problem is ctlds sends a space in the program name tag, thus syslog-ng
> > interprets 'ctlds' as hostname and '6.0' as program name. as
> > keep_hostname() is set to no it rewrites originating host name.
> >
> > Try setting keep_hostname() to yes, it will not touch the hostname then.
>
> Right but "ctlds" isn't the hostname, larry is. My logs are wrong either
> way - I either lose half my program name or get the wrong hostname.
> Either way I lose.
>
> Arg, I actually wrote my own syslog daemon to relay and rewrite all
> these last year. The only way to fix this with syslog-ng would be to add
> a feature like
>
> options {
> bad_hostnames("ctlds","last");
> };
>
> When syslog-ng sees either of these:
>
> Jan 2 15:06:47 ctlds 6.0[11718]: [0] Request error (500): Template processing error
> Jan 2 15:06:47 last message repeated 123 times
>
> It knows to actually shift the message over one place to the right and
> stick the value of the $FULLHOST_FROM macro in there. Even if I tried
> templating out the message on my own syslog-ng will still think that
> "ctlds" or "last" isn't part of the message and it'll get lost.
the last messages case should be covered by the function parse_log_msg()
it recognizes message repetitions and takes the complete message as message
with no host or program name:
/* Now, try to tell if it's a "last message repeated" line */
if (left >= sizeof(repeat_msg_string) &&
!memcmp(src, repeat_msg_string,
sizeof(repeat_msg_string) - 1)) {
; /* It is. Do nothing since there's no hostname or
program name coming. */
}
I will think about the bad hostname feature.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1