[syslog-ng]replacing part of prog name with hostname

Borzenkov Andrey Andrey.Borzenkov@siemens.com
Sat, 4 Jan 2003 14:55:51 +0300


>
> On Thu, Jan 02, 2003 at 10:43:45AM +0100, Balazs Scheidler wrote:
> >
> > the problem is ctlds sends a space in the program name tag, thus syslog-ng
> > interprets 'ctlds' as hostname and '6.0' as program name. as
> > keep_hostname() is set to no it rewrites originating host name.
> >
> > Try setting keep_hostname() to yes, it will not touch the hostname then.
>
> Right but "ctlds" isn't the hostname, larry is. My logs are wrong either
> way - I either lose half my program name or get the wrong hostname.
> Either way I lose.
>
> Arg, I actually wrote my own syslog daemon to relay and rewrite all
> these last year. The only way to fix this with syslog-ng would be to add
> a feature like
>
>  options {
>   bad_hostnames("ctlds","last");
>  };
>
> When syslog-ng sees either of these:
>
>  Jan  2 15:06:47 ctlds 6.0[11718]: [0] Request error (500): Template processing error
>  Jan  2 15:06:47 last message repeated 123 times
>
> It knows to actually shift the message over one place to the right and
> stick the value of the $FULLHOST_FROM macro in there. Even if I tried
> templating out the message on my own syslog-ng will still think that
> "ctlds" or "last" isn't part of the message and it'll get lost.

Better is to implement source templates. This way you can precisely describe
input line, so if you know your source never appends host name, you just
omit this from template. Something like

source s_stream { unix-stream("/dev/log" max-connections(10)); template(DATE PROG[PID]:... );};

Cheers

-andrey
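
The misattribution discussed in this thread, and the "shift the message and use the sender" behaviour proposed in the quoted text, as an added Python example that is not part of the original message and is not syslog-ng code. The function `parse`, its `sender` argument and the sample lines are constructed for illustration; `bad_hostnames` mirrors the option as proposed in the quoted text.

```python
import re

# BSD-syslog style header: "Mmm dd hh:mm:ss" followed by the rest of the line.
HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$")
# Program tag: "name[pid]:" or "name:" at the start of the message part.
TAG = re.compile(r"^(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

# Constructed sample lines, modelled on the two quoted in the thread.
SAMPLES = [
    "Jan  2 15:06:47 ctlds 6.0[11718]: [0] Request error (500): Template processing error",
    "Jan  2 15:06:47 last message repeated 123 times",
    "Jan  2 15:06:48 larry sshd[402]: session opened",
]

def parse(line, sender, bad_hostnames=frozenset()):
    """Parse one line received from `sender` (the peer the relay saw).

    With an empty bad_hostnames set this reproduces the naive behaviour:
    the first token after the timestamp is always taken as the host.
    """
    m = HEADER.match(line)
    if m is None:
        return {"host": sender, "prog": None, "pid": None, "msg": line}
    first, _, remainder = m.group("rest").partition(" ")
    if first in bad_hostnames:
        # Token is really the start of the message: keep it and
        # attribute the line to the peer instead.
        host, body = sender, m.group("rest")
    else:
        host, body = first, remainder
    t = TAG.match(body)
    if t:
        return {"host": host, "prog": t.group("prog"),
                "pid": t.group("pid"), "msg": t.group("msg")}
    return {"host": host, "prog": None, "pid": None, "msg": body}

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse(line, "larry"))
        print(parse(line, "larry", frozenset({"ctlds", "last"})))
```

For anyone relying on these logs for attribution, the naive parse files the first two lines under hosts named "ctlds" and "last", so searches and alerts keyed on the real host miss them.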