[syslog-ng]replacing part of prog name with hostname

Noam Meltzer tsnoam@excite.com
Sat, 4 Jan 2003 11:00:17 -0500 (EST)



This sounds like a nice idea, but I think that if you use such a mechanism you should also state how to find the missing field, if you don't mention it.
Also, you should think a lot about how to describe your regexp to support a multi-platform environment.

Noam


--- On Sat 01/04, Borzenkov Andrey wrote:
From: Borzenkov Andrey [mailto: Andrey.Borzenkov@siemens.com]
To: syslog-ng@lists.balabit.hu
Date: Sat, 4 Jan 2003 14:55:51 +0300
Subject: RE: [syslog-ng]replacing part of prog name with hostname

> On Thu, Jan 02, 2003 at 10:43:45AM +0100, Balazs Scheidler wrote:
> >
> > the problem is ctlds sends a space in the program name tag, thus syslog-ng
> > interprets 'ctlds' as hostname and '6.0' as program name. as
> > keep_hostname() is set to no it rewrites originating host name.
> >
> > Try setting keep_hostname() to yes, it will not touch the hostname then.
>
> Right but "ctlds" isn't the hostname, larry is. My logs are wrong either
> way - I either lose half my program name or get the wrong hostname.
> Either way I lose.
>
> Arg, I actually wrote my own syslog daemon to relay and rewrite all
> these last year. The only way to fix this with syslog-ng would be to add
> a feature like
>
>  options {
>   bad_hostnames("ctlds","last");
>  };
>
> When syslog-ng sees either of these:
>
>  Jan  2 15:06:47 ctlds 6.0[11718]: [0] Request error (500): Template processing error
>  Jan  2 15:06:47 last message repeated 123 times
>
> It knows to actually shift the message over one place to the right and
> stick the value of the $FULLHOST_FROM macro in there. Even if I tried
> templating out the message on my own syslog-ng will still think that
> "ctlds" or "last" isn't part of the message and it'll get lost.

Better is to implement source templates. This way you can precisely describe
input line, so if you know your source never appends host name, you just
omit this from template. Something like

source s_stream { unix-stream("/dev/log" max-connections(10)); template(DATE PROG[PID]:... );};

Cheers

-andrey
_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

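The mis-attribution discussed in this thread and the proposed shift-right repair, as a stand-alone Python sketch (an added example, not code from the thread or from syslog-ng). bad_hostnames is the option proposed in the quoted message, not an existing syslog-ng feature; parse(), its field names and the `sender` argument standing in for $FULLHOST_FROM are assumptions.

```python
import re

# Legacy BSD syslog line without <PRI>, as in the thread's samples:
#   "Mmm dd hh:mm:ss HOST TAG[PID]: MSG"
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# TAG may contain a space once a bogus host token is pushed back into it.
TAG = re.compile(r"^(?P<prog>[^\[\]:]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# The two lines quoted in the thread; "larry" is the real sending host there.
SAMPLES = [
    "Jan  2 15:06:47 ctlds 6.0[11718]: [0] Request error (500): Template processing error",
    "Jan  2 15:06:47 last message repeated 123 times",
]
BAD_HOSTNAMES = {"ctlds", "last"}


def parse(line, sender, bad_hostnames=()):
    """Split a line into fields. `sender` is the peer the relay received the
    line from (assumed stand-in for $FULLHOST_FROM)."""
    m = LINE.match(line)
    if m is None:
        raise ValueError("not a BSD-style syslog line")
    host, rest = m["host"], m["rest"]
    if host in bad_hostnames:
        # The "hostname" is really the first word of the program name or of
        # the message: shift it back and attribute the line to the sender.
        host, rest = sender, f"{m['host']} {rest}"
    t = TAG.match(rest)
    if t:
        prog, pid, msg = t["prog"], t["pid"], t["msg"]
    else:  # no "tag:" prefix, e.g. "last message repeated N times"
        prog, pid, msg = None, None, rest
    return {"ts": m["ts"], "host": host, "program": prog, "pid": pid, "msg": msg}


if __name__ == "__main__":
    for s in SAMPLES:
        print("naive  :", parse(s, "larry"))
        print("shifted:", parse(s, "larry", BAD_HOSTNAMES))
```

The list is matched on the exact token, so a real host that happens to be named ctlds or last would be relabelled as well; such a list only makes sense scoped to a source known never to send a hostname.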