[syslog-ng]replacing part of prog name with hostname
Balazs Scheidler
bazsi@balabit.hu
Mon, 6 Jan 2003 10:24:27 +0100
On Sat, Jan 04, 2003 at 12:50:30PM -0800, Nate Campi wrote:
> On Sat, Jan 04, 2003 at 02:55:51PM +0300, Borzenkov Andrey wrote:
> > > It knows to actually shift the message over one place to the right and
> > > stick the value of the $FULLHOST_FROM macro in there. Even if I tried
> > > templating out the message on my own syslog-ng will still think that
> > > "ctlds" or "last" isn't part of the message and it'll get lost.
> >
> > Better is to implement source templates. This way you can precisely describe
> > input line, so if you know your source never appends host name, you just
> > omit this from template. Something like
> >
> > source s_stream { unix-stream("/dev/log" max-connections(10)); template(DATE
> > PROG[PID]:... );};
>
> You missed the fact that before you ever get around to templating, part
> of the program name is *already* lost. It's too late for that.
he meant 'source templates' to specify how to parse messages. while that
would be interesting it is less than trivial.
I'm trying to hack a bad_hostname() feature right now.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1