[syslog-ng]Recording relay instance

Michael Boman syslog-ng@lists.balabit.hu
20 Jun 2003 21:05:34 +0800



On Fri, 2003-06-20 at 20:51, Hamilton, Andrew wrote:
> Probably the closest thing to that right now is chain_hostnames(on) as a
> global option.  You don't get what you really want but you get something
> like:
>
> 20 June 2003 12:00:00 relay/host program:.....
>
> as a hostname you get both the host it came through and the host it
> originated from.  There isn't a macro defined for relay but you could
> probably hack the code for chain_hostnames to give you a relay.  The only
> trouble would be figuring it out if you have more than one relay.

First off, having it in the message itself really screws up the log
analysis software (it's doing a gethostbyname() on the hostname). I have
tried it before, but it didn't work. I got hostA/hostA in the hostname
field, not hostA/relayA. That's basically why I am asking this.

I was asking earlier (a few weeks now) where I can stick in some code
that strips out non-printable ASCII characters, as there is a particular
firewall brand that likes to break the RFC by sending out messages with
tab characters in them. I have the code already, but don't know where to
stick it.

> -----Original Message-----
> From: Michael Boman [mailto:michael.boman@securecirt.com]
> Sent: Friday, June 20, 2003 6:58 AM
> To: Syslog-NG ML
> Subject: [syslog-ng]Recording relay instance
>
>
> Hi,
>
> I have some "problems" with syslog-ng. I have it deployed in several
> networks, and some of these networks are sharing the same IP address
> range and sometimes even the same IP address for certain hosts. This
> means that I can't truly say that 192.168.51.4 is either the db server
> in network A or the web server in network B.
>
> I'd like to have a $RELAY macro so I can save the logs as
>
> /LOGS/$RELAY/$HOST/$YEAR/$MONTH/$DAY/$FACILITY_$YEAR_$MONTH_$DAY
>
> Where $RELAY is where the message came from (so with direct connections
> it would be the same as $HOST, but with a syslog-ng in relay mode you
> get the address/name of the relay host). Basically a "received from"
> field.
>
> Is this functionality planned, or does it already exist (checked out the
> documentation but didn't see anything there).
>
> Best regards
>  Michael Boman
Best regards
 Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
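The thread describes two receiver-side problems: a chain_hostnames(on) HOSTNAME field of the form relay/host that log tools try to resolve as one name, and firewall messages carrying raw TAB characters. The Python below is an added example, not syslog-ng code or anything posted in the thread: it splits the chained field into the $RELAY and $HOST the poster asked for (also when several relays are chained), builds the /LOGS/$RELAY/$HOST/... path from the template above, and escapes non-printable ASCII in the message body. It assumes the relay/host component order given in the reply, takes the year from the receiver because BSD timestamps carry none, and runs on constructed sample lines.

```python
import re

# Constructed sample BSD-syslog lines (not from the thread). The first two carry
# a chain_hostnames(on) HOSTNAME of the "relay/origin" form, the second with raw
# TAB and BEL bytes in its body; the third arrived directly, with no relay.
SAMPLE_LINES = [
    "<134>Jun 20 12:00:00 relayA/hostA sshd[123]: Accepted publickey for admin",
    "<13>Jun 20 12:00:01 relayB/relayA/hostA fw: rule\t12\tACCEPT\x07",
    "<14>Jun 20 12:00:02 hostC cron[9]: job done",
]

BSD_LINE = re.compile(r"^<(\d{1,3})>(\w{3}) ([ \d]\d) (\d\d:\d\d:\d\d) (\S+) (.*)$")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "security", "console", "solaris-cron"] + [f"local{i}" for i in range(8)]


def split_chain(hostname, relay_first=True):
    """Split a chained HOSTNAME into (relay, origin).

    Every relay hop adds a component, so the field may have more than two parts;
    one end is the relay that handed us the message, the other the originating
    host. The reply gives the order as relay/host (assumed here); relay_first=False
    flips it. A direct connection has no "/", so relay == origin, as $RELAY would.
    """
    parts = hostname.split("/")
    return (parts[0], parts[-1]) if relay_first else (parts[-1], parts[0])


def sanitize(msg):
    """Escape non-printable ASCII (the TABs mentioned in the thread) as \\xNN."""
    return "".join(c if 0x20 <= ord(c) < 0x7F else f"\\x{ord(c):02x}" for c in msg)


def route(line, year, relay_first=True):
    """Return (destination path, sanitized message) for one received line, using the
    /LOGS/$RELAY/$HOST/$YEAR/$MONTH/$DAY/$FACILITY_$YEAR_$MONTH_$DAY template from the
    thread. BSD timestamps carry no year, so the receiver supplies it."""
    m = BSD_LINE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri, mon, day, _time, hostname, msg = m.groups()
    facility = FACILITIES[int(pri) >> 3]  # PRI = facility * 8 + severity
    relay, host = split_chain(hostname, relay_first)
    month, day = f"{MONTHS[mon]:02d}", f"{int(day):02d}"
    path = f"/LOGS/{relay}/{host}/{year}/{month}/{day}/{facility}_{year}_{month}_{day}"
    return path, sanitize(msg)
```

Calling `route(line, 2003)` on each of SAMPLE_LINES yields one path per relay/host pair, so a direct connection and a relayed one from a host with the same name or address land in different directories.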
