[syslog-ng] sorting messages with no HOSTNAME in HEADER

Balazs Scheidler syslog-ng@lists.balabit.hu
Sat, 8 Mar 2003 12:59:45 +0100


On Fri, Mar 07, 2003 at 07:57:41PM +0100, Lars Erik Gullerud wrote:
> Is there any way to make syslog-ng understand that messages it receives
> from my external hosts will _never_ have a HOSTNAME portion in its
> HEADER, as according to the terms used in RFC3164?
> 
> I.e. my syslog-packets, regardless of the type of equipment generating
> them, always contain just a PRI, a TIMESTAMP and then the MSG. No
> HOSTNAME and no TAG.
> 
> syslog-ng seems to always want to parse the first word of the received
> MSG as a hostname (although it is always in the format
> %SOMESYSLOGMESSAGE with a leading %, for all the hardware platforms I am
> trying to log), so keep_hostnames(yes) will sort based on this as the
> hostname, while keep_hostnames(no) will correctly sort, but replace the
> actual message I want to keep with a hostname.
> 
> Now, I _know_ my packets will never have a HOSTNAME portion, so I always
> want syslog-ng to add that, but i do NOT want it to fiddle around with
> what it wrongly perceives to be a HOSTNAME in the received message. I.e.
> I want the hostname _added_, not rewritten.
> 
> Is there any way I get syslog-ng to understand this? My normal
> FreeBSD-syslogd handles this problem beautifully by default, but it's a
> pain to have to run cron-jobs periodically to sort the logs into
> per-host logfiles. Surely it's just me who is being stupid here, this
> must be possible with syslog-ng?

You have two options:

1) enable check_hostname(), which validates whether the hostname contains
   only valid characters

options { check_hostname(yes); };

2) use bad_hostname() and use a regexp that always matches.

options { bad_hostname(".*"); };

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
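
The effect of the two options on a packet with no HOSTNAME, as an added Python sketch that is not part of the original message and is not syslog-ng's own code. The `parse` function, the valid-character set, the sender address and the sample packets are assumptions constructed for illustration.

```python
import re

# RFC 3164 layout: <PRI>TIMESTAMP [HOSTNAME] MSG
HEADER = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (.*)$", re.S)
# Assumed valid-character set; the real check_hostname() set may differ.
VALID_HOST = re.compile(r"^[A-Za-z0-9._-]+$")


def parse(packet, sender, check_hostname=False, bad_hostname=None):
    """Split a packet into header fields, deciding whether the first
    word after the timestamp is a HOSTNAME or already part of MSG."""
    m = HEADER.match(packet)
    if not m:
        # No recognisable header: keep everything, attribute to the sender.
        return {"pri": None, "host": sender, "msg": packet}
    pri, timestamp, rest = int(m.group(1)), m.group(2), m.group(3)
    token, _, tail = rest.partition(" ")
    # The first word is rejected as a hostname if it fails validation
    # (check_hostname) or matches the bad_hostname regexp.
    rejected = (check_hostname and not VALID_HOST.match(token)) or (
        bad_hostname is not None and re.search(bad_hostname, token))
    if rejected or not tail:
        host, msg = sender, rest      # hostname added, message untouched
    else:
        host, msg = token, tail       # first word consumed as HOSTNAME
    return {"pri": pri, "facility": pri >> 3, "severity": pri & 7,
            "timestamp": timestamp, "host": host, "msg": msg}


# Constructed samples: one device-style packet without HOSTNAME, one with.
NO_HOST = "<189>Mar  7 19:57:41 %LINK-3-UPDOWN: Interface Fa0/1, changed state to up"
WITH_HOST = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed"
SENDER = "192.0.2.10"  # constructed source address of the UDP packet

if __name__ == "__main__":
    for label, opts in [("default", {}),
                        ("check_hostname", {"check_hostname": True}),
                        ("bad_hostname", {"bad_hostname": ".*"})]:
        r = parse(NO_HOST, SENDER, **opts)
        print(f"{label:15} host={r['host']!r} msg={r['msg']!r}")
```

With `check_hostname` a packet that does carry a well-formed hostname is still parsed normally, whereas `bad_hostname(".*")` rejects every first word and always falls back to the sender.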