[syslog-ng]syslog-ng blanks in Servicename

Balazs Scheidler syslog-ng@lists.balabit.hu
Wed, 7 May 2003 13:53:45 +0200


On Wed, May 07, 2003 at 12:25:28PM +0200, Unger, Christian wrote:
> >On Wed, Apr 30, 2003 at 12:22:34PM +0200, Unger, Christian wrote:
> >> i log many informations via NT-Syslog to syslog-ng. Windows 2000 have some services with a blank in the Servicename. ex: NTDS ISAM
> >> 
> >> the log entry from syslog-ng seams as following:
> >> Apr 15 15:42:33 ntds isam[info] 700  NTDS (268) Online defragmentation is beginning a full pass on database 'C:\WINNT\NTDS\ntds.dit'.
> >> 
> >> NTDS ist NOT my hostname, thats the problem!
> >> 
> >> I think thats the problem is in RFC. But i don't read it. ( no time :[ )
> >> 
> >> is there a easy escape? or will the next version of syslog-ng have a escape?
> >
> >try check_hostname(yes)
> >
> ----
> 
> check_hostnames(yes) doesn't help.
> 
> I checked some information's with tcpdump. An I found a very interest
> handling. Syslog-ng is able to handle hostnames in syslog datagram, the
> delimiter between hostname and service name seams to be a space. So if I
> have spaces in service name syslog-ng thinks that the first word must be
> the hostname, but that's wrong. What can I do know?

sorry, check_hostname() is meant for cases when the word seeming to be a
hostname contains invalid characters (like '%'). The problem is that there
is no way to distinguish between a hostname and a programname containing a
space. The workaround I implemented was the bad_hostname() option, which
contains a regular expression which covers bad hostnames. E.g. if you have a
program that sends messages like:

Apr 28 15:13:54 snmp ctld[12345]: message

And "snmp ctld" is the program name, then you can use bad_hostname() to make
syslog-ng think that "snmp" itself is a bad hostname. (of course this will
not work if you really have a host named snmp)

options { bad_hostname("snmp"); };

bad_hostname() accepts an extended regular expression so you can list
several bad hostnames like this:

options { bad_hostname("snmp|iis|foo|bar"); };

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1