[syslog-ng]syslog-ng blanks in Servicename

Christian Osbahr syslog-ng@lists.balabit.hu
Wed, 7 May 2003 14:31:21 +0200

I just installed syslog-ng, and had a similar experience with a certain
type of switches (Alteon's). Only in this case the syslog messages were
formatted so that syslog-ng saw the level as the hostname (i.e. my
syslog files would be named e.g. NOTICE.log when using $HOST.log for the
filename). Using the bad_hostname() option, as described below, solved
the problem. However, the question this is all leading to is this: When
a hostname is matched by the bad_hostname option, what mechanism does
syslog-ng use to establish a new name?

Best regards,

-----Original Message-----
From: Balazs Scheidler [mailto:bazsi@balabit.hu]
Sent: 7. maj 2003 13:54
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]syslog-ng blanks in Servicename

On Wed, May 07, 2003 at 12:25:28PM +0200, Unger, Christian wrote:
> >On Wed, Apr 30, 2003 at 12:22:34PM +0200, Unger, Christian wrote:
> >> I log a lot of information via NT-Syslog to syslog-ng. Windows 2000
> >> has some services with a blank in the Servicename. ex: NTDS ISAM
> >>
> >> the log entry from syslog-ng seems as follows:
> >> Apr 15 15:42:33 ntds isam[info] 700  NTDS (268) Online
> >> defragmentation is beginning a full pass on database
> >> 'C:\WINNT\NTDS\ntds.dit'.
> >>
> >> NTDS is NOT my hostname, that's the problem!
> >>
> >> I think that the problem is in the RFC. But I don't read it. ( no time
> >> :[ )
> >>
> >> is there an easy escape? or will the next version of syslog-ng have
> >> an escape?
> >
> >try check_hostname(yes)
> >
> ----
> check_hostnames(yes) doesn't help.
> I checked some information with tcpdump. And I found a very interesting
> handling. Syslog-ng is able to handle hostnames in syslog datagrams;
> the delimiter between hostname and service name seems to be a space.
> So if I have spaces in the service name syslog-ng thinks that the first
> word must be the hostname, but that's wrong. What can I do now?

sorry, check_hostname() is meant for cases when the word seeming to be a
hostname contains invalid characters (like '%'). The problem is that
there is no way to distinguish between a hostname and a programname
containing a space. The workaround I implemented was the bad_hostname()
option, which contains a regular expression which covers bad hostnames.
E.g. if you have a program that sends messages like:

Apr 28 15:13:54 snmp ctld[12345]: message

And "snmp ctld" is the program name, then you can use bad_hostname() to
make syslog-ng think that "snmp" itself is a bad hostname. (of course
this will not work if you really have a host named snmp)

options { bad_hostname("snmp"); };

bad_hostname() accepts an extended regular expression so you can list
several bad hostnames like this:

options { bad_hostname("snmp|iis|foo|bar"); };

_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
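A small parser, added here as an illustration and not syslog-ng's own code, that models the ambiguity discussed in the thread: the first word after the timestamp is taken as the host unless it matches a bad_hostname-style regex, in which case it is folded into the program name. The fallback host (the sender address passed in by the caller) and the anchored pattern are assumptions of this model, not documented syslog-ng behaviour; the sample lines are constructed copies of the ones quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional, Pattern

# Constructed sample lines based on the ones quoted in the thread
# (the NT-Syslog line is shortened to the fields that matter here).
SAMPLE_LINES = [
    "Apr 28 15:13:54 snmp ctld[12345]: message",
    "Apr 15 15:42:33 ntds isam[info] 700  NTDS (268) Online defragmentation",
    "Apr 28 15:14:02 webhost sshd[987]: Accepted publickey for alice",
]

# Model of  options { bad_hostname("snmp|iis|ntds"); };  (constructed list).
# Anchored here so "snmp" does not also swallow a real host called "snmpgw";
# check how your syslog-ng version applies the pattern before relying on that.
BAD_HOSTNAME = re.compile(r"^(snmp|iis|ntds)$")

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# Program name runs up to the first '[' or ':'; pid/level in brackets is optional.
PROGRAM = re.compile(r"^(?P<program>[^\[:]+)(?:\[(?P<pid>[^\]]*)\])?:?\s*(?P<rest>.*)$")


@dataclass
class Parsed:
    host: str
    program: str
    pid: Optional[str]
    message: str
    host_from_sender: bool  # True when the first word was rejected as a hostname


def parse(line: str, sender: str,
          bad_hostname: Optional[Pattern[str]] = BAD_HOSTNAME) -> Parsed:
    """Split a BSD-style syslog line; 'sender' is the datagram's source address."""
    ts = TIMESTAMP.match(line)
    if not ts:
        raise ValueError(f"no BSD timestamp: {line!r}")
    body = line[ts.end():]
    first, _, remainder = body.partition(" ")
    if bad_hostname is not None and bad_hostname.match(first):
        # Deny-listed word: keep it in the program name, fall back to the sender.
        host, from_sender = sender, True
    else:
        host, body, from_sender = first, remainder, False
    m = PROGRAM.match(body)
    if not m:
        raise ValueError(f"cannot find program name in: {body!r}")
    return Parsed(host, m.group("program").strip(), m.group("pid"),
                  m.group("rest"), from_sender)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse(line, "10.0.0.5"))          # with the deny-list
        print(parse(line, "10.0.0.5", None))    # plain first-word-is-host rule
```

Running it shows the "snmp ctld" and "ntds isam" lines parsed with the space-containing program name intact, and the same lines misparsed (host "snmp", host "ntds") when the deny-list is switched off.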