[syslog-ng] Issue with syslog-ng and process-names with spaces

Jason Haar syslog-ng@lists.balabit.hu
Mon, 17 May 2004 17:14:49 +1200


Hi there

I don't know if this is a bug with syslog-ng-1.6.4 or NTsyslog (which
generated the syslog record), but we have a problem with records generated
by some NT applications showing up "corrupted" within syslog-ng. 

Namely it thinks the hostname is the process name.

However, looking with a sniffer shows what is really going on:

NTSyslog records generally look like:

<(facility tag)>May 17 14:22:22 security[success] blah blah

and syslog-ng records that as

timestamp PTR-record security[success] blah blah


However, what if the process name has spaces in it? It looks like

<(facility tag)>May 17 14:22:22 trend user alert micro scanmail for microsoft \
 exchange[warning]: (msg)

syslog-ng records that as

timestamp trend user alert micro scanmail...


I think syslog-ng is looking at the first word as the process name, and if
it doesn't "look like a process name", then it assumes it must be the
hostname?

Config is:

options { use_dns(yes);
          use_fqdn(yes);
          dns_cache(no);
          time_reopen(10);
          keep_hostname(no);
          use_time_recvd(yes);
          log_fifo_size(100);
          mark(0);
          stats(0);
          sync(5);
        };
		     
Does that sound correct, and is there something I can do to stop it? 

Thanks

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
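
Added illustration, not part of the original post and not syslog-ng's code: a simplified model of the header heuristic the post guesses at, run on the two record shapes it describes, with a check that flags records whose header hostname disagrees with the sending peer. The PRI values, the peer name and all function names are assumptions made for the example.

```python
import re

# Simplified model of a BSD-syslog (RFC 3164 style) header parser.
# Assumption: this is NOT syslog-ng's source, only the heuristic the post guesses at.
HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$")
TAG_WORD = re.compile(r"[^\[\]\s]+\[[^\]]*\]:?")   # e.g. security[success]


def looks_like_tag(word):
    """A word is taken as the program tag if it ends in ':' or has a [..] suffix."""
    return word.endswith(":") or TAG_WORD.fullmatch(word) is not None


def parse(line, peer):
    """Parse one datagram; `peer` is the sender name resolved from the socket."""
    m = HEADER.match(line)
    if m is None:
        return {"host": peer, "program": None, "msg": line, "suspect": True}
    first, _, tail = m.group(3).partition(" ")
    if looks_like_tag(first):
        # Sender omitted the hostname: fall back to the peer name.
        host, tagword, msg = peer, first, tail
    else:
        # First word does not look like a tag, so it is consumed as the hostname.
        host = first
        tagword, _, msg = tail.partition(" ")
    program = re.split(r"[\[:]", tagword, maxsplit=1)[0]
    # Defender's check: a header hostname that disagrees with the peer is suspect.
    return {"host": host, "program": program, "msg": msg, "suspect": host != peer}


# Constructed samples shaped like the two records in the post; the PRI values
# and the peer name are made up for the example.
PEER = "exch01.example.com"
SAMPLES = [
    "<13>May 17 14:22:22 security[success] blah blah",
    "<12>May 17 14:22:22 trend user alert micro scanmail for microsoft "
    "exchange[warning]: (msg)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse(s, PEER))
```

In this model the single-word tag keeps the peer as host, while the spaced process name loses its first word to the host field and its second to the program field.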