[syslog-ng]Issue with syslog-ng and process-names with spaces
Balazs Scheidler
syslog-ng@lists.balabit.hu
Mon, 17 May 2004 10:05:11 +0200
On Mon, 2004-05-17 at 07:14, Jason Haar wrote:
> Hi there
>
> I don't know if this is a bug with syslog-ng-1.6.4 or NTsyslog (which
> generated the syslog record), but we have a problem with records generated
> by some NT applications showing up "corrupted" within syslog-ng.
>
> Namely it thinks the hostname is the process name.
>
> However, looking with a sniffer shows what is really going on:
>
> NTSyslog records generally look like:
>
> <(facility tag)>May 17 14:22:22 security[success] blah blah
>
> and syslog-ng records that as
>
> timestamp PTR-record security[success] blah blah
>
>
> However, what if the process name has spaces in it? It looks like
>
> <(facility tag)>May 17 14:22:22 trend user alert micro scanmail for microsoft \
> exchange[warning]: (msg)
>
> syslog-ng records that as
>
> timestamp trend user alert micro scanmail...
>
>
> I think syslog-ng is looking at the first word as the process name, and if
> it doesn't "look like a process name", then it assumes it must be the
> hostname?
Yes, exactly. When there are two words before the first '[' or ':', it
assumes the first is the hostname and the second is the program name. The
program name may not contain spaces per RFC3164.

There are the bad_hostnames() and check_hostname() options, which might
help, provided there are no hosts containing the substring 'trend':

options { bad_hostnames("^trend$"); };
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
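
The host-attribution behaviour discussed in this thread, as an added example that is not part of the original messages and is not syslog-ng source code: a simplified Python model of the heuristic and of a bad_hostnames-style exclusion. The function name, the `sender` argument and the sample records are assumptions constructed for illustration.

```python
import re

# Constructed sample records shaped like the ones quoted in the thread;
# the <PRI> values and the sender name are made up for this example.
SIMPLE = "<110>May 17 14:22:22 security[success] blah blah"
SPACED = ("<108>May 17 14:22:22 trend user alert micro scanmail "
          "for microsoft exchange[warning]: (msg)")
SENDER = "exch01.example.com"

# <PRI>, BSD-style timestamp, then everything else.
HEADER = re.compile(r"<\d+>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (.*)", re.S)


def attribute_host(record, sender, bad_hostnames=None):
    """Return (host, remainder) under a simplified model of the heuristic.

    sender        -- hypothetical stand-in for the PTR name of the source address
    bad_hostnames -- regex for words that must never be accepted as a hostname
    """
    m = HEADER.fullmatch(record)
    if m is None:
        return sender, record
    rest = m.group(2)
    delim = re.search(r"[\[:]", rest)
    # Words in front of the first '[' or ':' are the host/program candidates.
    words = rest[:delim.start()].split() if delim else []
    if len(words) < 2:
        # Only a program name is present: the host comes from the sender.
        return sender, rest
    candidate = words[0]
    if bad_hostnames and re.search(bad_hostnames, candidate):
        # Rejected word stays in the record instead of becoming the host.
        return sender, rest
    return candidate, rest[len(candidate) + 1:]


if __name__ == "__main__":
    for rec, pattern in ((SIMPLE, None), (SPACED, None), (SPACED, "^trend$")):
        host, remainder = attribute_host(rec, SENDER, pattern)
        print(f"bad_hostnames={pattern!r:10} host={host!r} rest={remainder!r}")
```

Without the exclusion, the second record is attributed to a host named "trend", so any filter or report keyed on the host field loses the real sender.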