[syslog-ng] syslog-ng incorrectly parsing some messages
Nate Campi
nate at campin.net
Tue Nov 8 05:21:21 CET 2005
On Mon, Nov 07, 2005 at 09:45:15PM -0500, Crayola wrote:
>
> I have noticed in my syslog-ng database (mysql) that there are
> many entries like these. (two separate rows)
>
> This is the original syslog messages that the Solaris 9 client
> logs to its logs.
>
> Nov 5 22:37:20 lefou scsi: [ID 365881 kern.info] /sbus at a,0/QLGC,isp at 1,10000
> (isp1):
> Nov 5 22:37:20 lefou Firmware Version: v1.37.5, Customer: 15, Product: 0

This problem is fully explained here:

http://www.campin.net/syslog-ng/syslog.html

It's because when syslog-ng sees it, Solaris has left off the hostname.
It looks like this (I made up the PRI value, in case anyone is
wondering):

<13>Nov 5 22:37:20 Firmware Version: v1.37.5, Customer: 15, Product: 0

...and syslog-ng sees a completely valid message with a hostname
"Firmware" and a program name "Version:". This happens to everyone who
uses Solaris syslogd clients sooner or later, and it is exactly the
reason that the bad_hostname() option was created.

This means that you can do one of two things:

1. replace Solaris syslogd with syslog-ng (easy if you run something
like cfengine to automate the installs, hard if not, and it might cause
problems with vendor support)

2. put this in your config file:

options {
    bad_hostname("Firmware");
    # ...whatever else...
};

The example Solaris syslog-ng config file has bad_hostname() in it:

http://www.campin.net/syslog-ng/solaris-conf.txt

--
Nate
"A C program is like a fast dance on a newly waxed dance floor by people
carrying razors." - Waldi Ravens.
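
Added example (not part of the original post and not syslog-ng's code): a simplified Python model of the header parsing described above, showing the hostless line being stored under host "Firmware" and a bad_hostname-style pattern preventing that. The fallback to the sender's name, the helper names parse and unknown_hosts, and the sample wire lines are assumptions made for illustration.

```python
import re

# Simplified model of BSD-syslog header parsing, written for this example;
# it is not syslog-ng's parser and handles only "<PRI>Mmm d hh:mm:ss ..." lines.
HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (.*)$")
PROGRAM = re.compile(r"^([^\s:\[]+)(?:\[\d+\])?: ?(.*)$")


def parse(line, sender, bad_hostname=None):
    """Split a line into fields; `sender` stands in for the peer's name."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not a BSD syslog line: %r" % line)
    pri, timestamp, rest = int(m.group(1)), m.group(2), m.group(3)
    token, _, remainder = rest.partition(" ")
    if bad_hostname and re.search(bad_hostname, token):
        # Assumed behaviour: a token matching bad_hostname is message text,
        # so the host falls back to the sending peer.
        host, body = sender, rest
    else:
        host, body = token, remainder
    p = PROGRAM.match(body)
    program, message = (p.group(1), p.group(2)) if p else (None, body)
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": timestamp,
            "host": host, "program": program, "message": message}


def unknown_hosts(lines, sender, inventory, bad_hostname=None):
    """Hosts that parsing produced but the inventory does not contain."""
    hosts = {parse(l, sender, bad_hostname)["host"] for l in lines}
    return sorted(hosts - set(inventory))


# Constructed wire lines; the PRI value is made up, as in the post.
SAMPLE = [
    "<13>Nov 5 22:37:20 lefou scsi: [ID 365881 kern.info] (isp1):",
    "<13>Nov 5 22:37:20 Firmware Version: v1.37.5, Customer: 15, Product: 0",
]

if __name__ == "__main__":
    for pattern in (None, "^Firmware$"):
        print(pattern, unknown_hosts(SAMPLE, "lefou", ["lefou"], pattern))
```

Running unknown_hosts over stored lines against a host inventory is one way to find the words that need a bad_hostname() pattern.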