[syslog-ng] bugreport for 1.9.5 on solaris

Nate Campi nate at campin.net
Fri Oct 7 23:26:59 CEST 2005


On Sat, Oct 08, 2005 at 01:17:59AM +0200, Roberto Nibali wrote:
> >The other thing is that "bad_hostname()" isn't implemented in 1.9.5, but
> >I'm sure you already knew that. The 2.0 reference guide lists this as a
> >supported option though. Just FYI.
> 
> I feel a bit stupid, but what exactly does this do? Reading the docs it 
> says:
> 
> "A regexp which matches hostnames which should not be taken as such."
> 
> Reading the NEWS entry of 1.6.8, I learn:
> 
>      * Added bad_hostname() feature where the administrator can specify
>        a regular expression to match bad hostnames, works around bad
>        programs such as ctld which uses a space within its program name.
> 
> When skimming through the old code I extract that the regexp will be 
> applied to all hostnames matching in a log message. Dumb question: 
> what's the use case of this and why isn't there a general regexp function?

It's for Solaris-style network messages that leave out the hostname, but
then send a badly formatted message (I know this is from a Linux host
but bear with me):

 <13>Oct  7 14:03:28 device eth0 entered promiscuous mode

The above message should be easy to figure out that there's no hostname
because the second field doesn't have a colon like a message from
postfix would have (I'm just arbitrarily assigning 13 as the PRI):

 <13>Oct  7 14:22:56 postfix/smtpd[9753]: lost connection after RCPT
 from 1Cust4795.an3.chi30.da.uu.net[63.26.50.187]

But what happens if you have a program name on a Solaris host that has a
space in it?

 <13>Oct  7 14:22:56 ctld 8.9[123]: this is a dumb message

...then syslog-ng will assume that the hostname is ctld - when that's
not right, the program name is "ctld 8.9". Using bad_hostnames() we can
tell syslog-ng which strings our site sends that really aren't
hostnames.

Simple as that. Comes in handy at every site for things like "last
message repeated xx times", I'd imagine. When you use the $HOST macro
this becomes critical to avoid using the wrong hostnames.

Make sense?
-- 
Nate

There is no reason for any individual to have a computer in their home.
   --Ken Olson, President of DEC, World Future Society Convention, 1977
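
Added example (not part of the original post and not syslog-ng's own code): a simplified Python model of the hostname guess described above, showing how a bad_hostname-style regexp changes the host assigned to the ctld and "last message repeated" cases. The parse() function, the sender address 192.0.2.10, the regexp value and the third sample line are assumptions constructed for illustration.

```python
import re

# Simplified model of legacy BSD-syslog header parsing (an assumption for
# illustration; syslog-ng's real parser is more involved).
HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$", re.S)

def parse(line, sender, bad_hostname=None):
    """Return (host, program, message); `sender` is the peer address used
    as the host when the message itself carries no usable hostname."""
    m = HEADER.match(line)
    if not m:
        return sender, None, line
    rest = m.group(3)
    first, _, tail = rest.partition(" ")
    # A first token ending in ':' is a program tag, so no hostname was sent.
    is_tag = first.endswith(":")
    is_bad = bool(bad_hostname) and re.search(bad_hostname, first) is not None
    if is_tag or is_bad:
        host, body = sender, rest
    else:
        host, body = first, tail
    tag, sep, msg = body.partition(": ")
    if not sep:
        return host, None, body
    return host, tag.split("[", 1)[0], msg

# Sample lines: the first two are from the post (the first shortened),
# the third is constructed.
SAMPLES = [
    "<13>Oct  7 14:22:56 postfix/smtpd[9753]: lost connection after RCPT",
    "<13>Oct  7 14:22:56 ctld 8.9[123]: this is a dumb message",
    "<13>Oct  7 14:23:01 last message repeated 3 times",
]
SENDER = "192.0.2.10"            # constructed peer address
BAD = r"^(ctld|last)$"           # site-specific bad_hostname-style regexp

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse(s, SENDER)[:2], "->", parse(s, SENDER, BAD)[:2])
```

Without the regexp, the model files the second and third lines under the hosts "ctld" and "last"; any destination or filter keyed on $HOST would then attribute those events to machines that do not exist.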


