[syslog-ng] bugreport for 1.9.5 on solaris
Roberto Nibali
ratz at drugphish.ch
Sat Oct 8 01:53:06 CEST 2005
>> When skimming through the old code I extract that the regexp will be
>> applied to all hostnames matching in a log message. Dumb question:
>> what's the use case of this and why isn't there a general regexp function?
>
> It's for solaris-style network messages that leave out the hostname, but
> then send a badly formatted message (I know this is from a Linux host
> but bear with me):
>
> <13>Oct 7 14:03:28 device eth0 entered promiscuous mode
>
> The above message should be easy to figure out that there's no hostname
> because the second field doesn't have a colon like a message from
> postfix would have (I'm just arbitrarily assigning 13 as the PRI):
>
> <13>Oct 7 14:22:56 postfix/smtpd[9753]: lost connection after RCPT
> from 1Cust4795.an3.chi30.da.uu.net[63.26.50.187]
>
> But what happens if you have a program name on a solaris host that has a
> space in it?
>
> <13>Oct 7 14:22:56 ctld 8.9[123]: this is a dumb message
>
> ...then syslog-ng will assume that the hostname is ctld - when that's
> not right, the program name is "ctld 8.9". Using bad_hostnames() we can
> tell syslog-ng which strings our site sends that really aren't
> hostnames.
This should be in the man page ;). So how do you set bad_hostname in
your example? bad_hostname("ctld")? But in this case you'd better not have
a host named ctld.
> Simple as that. Comes in handy at every site for things like "last
> message repeated xx times", I'd imagine. When you use the $HOST macro
> this becomes critical to avoid using the wrong hostnames.
I need to check out how we do the syslog configuration for our customers.
> Make sense?
Thanks, Nate. Yes it does, but does it handle all possible cases? Maybe
the Pareto principle applies ...
Thanks and regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
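The hostname ambiguity discussed in this thread, as an added example that is not part of the original message and is not syslog-ng's own code: a simplified Python model of legacy syslog header parsing. The `parse()` and `compare()` functions and the `bad_hostname` parameter are hypothetical names; the first three sample lines are adapted from the thread and the fourth is constructed.

```python
import re

# Simplified model of legacy BSD-syslog header parsing (NOT syslog-ng's parser).
HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (.*)$")

def parse(line, bad_hostname=None):
    """Return (host, program, message); host is None when judged absent.

    bad_hostname is a hypothetical parameter modelling the option discussed
    in the thread: a regexp naming tokens that are never hostnames.
    """
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not a legacy syslog line: %r" % line)
    rest = m.group(3)
    first, _, remainder = rest.partition(" ")
    is_tag = first.endswith(":")            # "postfix/smtpd[9753]:" is a program tag
    rejected = bool(bad_hostname and re.search(bad_hostname, first))
    if is_tag or rejected or not remainder:
        host, body = None, rest             # sender left the hostname out
    else:
        host, body = first, remainder
    tag, sep, msg = body.partition(": ")
    if not sep:
        return host, None, body             # no program tag at all
    return host, re.sub(r"\[\d+\]$", "", tag), msg

# First three lines are adapted from the thread; the last is constructed to show
# the collision raised in the reply (a real host that is named "ctld").
SAMPLES = [
    "<13>Oct 7 14:03:28 device eth0 entered promiscuous mode",
    "<13>Oct 7 14:22:56 postfix/smtpd[9753]: lost connection after RCPT",
    "<13>Oct 7 14:22:56 ctld 8.9[123]: this is a dumb message",
    "<13>Oct 7 14:22:56 ctld sshd[42]: session opened",
]

def compare(pattern=r"^(ctld|device)$"):
    """Pair each sample's parse without and with the bad-hostname pattern."""
    return [(parse(s), parse(s, pattern)) for s in SAMPLES]

if __name__ == "__main__":
    for line, (plain, filtered) in zip(SAMPLES, compare()):
        print(line)
        print("  default      host=%r program=%r" % plain[:2])
        print("  bad_hostname host=%r program=%r" % filtered[:2])
```

In this model the fourth sample loses its host attribution once the pattern is applied, which is the collision the reply points out for a real host named ctld.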