[syslog-ng] bugreport for 1.9.5 on solaris

Roberto Nibali ratz at drugphish.ch
Sat Oct 8 01:53:06 CEST 2005

>> When skimming through the old code I extract that the regexp will be 
>> applied to all hostnames matching in a log message. Dumb question: 
>> what's the use case of this and why isn't there a general regexp function?
> It's for solaris-style network messages that leave out the hostname, but
> then send a badly formatted message (I know this is from a Linux host
> but bear with me):
>  <13>Oct  7 14:03:28 device eth0 entered promiscuous mode
> The above message should be easy to figure out that there's no hostname
> because the second field doesn't have a colon like a message from
> postfix would have (I'm just arbitrarily assigning 13 as the PRI):
>  <13>Oct  7 14:22:56 postfix/smtpd[9753]: lost connection after RCPT
>  from 1Cust4795.an3.chi30.da.uu.net[]
> But what happens if you have a program name on a solaris host that has a
> space in it?
>  <13>Oct  7 14:22:56 ctld 8.9[123]: this is a dumb message
> ...then syslog-ng will assume that the hostname is ctld - when that's
> not right, the program name is "ctld 8.9". Using bad_hostnames() we can
> tell syslog-ng which strings our site sends that really aren't
> hostnames.

This should be in the man page ;). So how do you set bad_hostname in 
your example? bad_hostname("ctld")? But in this case you better not have 
a host named ctld.

> Simple as that. Comes in handy at every site for things like "last
> message repeated xx times", I'd imagine. When you use the $HOST macro
> this becomes critical to avoid using the wrong hostnames.

I need to check out how we do the syslog configuration for our customers.

> Make sense?

Thanks, Nate. Yes it does, but does it handle all possible cases? Maybe 
the Pareto principle applies ...

Thanks and regards,
Roberto Nibali, ratz
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc

More information about the syslog-ng mailing list