[syslog-ng] Logging to dirs with $HOST gives me strange results

Balazs Scheidler bazsi at balabit.hu
Tue Apr 15 17:50:03 CEST 2008 

The format of the log message is not very definite with BSD syslog,
therefore syslog-ng uses some heuristics.

If the sending IP address is always accurate, you can ask syslog-ng to
use that instead by using keep_hostname(no)


On Mon, 2008-04-14 at 11:51 +0200, Markus Strangl wrote:
> Hi syslog-ng users,
> 
> I'm running a central syslog-ng 2.0.6 server with a rather simple ruleset, 
> just to collect copies of the
> syslogs from a bunch of machines. They are running Solaris 9 and 10, with 
> the onboard syslog,
> forwarding with syslog.conf "*.alert    @logso01".
> 
> Syslog-NG's logging targets are set up like that:
> source net { udp(); };
> destination messages { file("/logs/$HOST/messages"); };
> log { source(net); filter(f_high); destination(messages); };
> 
> Options are set to use the /etc/hosts file, and all hosts are listed 
> there.
> In theory, this should give me one directory for each hosts that's 
> forwarding its log messages.
> 
> However, in practice, I get quite a lot of useless directories as well, 
> that don't match any real host.
> root at logso01:/logs>ls
> \"/            \011Corrupt/   \011PLOGI/     \011SONY_AIT/  \011got/ 
> \011offline/ 
> \011/          \011Error/     \011SCSI/      \011failed/    \011i/ 
> \011transport/ 
> (C)             SC              admso01-qfs     archso03-mgm    nrgdev   
> nrgstg          jumpso01-qfs    testso01
> nrgso01  US              archso01-mgm    archsrv-qfs     nrgprod1-qfs 
> epldev          logso01         testso02-qfs
> All             Use             archso01-xfcu   by nrgprod2-qfs    for    
> prodso01-mgm
> IBM             Use,            archso02-mgm    cutapsrv nrgprod3-qfs 
> gconfd          stgaoma
> Licensed        Version         archso02-xfcu   delso01-sn nrgso01-qfs 
> ddpso01-qfs     svnso01-mgm
> 
> It looks like under some condition, syslog-ng doesn't use the source 
> hostname for the $HOST
> config directrive, but the first word of the log message. Is this a 
> (known?) bug, or is there any way
> to circumvent that behaviour? Please advise.
> 
> Yours
>         Markus
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
> 
-- 
Bazsi

More information about the syslog-ng mailing list