[syslog-ng] weird "program name:" shortening to just "name:"
Balazs Scheidler
bazsi at balabit.hu
Thu Jul 3 14:15:30 CEST 2008
On Thu, 2008-07-03 at 10:53 +0100, Hari Sekhon wrote:
> Hi,
>
> I've just noticed something very odd in syslog-ng. It shortens the
> program name without my consent.
>
> When I try something like this:
>
> logger -t 'Oracle Test Version' testing
>
> I get in the logs:
>
> Jul 3 10:37:08 hostname Version: testing
>
> so it has reduced 'Oracle Test Version' to just 'Version' without my
> permission...
>
> I've done this same test on another server using the classic version of
> syslog and it works as expected:
>
> Jul 3 10:49:06 hostname2 Oracle Test Version: testing
>
> I have verified this looks broken across 2 syslog-ng servers and my
> workstation, but I have no idea why. Does syslog-ng have some specific
> reason for mangling this? Is there a workaround? (other than just
> changing to Oracle_Test_Version which I have verified works since it's
> one word)
the grammar of the syslog line format is ambigious. if you have a space
in your application name it is not possible to determine which is the
hostname and which is the application name.
This is a full log message:
Jul 3 10:49:06 hostname2 Oracle: testing
However some syslogds omit the 'hostname2' part, when it becomes:
Jul 3 10:49:06 Oracle: testing
This has to be properly recognized. However given your example of adding
a space:
Jul 3 10:49:06 Oracle Test: testing
This might be interpreted two ways:
* a message which came from a host named 'Oracle' and an application
called 'Test'
* a message which came from a syslogd which did not supply the
hostname, the application called 'Oracle Test'
For this very reason syslog-ng supports a regexp called as
"bad_hostnames()". If you specify a regexp that matches known
applications that put space in their name, syslog-ng will properly
recognize the application.
E.g. specify bad_hostnames("^Oracle") in your global options.
--
Bazsi
More information about the syslog-ng
mailing list