[syslog-ng] Irregular Behaviour With Snare Agent (syslog-ng or Snare?)

wiskbroom at hotmail.com wiskbroom at hotmail.com
Tue May 13 21:35:17 CEST 2008


I've modified Snare's config to not enable syslog headers, and now my logs are going into a newly created directory, same as all others.  The only difference now is that the hostname/domainname used before is not the same as what was previously being used.  The former was dictated by the log's entry; the new one uses DNS to resolve.


From: wiskbroom at hotmail.com
To: syslog-ng at lists.balabit.hu
Date: Tue, 13 May 2008 10:48:31 -0400
Subject: [syslog-ng] Irregular Behaviour With Snare Agent (syslog-ng or Snare?)


I currently have syslog-ng.conf set up to place data into logs in the following way:


When the logs are created, they are placed under:


The contents for the hostname field in logs from samba-1 look like this:

May 13 10:32:55 samba-1.mynet.org/samba-1.mynet.org

Because of the double entry in syslog, all looks fine and logs are stored in nice neat folders named after the host that sent them, great.

I have however a few MS Wintel servers that I am using Snare for sending syslog data to, and their logs look like:

May 13 10:36:15 samba-2.mynet.org MSWinEventLog 1       Security

As you can see, the logs from this host do not contain the hostname twice, therefore logs for this host are stored as:


I can create a rule like /var/log/MyHosts/SambaServers/$FULLHOST/$FULLHOST.log for just these hosts, but that will not solve my problem long term, especially as I am considering implementing Snare site-wide.

Could someone please advise as to whether there is an easy fix for this, or should I cease using Snare?

Thanks in advance,
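The behaviour described in the thread, modelled as a small added example (not code from the poster, from syslog-ng, or from Snare): a receiver that takes the hostname from the BSD-syslog header when one is present and otherwise falls back to the sender's reverse-DNS name, then expands the `$FULLHOST` file template quoted above. The regex, the reverse-DNS table, the sender addresses and the sample lines are all constructed for the example; syslog-ng's real parser handles many more cases than the two line shapes quoted in the post.

```python
import re

# Constructed model of how a receiver decides the value it files a message
# under.  Only the two line shapes quoted in the post are covered.

# BSD syslog header without PRI: "Mon DD HH:MM:SS HOSTNAME <message>".
# Assumption: the hostname is a single whitespace-free token.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

# Constructed reverse-DNS table standing in for the resolver (assumption);
# the addresses are documentation-range placeholders.
REVERSE_DNS = {
    "192.0.2.10": "samba-1.mynet.org",
    "192.0.2.20": "samba-2.mynet.org",
}

# The destination template quoted in the post.
TEMPLATE = "/var/log/MyHosts/SambaServers/$FULLHOST/$FULLHOST.log"


def header_hostname(line):
    """Hostname field of a BSD-syslog line, or None when the line has no header."""
    m = HEADER_RE.match(line)
    return m.group("host") if m else None


def fullhost(line, sender_ip):
    """Value the message is filed under: the header's hostname if present,
    otherwise the sender's reverse-DNS name (the fallback the poster sees once
    Snare's syslog header is switched off).  Unresolvable senders keep the IP."""
    host = header_hostname(line)
    if host is not None:
        return host
    return REVERSE_DNS.get(sender_ip, sender_ip)


def expand(template, macros):
    """Substitute $NAME macros in a syslog-ng style template string."""
    return re.sub(r"\$([A-Z_]+)", lambda m: macros[m.group(1)], template)


def destination(line, sender_ip):
    """File path the message lands in under the quoted template."""
    return expand(TEMPLATE, {"FULLHOST": fullhost(line, sender_ip)})


# Constructed lines modelled on the ones quoted in the post (tab-separated
# Snare fields).  The second has Snare's syslog header disabled, so no
# timestamp/hostname prefix precedes the event.
SNARE_WITH_HEADER = "May 13 10:36:15 samba-2.mynet.org MSWinEventLog\t1\tSecurity"
SNARE_NO_HEADER = "MSWinEventLog\t1\tSecurity\t4624"
# A hostname field that already contains a "/" (the double entry quoted for
# samba-1) adds an extra directory level once it is expanded into the path.
CHAINED_HEADER = "May 13 10:32:55 samba-1.mynet.org/samba-1.mynet.org smbd: ok"

if __name__ == "__main__":
    for line, ip in [(SNARE_WITH_HEADER, "192.0.2.20"),
                     (SNARE_NO_HEADER, "192.0.2.20"),
                     (CHAINED_HEADER, "192.0.2.10")]:
        print(f"{fullhost(line, ip):45s} -> {destination(line, ip)}")
```

Run with `python3` to see that the header-less Snare line is filed under whatever reverse DNS returns for the sender, while a hostname field containing a slash silently becomes a nested directory under the template.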

