[syslog-ng] Irregular Behaviour With Snare Agent (syslog-ng or Snare?)
wiskbroom at hotmail.com
Tue May 13 21:35:17 CEST 2008
FYI
I've modified Snare's config to not enable syslog headers, and now my logs are going into a newly created directory, same as all others. The only difference now is that the hostname/domainname used before is not the same as what was previously being used. The former was dictated by the log's entry, the new one uses DNS to resolve.
.vp
From: wiskbroom at hotmail.com
To: syslog-ng at lists.balabit.hu
Date: Tue, 13 May 2008 10:48:31 -0400
Subject: [syslog-ng] Irregular Behaviour With Snare Agent (syslog-ng or Snare?)
Greetings;
I currently have syslog-ng.conf set up to place data into logs in the following way:
/var/log/MyHosts/SambaServers/$FULLHOST.log
When the logs are created, they are placed under:
/var/log/MyHosts/SambaServers/samba-1.mynet.org/samba-1.mynet.org.log
The contents for the hostname field in logs from samba-1 look like this:
May 13 10:32:55 samba-1.mynet.org/samba-1.mynet.org
Because of the double entry in syslog, all looks fine and logs are stored in nice neat folders named after the host that sent them, great.
I have however a few MS Wintel servers that I am using Snare for sending syslog data to, and their logs look like:
May 13 10:36:15 samba-2.mynet.org MSWinEventLog 1 Security
As you can see, the logs from this host do not contain the hostname twice, therefore logs for this host are stored as:
/var/log/MyHosts/SambaServers/samba-2.mynet.org.log
I can create a rule like /var/log/MyHosts/SambaServers/$FULLHOST/$FULLHOST.log for just these hosts, but that will not solve my problem long term, especially as I am considering implementing Snare site-wide.
Could someone please advise as to whether there is an easy fix for this, or should I cease using Snare?
Thanks in advance,
.vp
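The nested directory in the thread comes from the hostname field of the sender's own syslog header containing a slash, which a `$FULLHOST`-based file template turns into an extra path component; the poster's fix was to stop Snare from emitting that header (syslog-ng's `keep_hostname()` option governs the same choice on the receiving side). The following added illustration is not syslog-ng's or Snare's code: it parses constructed copies of the two message shapes from the thread with a BSD-style header, expands the thread's template, and shows a hostname-syntax check that rejects a header value which would nest directories (the `invalid-hostname` fallback is an assumed placeholder, not a syslog-ng behaviour).

```python
import re

# Constructed sample lines modelled on the two message shapes in the thread:
# one carrying Snare's own header (hostname field with a slash), one without.
SAMPLE_LINES = [
    "May 13 10:32:55 samba-1.mynet.org/samba-1.mynet.org smbd[1234]: connect",
    "May 13 10:36:15 samba-2.mynet.org MSWinEventLog 1 Security 4624 logon",
]

# Destination template as written in the thread (assumed to be the only macro).
TEMPLATE = "/var/log/MyHosts/SambaServers/$FULLHOST.log"

# BSD syslog header: "<Mon dd HH:MM:SS> <hostname> <message>".
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

# RFC 1123 hostname syntax: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen. A "/" can never satisfy this.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def header_host(line):
    """Return the hostname field exactly as the sender wrote it in the header."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    return m.group("host")


def destination_path(fullhost, template=TEMPLATE):
    """Expand $FULLHOST by plain substitution, as a file() template does."""
    return template.replace("$FULLHOST", fullhost)


def safe_fullhost(fullhost):
    """Accept only a syntactically valid hostname; anything else (such as the
    slash-containing value) is replaced by a fixed, non-nesting placeholder."""
    return fullhost if HOSTNAME_RE.match(fullhost) else "invalid-hostname"


def paths_for(lines, sanitize=False):
    """Map each line to the file it would land in, optionally after the check."""
    result = {}
    for line in lines:
        host = header_host(line)
        result[line] = destination_path(safe_fullhost(host) if sanitize else host)
    return result
```

Run `paths_for(SAMPLE_LINES)` to see the first line land under `samba-1.mynet.org/samba-1.mynet.org.log` while the second stays flat; `paths_for(SAMPLE_LINES, sanitize=True)` keeps every file in the intended directory.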