[syslog-ng] hi all.Why $HOST variable valued "250" , "250-localhost^M" ?

Jim Hendrick jrhendri at maine.rr.com
Tue Dec 1 13:19:38 CET 2009


This is due to log sources (programs generating the events) using the text "fields" in their messages for different things (which syslog-ng can only interpret as the host).

Try $HOST_FROM instead (this results in the name or address of the system from which your syslog-ng box received the messages).

NOTE: this will not preserve the original source (so if you forward through one log server, the second would see the HOST_FROM as the first, not the actual source).

Jim

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of [????]???
Sent: Tuesday, December 01, 2009 2:51 AM
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] hi all.Why $HOST variable valued "250" ,"250-localhost^M" ?

Hi all,
I configured syslog-ng (3) (CentOS 5) to collect logs sent by 1xx syslog
servers (freebsd6). I got two strange dirs:
"250" and "250-localhost^M"

my syslog-ng.conf :
==============================================
source s_udp {
	udp(ip(172.16.18.10) port(514) );
};
destination d_udp_data{
file
("/data3/syslogng/logcollect/$YEAR-$MONTH-$DAY/$HOST/$FACILITY/$PROGRAM.log" 
create_dirs(yes)
template("\n$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC $SOURCEIP $PROGRAM $MSG")
);
};
=================================================
my syslog.conf

!webface.login
*.info                          /var/log/mail/webface/webface-login.log
*.*                       @172.16.18.10

=======================================



[root at localhost 2009-12-01]# pwd
/data3/syslogng/logcollect/2009-12-01
[root at localhost 2009-12-01]# ls
...............
 10.55.2.35  10.55.2.46  10.55.2.57  10.55.2.68  10.55.2.79  10.55.2.90
250 250-localhost^M


[root at localhost 2009-12-01]# ls -R 250
250:
user

250/user:
2.1.0.log
[root at localhost 2009-12-01]# more 250/user/2.1.0.log 
2009-12-01 13:46:12 10.55.2.11 2.1.0 Ok^M 
2009-12-01 13:46:27 10.55.2.11 2.1.0 Ok^M 
........


[root at localhost 2009-12-01]# ls -R 250-localhost^M/
250-localhost^M/:
user

250-localhost^M/user:
250-SIZE^M.log
[root at localhost 2009-12-01]# more 250-localhost^M/user/250-SIZE^M.log 

2009-12-01 14:07:44 10.55.2.128 250-SIZE^M 250-8BITMIME^M 250
ENHANCEDSTATUSCODES^M 



-- 
Wishing you:
        good health and all the best!
________________________________________________________________
Mr. Hunter - 韩友洪     焱龙企鹅                  youhong at staff.sina.com.cn

Sina - Product Division - Mail

MSN: hf_linux at msn.com
Phone: 5392
Mobile: 15001328768
Address: 18th Floor, Ideal International Plaza, 58 North Fourth Ring West Road, Haidian District, Beijing
________________________________________________________________
http://www.sina.com.cn                            You're the One
Sina, Beijing                                Everything starts with you
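
The following is an added example, not part of the original thread and not syslog-ng's own code. It is a simplified model of positional host/program splitting that reproduces the directory and file names listed above, and shows why a hostname syntax check alone does not keep "250" out of the path while keying on the sender address does. The datagrams are constructed (the thread shows only the resulting paths), and the function names and the host `mx35` are hypothetical.

```python
import re

# Constructed datagrams: the thread shows the resulting paths, not the bytes on the wire.
SAMPLES = [
    ("10.55.2.11", "<14>Dec  1 13:46:12 250 2.1.0 Ok\r"),
    ("10.55.2.128", "<14>250-localhost\r 250-SIZE\r 250-8BITMIME\r 250 ENHANCEDSTATUSCODES\r"),
    ("10.55.2.35", "<14>Dec  1 13:46:30 mx35 sendmail[912]: accepted"),
]

PRI = re.compile(r"^<\d{1,3}>")
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def split_fields(datagram):
    """Positional split: first token is host, second is program, rest is the message.
    A simplified model of legacy BSD-syslog parsing, not syslog-ng's parser."""
    body = TIMESTAMP.sub("", PRI.sub("", datagram))
    host, _, rest = body.partition(" ")
    program, _, msg = rest.partition(" ")
    return host, re.split(r"[\[:]", program)[0], msg


def is_plausible_hostname(name):
    """Syntax check only: letters, digits, hyphens and dots, no control characters."""
    return len(name) <= 253 and HOSTNAME.fullmatch(name) is not None


def directory_for(sender_ip, datagram, use_sender=True):
    """Path component for the $HOST slot: the sender address (the role $HOST_FROM
    plays in the reply above), or the parsed token with a fallback to the sender
    when the token fails the syntax check."""
    host, _, _ = split_fields(datagram)
    if use_sender or not is_plausible_hostname(host):
        return sender_ip
    return host


if __name__ == "__main__":
    for ip, dgram in SAMPLES:
        host, program, _ = split_fields(dgram)
        print(repr(host), repr(program), is_plausible_hostname(host),
              directory_for(ip, dgram, use_sender=False), directory_for(ip, dgram))
```

The SMTP status token "250" passes the syntax check because an all-digit label is a legal hostname, so only the sender-address policy keeps it out of the directory tree.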
