[syslog-ng] Upper case $HOST
Pallagi Zoltán
pzolee at balabit.hu
Mon Nov 9 11:49:02 CET 2009
Hi,
Tim Boyer wrote:
> Balazs Scheidler wrote:
>
>> On Wed, 2009-11-04 at 15:05 -0500, Tim Boyer wrote:
>>
>>> I'm running syslog-ng 3.03 on a RHEL5 system, sending logs to various files
>>> like so:
>>>
>>> # global log files
>>> destination deservers {
>>> file("/var/log/$HOST.log" owner(root) group(hobbit) perm(0640));
>>> };
>>>
>>> It's working fine on the Linux boxes. But I'm using Adiscon's EventLog on
>>> my Windows machines, and the $HOST name on them are coming up in all caps.
>>>
>>> [root at buran log]# ls -la /var/log/*.log
>>>
>>> ...
>>> -rw-r----- 1 root hobbit 282 Nov 4 14:37 /var/log/KANTECH.log
>>> -rw-r----- 1 root hobbit 535181 Nov 4 14:24 /var/log/PLCDATA.log
>>>
>>> Where's this $HOST macro get its data from? The DNS entry is lower case;
>>> the full computer name on the Windows box is lower case. I don't see where
>>> the upper is coming from, unless it's one of those weird Windows-to-Unix
>>> translation things.
>>>
>>> Not a big deal, but a bit of an annoyance. Thanks for any help.
>>>
>>>
>> I guess the client is sending the hostname in all caps, you can confirm
>> it with tcpdump.
>>
>> You can force lowercase hostnames using the option:
>>
>> normalize-hostnames(yes)
>>
>>
>
> Balazs -
>
> Looks like I spoke too soon. Something odd is happening.
>
> I put the option into the conf file:
>
> @version: 3.0
> #
> # global options
> #
>
> options {
> normalize_hostnames(yes);
> use_fqdn(no);
> use_dns(yes);
> dns_cache(yes);
> keep_hostname(yes);
> long_hostnames(off);
> create_dirs(yes);
> }
>
>
You should not use "keep_hostname" in the global options, because
it will block rewriting of the hostname (see the syslog-ng admin
guide:
http://www.balabit.hu/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s09.html).
If you really need it, use this option in every source where you need it.
> and restarted last night. I deleted all of the upper-case log files.
>
> One worked - I've got this file:
>
> -rw-r----- 1 root hobbit 4048 Nov 6 06:13 plcdata.log
>
> but I've also got this from the same machine:
>
> -rw-r----- 1 root hobbit 4395 Nov 6 06:51 PLCDATA.log
>
> and this one hasn't changed at all:
>
> -rw-r----- 1 root hobbit 36847 Nov 6 06:56 Antivirus-2008.log
>
>
>
>
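
A check for the symptom reported in this thread, added here as an example and not part of the original messages: it groups per-host log files by lower-cased host name and reports hosts whose events are split across case variants or whose file name was never normalized. The function name `find_case_splits` is hypothetical, and the sample assumes the `/var/log/$HOST.log` layout from the destination quoted above.

```python
from collections import defaultdict
from pathlib import PurePosixPath


def find_case_splits(paths, suffix=".log"):
    """Map lower-cased host -> sorted file names that still need attention.

    A host is reported when its events are split across several case
    variants (PLCDATA.log and plcdata.log) or when its only file is not
    lower case, i.e. hostname normalization did not apply to it.
    """
    variants = defaultdict(set)
    for path in paths:
        name = PurePosixPath(path).name
        if not name.endswith(suffix):
            continue  # not a per-host file in this layout
        host = name[: -len(suffix)]
        variants[host.lower()].add(name)

    report = {}
    for host, names in variants.items():
        if len(names) > 1 or names != {host + suffix}:
            report[host] = sorted(names)
    return report


# Constructed sample: file names taken from the listings in the thread,
# plus one already-normalized file (buran.log) made up for contrast.
SAMPLE = [
    "/var/log/plcdata.log",
    "/var/log/PLCDATA.log",
    "/var/log/Antivirus-2008.log",
    "/var/log/buran.log",
]

if __name__ == "__main__":
    for host, names in sorted(find_case_splits(SAMPLE).items()):
        status = "split across" if len(names) > 1 else "not normalized:"
        print(f"{host}: {status} {', '.join(names)}")
```

On the log server, pass it the result of `glob.glob("/var/log/*.log")` after each configuration change; an empty result means every per-host file is lower case and unsplit.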