[syslog-ng] Specific log messages have wrong hostname

Jim Hendrick jrhendri at maine.rr.com
Thu Mar 18 13:05:39 CET 2010

Another option could be to use $HOST_FROM. At our site, we used the hostname
as part of the directory path, and we were seeing hostnames that were quite
strange appaering from time to time until we switched to using $HOST_FROM in
the destination path. The problem is that a number of "syslog" messages are
not formatted correctly, so the parser pulls out incorrect portions of the
log message interpreting them as the host name.

The downside is that we end up with directories by IP address instead of
hostname, but the upside is we are no longer dependent on how every
application formats their log messages. 

(Caveat: If you forward messages more than once, you would get the address
of the sending server, not the originating system.)


-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Thursday, March 18, 2010 6:17 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Specific log messages have wrong hostname

On Fri, 2010-03-12 at 13:02 -0500, Christopher Jon Caldwell wrote:
> All of the syslog messages sent by our Solaris servers that contain output
from the service processor are getting the wrong hostname assigned to them -
the log messages get filed under the hostname of the receiving syslog-ng
server. They all share the same process name "SC Alert". The packets look
correctly formed so I am assuming it is the space in the process name. Any
way to fix this without dropping the messages completely using something
like bad_hostname? We are running 2.1.11a Enterprise Edition.

bad_hostname() was invented for this purpose. Or the 3.0.x versions
provide rewrite functionality that lets you fix things like this.


Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html

More information about the syslog-ng mailing list