[syslog-ng] pattern naming problems

Peter Czanik czanik at balabit.hu
Thu Oct 14 08:35:01 CEST 2010


Hello,

I ran into an interesting situation. Yesterday I created patterns for
uw-imapd. Today I looked at some log files from courier imapd and found
that this imap implementation also uses "imapd" for $PROGRAM (and
"imapd-ssl" for port 993 connections). "imapd" and "imapd-ssl" messages
looked the same.

So, here is a list of questions:

- how to handle at file/ruleset/etc level when two applications have the
same $PROGRAM
- how to handle when the same application uses different $PROGRAM in
different situations

Also, I took a look at postfix logs, and they look rather ugly:

Oct 13 21:35:29 ubuntu postfix/smtpd[3942]: connect from
czp.localnet[192.168.2.179]
Oct 13 21:35:29 ubuntu postfix/smtpd[3942]: 8434B41C30:
client=czp.localnet[192.168.2.179], sasl_method=PLAIN, sasl_username=czanik
Oct 13 21:35:29 ubuntu postfix/cleanup[3946]: 8434B41C30:
message-id=<4CB609F2.8 at blabla.com>
Oct 13 21:35:29 ubuntu postfix/qmgr[3570]: 8434B41C30:
from=<czanik at blabla.com>, size=619, nrcpt=1 (queue active)
Oct 13 21:35:29 ubuntu postfix/smtpd[3942]: disconnect from
czp.localnet[192.168.2.179]
Oct 13 21:35:50 ubuntu postfix/smtp[3947]: connect to
targetmachine[1.2.3.4]:25: Connection timed out
Oct 13 21:35:50 ubuntu postfix/smtp[3947]: 8434B41C30:
to=<czanik at targetmachine>, relay=none, delay=21, delays=0.02/0.01/21/0,
dsn=4.4.1, status=deferred (connect to targetmachine[1.2.3.4]:25:
Connection timed out)

This is an SMTP authentication, after which delivery of the e-mail to
targetmachine is attempted. There are many different names as $PROGRAM,
and $PID also has many different values. But "8434B41C30" could easily be
used as session identifier for all of this. The question is the same:
how should the pattern name be handled?

Bye,

-- 
Peter Czanik (CzP) <czanik at balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
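As an added illustration of the session-identifier point made in the post (this is not code from the post, from syslog-ng or from its patterndb), the following Python script groups a postfix transaction by the queue ID rather than by $PROGRAM or $PID. The sample log is constructed, modelled on the excerpt above with hosts and addresses replaced by documentation values; the function names and the exact regular expressions are the author's assumptions, not anything syslog-ng ships.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the postfix excerpt in the post (hosts and
# addresses replaced with documentation values); not real log data.
SAMPLE_LOG = """\
Oct 13 21:35:29 mailhost postfix/smtpd[3942]: connect from client.example.net[192.0.2.179]
Oct 13 21:35:29 mailhost postfix/smtpd[3942]: 8434B41C30: client=client.example.net[192.0.2.179], sasl_method=PLAIN, sasl_username=czanik
Oct 13 21:35:29 mailhost postfix/cleanup[3946]: 8434B41C30: message-id=<4CB609F2.8@example.com>
Oct 13 21:35:29 mailhost postfix/qmgr[3570]: 8434B41C30: from=<czanik@example.com>, size=619, nrcpt=1 (queue active)
Oct 13 21:35:29 mailhost postfix/smtpd[3942]: disconnect from client.example.net[192.0.2.179]
Oct 13 21:35:50 mailhost postfix/smtp[3947]: connect to targetmachine[203.0.113.4]:25: Connection timed out
Oct 13 21:35:50 mailhost postfix/smtp[3947]: 8434B41C30: to=<czanik@targetmachine>, relay=none, delay=21, delays=0.02/0.01/21/0, dsn=4.4.1, status=deferred (connect to targetmachine[203.0.113.4]:25: Connection timed out)
"""

# Classic BSD syslog header: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Postfix prefixes every message about a queued mail with its hex queue ID,
# regardless of which daemon (smtpd, cleanup, qmgr, smtp) emitted it.
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
# key=value pairs; values are either <angle-bracketed> or run up to a comma/space.
KV_RE = re.compile(r"(?P<key>[\w-]+)=(?P<val><[^>]*>|[^,\s]+)")


def parse_line(line):
    """Split one syslog line into header fields plus optional queue ID and key=value pairs."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["qid"] = None
    ev["fields"] = {}
    q = QUEUE_RE.match(ev["msg"])
    if q:
        ev["qid"] = q.group("qid")
        ev["fields"] = {k: v for k, v in KV_RE.findall(q.group("rest"))}
    return ev


def correlate(text):
    """Group events by queue ID; lines that carry no queue ID are kept under None."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            sessions[ev["qid"]].append(ev)
    return dict(sessions)


def summarize(events):
    """Collapse one queue ID's events (from several programs and PIDs) into one record."""
    merged = {}
    for ev in events:
        merged.update(ev["fields"])
    return {
        "programs": sorted({ev["prog"] for ev in events}),
        "pids": sorted({ev["pid"] for ev in events}),
        "first": events[0]["ts"],
        "last": events[-1]["ts"],
        "message_id": merged.get("message-id"),
        "from": merged.get("from"),
        "to": merged.get("to"),
        "status": merged.get("status"),
        "dsn": merged.get("dsn"),
    }


if __name__ == "__main__":
    for qid, events in correlate(SAMPLE_LOG).items():
        if qid is None:
            print(f"{len(events)} lines carry no queue ID (connect/disconnect lines)")
        else:
            print(qid, summarize(events))
```

Running it shows the four lines with queue ID 8434B41C30 collapsing into one delivery record spanning four program names and four PIDs, while the connect/disconnect lines stay unkeyed; a queue-ID-less line can only be tied to a transaction through its (program, PID) pair, which postfix reuses across connections, so the queue ID is the safer correlation key.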
