[syslog-ng] Insert hostname instead of overwrite ?
Balazs Scheidler
bazsi at balabit.hu
Thu Sep 2 17:21:36 CEST 2010
On Tue, 2010-08-17 at 18:26 -0700, stucky wrote:
> Guys
>
> I'm trying to log to a loadbalanced VIP. It seems to work ok except
> that the loadbalancer uses SNAT so I loose my source IP.
> This means I cannot use dns or even the source ip to get the source
> host as all logs appear to come from the same source (the
> loadbalancer).
> This means I have no choice but to rely on the hostname field which
> works about 98% of the time but some stuff like Dell OpenManage skips
> the hostname field.
> So I'd get logs like this on host "cage" f.e.
>
> Aug 16 21:47:22 Server Administrator: Storage Service EventID: 2242
> The Patrol Read has started.: Controller 0 (PERC 5/i Integrated)
>
> I fixed that by telling the syslog-ng client to force itself to figure
> out a proper hostname and now the log looks like this
>
> Aug 17 13:51:10 cage Administrator[]: Instrumentation Service EventID:
> 1000 Server Administrator starting
>
> I thought syslog-ng inserts the hostname but by the looks of it it
> simply replaces whatever is in the expected field with the hostname it
> has just figured out.
> As you can see it overwrote the entry "Server".
> No biggie in the above case but what if this field contained valuable
> information ? I'd loose that.
> Any way to squeeze in the hostname so to speak ?
what about keep_hostname(yes) ?
--
Bazsi
More information about the syslog-ng
mailing list