[syslog-ng] Insert hostname instead of overwrite ?

stucky stucky101 at gmail.com
Fri Sep 3 03:40:38 CEST 2010


Guys

We're not on the same page here. I have already addressed the missing
hostname by forcing syslog-ng to use dns to lookup its own hostname and then
insert it.
All I was asking is if I can make syslog truly "insert" the hostname.
Currently it simply overwrites whatever is in this field (in this case the
word "Server")
and replaces it with the correct hostname.
I was simply saying that this field which was just overwritten might have
contained important loginfo - that's all. It doesn't in this case but what
if it did?
So to make this clear, syslog can do this:

Replace "Server Administrator" with "{hostname} Administrator"

I was wondering if it could instead do this :

Replace "Server Administrator" with "{hostname} Server Administrator" in
order not to truncate the log content.

On a side note, instead of using dns wouldn't it be great if syslog could do
a "gethostbyname" instead to figure out its own hostname ? Should be much
more efficient
for local log source like this.

On Thu, Sep 2, 2010 at 5:28 PM, Lance Laursen <lance at demonware.net> wrote:

> Hmm. Well, if you can't put an intermediary syslog server with use_dns
> enabled between your Dell app and the load balancer, I think you're outta
> luck. If the log message doesn't contain a hostname, and the sending IP is
> that of the load balancer, then syslog really has no way to know where the
> message came from. You could write Dell and ask them to conform to RFC
> syslog standards but I don't think that's going to happen any time soon :).
> The only other thing I can think of is that if you only have one dell
> openManage box, you could filter for something specific to those logs then
> apply a static hostname using a template. But that method sucks and doesn't
> work as soon as you have two openManage boxes forwarding syslogs.
>
>
> On Thu, Sep 2, 2010 at 3:39 PM, stucky <stucky101 at gmail.com> wrote:
>
>> That's exactly the problem. I cannot keep a hostname that was never
>> written in the first place.
>> The DELL server administrator doesn't send it. As per my email below it
>> sends this :
>>
>>
>> Aug 16 21:47:22 Server Administrator: Storage Service EventID: 2242 The
>> Patrol Read has started.:  Controller 0 (PERC 5/i Integrated)
>>
>> So If I do a "keep_hostname" syslog-ng assumes that the server is called
>> "Server" which is of course wrong.
>>
>>
>> On Thu, Sep 2, 2010 at 8:21 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:
>>
>>> On Tue, 2010-08-17 at 18:26 -0700, stucky wrote:
>>> > Guys
>>> >
>>> > I'm trying to log to a loadbalanced VIP. It seems to work ok except
>>> > that the loadbalancer uses SNAT so I lose my source IP.
>>> > This means I cannot use dns or even the source ip to get the source
>>> > host as all logs appear to come from the same source (the
>>> > loadbalancer).
>>> > This means I have no choice but to rely on the hostname field which
>>> > works about 98% of the time but some stuff like Dell OpenManage skips
>>> > the hostname field.
>>> > So I'd get logs like this on host "cage" f.e.
>>> >
>>> > Aug 16 21:47:22 Server Administrator: Storage Service EventID: 2242
>>> > The Patrol Read has started.:  Controller 0 (PERC 5/i Integrated)
>>> >
>>> > I fixed that by telling the syslog-ng client to force itself to figure
>>> > out a proper hostname and now the log looks like this
>>> >
>>> > Aug 17 13:51:10 cage Administrator[]: Instrumentation Service EventID:
>>> > 1000  Server Administrator starting
>>> >
>>> > I thought syslog-ng inserts the hostname but by the looks of it it
>>> > simply replaces whatever is in the expected field with the hostname it
>>> > has just figured out.
>>> > As you can see it overwrote the entry "Server".
>>> > No biggie in the above case but what if this field contained valuable
>>> > information ? I'd lose that.
>>> > Any way to squeeze in the hostname so to speak ?
>>>
>>> what about keep_hostname(yes) ?
>>>
>>>
>>> --
>>> Bazsi
>>>
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>>
>>>
>>
>>
>> --
>> stucky
>>
>>
>
>
> --
> Lance Laursen
> Demonware Systems Engineer
>
>


-- 
stucky
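
An added example, not part of the original post and not syslog-ng code: a simplified Python model of the positional hostname rule discussed in this thread, contrasting overwrite with insert on the OpenManage line quoted above. The function names, the `source_omits_host` flag and the second sample line are assumptions made for illustration.

```python
import re

# BSD-syslog style header: "Mmm dd hh:mm:ss" followed by the rest of the line.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")

def split_header(line):
    """Return (timestamp, first_token, remainder) using the positional rule:
    whatever follows the timestamp is assumed to be the hostname."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("no BSD-style timestamp")
    first, _, remainder = m.group("rest").partition(" ")
    return m.group("ts"), first, remainder

def overwrite_host(line, hostname):
    """Model of the behaviour reported in the thread: the token in the
    hostname position is replaced, so it is lost if it was not a hostname."""
    ts, _dropped, remainder = split_header(line)
    return f"{ts} {hostname} {remainder}"

def insert_host(line, hostname):
    """What the poster asks for: put the hostname after the timestamp and
    keep every original token."""
    ts, first, remainder = split_header(line)
    return f"{ts} {hostname} {first} {remainder}"

def rewrite(line, hostname, source_omits_host):
    """Insert only for sources known to omit the hostname; a well-formed
    line would otherwise end up with a second hostname-like token."""
    if source_omits_host:
        return insert_host(line, hostname)
    return overwrite_host(line, hostname)

# Sample lines: the first is the OpenManage message quoted in the thread,
# the second is constructed for this example.
DELL = ("Aug 16 21:47:22 Server Administrator: Storage Service EventID: 2242 "
        "The Patrol Read has started.:  Controller 0 (PERC 5/i Integrated)")
WELL_FORMED = "Aug 16 21:47:23 oldname sshd[411]: session opened"

if __name__ == "__main__":
    print(split_header(DELL)[1])                       # token taken as hostname
    print(overwrite_host(DELL, "cage"))                # "Server" is dropped
    print(rewrite(DELL, "cage", source_omits_host=True))
    print(rewrite(WELL_FORMED, "cage", source_omits_host=False))
```

Nothing in the line itself distinguishes "Server" from a real hostname, so the insert-or-overwrite decision has to be made per source rather than per message.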