[syslog-ng] Insert hostname instead of overwrite ?
syslogng at feystorm.net
Fri Sep 3 04:09:08 CEST 2010
I think you would be able to do this. You can set the no-parse flag on
the tcp source the bad messages come in on, and then use a filter on the
$MSG macro to grab things out. Like a pcre filter that does
'(?<PROGRAM>some.regex)'. I'm not certain if filters can set macros such
as PROGRAM though, but worth a shot.
Sent: Thursday, September 02, 2010 7:40:38 PM
From: stucky <stucky101 at gmail.com>
To: Syslog-ng users' and developers' mailing list
<syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Insert hostname instead of overwrite ?
> Guys
>
> We're not on the same page here. I have already addressed the missing
> hostname by forcing syslog-ng to use dns to lookup its own hostname
> and then insert it.
> All I was asking is if I can make syslog truly "insert" the hostname.
> Currently it simply overwrites whatever is in this field (in this
> case the word "Server") and replaces it with the correct hostname.
> I was simply saying that this field which was just overwritten might
> have contained important log info - that's all. It doesn't in this case
> but what if it did.
> So to make this clear, syslog can do this:
>
> Replace "Server Administrator" with "{hostname} Administrator"
>
> I was wondering if it could instead do this:
>
> Replace "Server Administrator" with "{hostname} Server Administrator"
> in order not to truncate the log content.
>
> On a side note, instead of using dns wouldn't it be great if syslog
> could do a "gethostbyname" instead to figure out its own hostname?
> Should be much more efficient for local log sources like this.
>
> On Thu, Sep 2, 2010 at 5:28 PM, Lance Laursen <lance at demonware.net
> <mailto:lance at demonware.net>> wrote:
>
> Hmm. Well, if you can't put an intermediary syslog server with
> use_dns enabled between your Dell app and the load balancer, I
> think you're outta luck. If the log message doesn't contain a
> hostname, and the sending IP is that of the load balancer, then
> syslog really has no way to know where the message came from. You
> could write Dell and ask them to conform to RFC syslog standards
> but I don't think that's going to happen any time soon :).
> The only other thing I can think of is that if you only have one
> dell openManage box, you could filter for something specific to
> those logs then apply a static hostname using a template. But that
> method sucks and doesn't work as soon as you have two openManage
> boxes forwarding syslogs.
>
>
> On Thu, Sep 2, 2010 at 3:39 PM, stucky <stucky101 at gmail.com
> <mailto:stucky101 at gmail.com>> wrote:
>
> That's exactly the problem. I cannot keep a hostname that was
> never written in the first place.
> The DELL server administrator doesn't send it. As per my email
> below it sends this :
>
>
> Aug 16 21:47:22 Server Administrator: Storage Service EventID: 2242
> The Patrol Read has started.: Controller 0 (PERC 5/i Integrated)
>
> So if I do a "keep_hostname" syslog-ng assumes that the server
> is called "Server" which is of course wrong.
>
>
> On Thu, Sep 2, 2010 at 8:21 AM, Balazs Scheidler
> <bazsi at balabit.hu <mailto:bazsi at balabit.hu>> wrote:
>
> On Tue, 2010-08-17 at 18:26 -0700, stucky wrote:
> > Guys
> >
> > I'm trying to log to a loadbalanced VIP. It seems to work ok except
> > that the loadbalancer uses SNAT so I lose my source IP.
> > This means I cannot use dns or even the source ip to get the source
> > host as all logs appear to come from the same source (the
> > loadbalancer).
> > This means I have no choice but to rely on the hostname field which
> > works about 98% of the time but some stuff like Dell OpenManage skips
> > the hostname field.
> > So I'd get logs like this on host "cage" f.e.
> >
> > Aug 16 21:47:22 Server Administrator: Storage Service EventID: 2242
> > The Patrol Read has started.: Controller 0 (PERC 5/i Integrated)
> >
> > I fixed that by telling the syslog-ng client to force itself to figure
> > out a proper hostname and now the log looks like this
> >
> > Aug 17 13:51:10 cage Administrator[]: Instrumentation Service EventID:
> > 1000 Server Administrator starting
> >
> > I thought syslog-ng inserts the hostname but by the looks of it it
> > simply replaces whatever is in the expected field with the hostname it
> > has just figured out.
> > As you can see it overwrote the entry "Server".
> > No biggie in the above case but what if this field contained valuable
> > information? I'd lose that.
> > Any way to squeeze in the hostname so to speak?
>
> what about keep_hostname(yes) ?
>
>
> --
> Bazsi
>
> ______________________________________________________________________________
> Member info:
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
> --
> stucky
>
> --
> Lance Laursen
> Demonware Systems Engineer
>
> --
> stucky
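The three hostname policies argued over in this thread (keep_hostname, overwrite, insert) and the no-parse-plus-named-group-regex idea from the reply at the top, as an added Python example that is not syslog-ng code and not any poster's configuration. The sample lines are constructed here (the Dell one mirrors the format quoted in the thread), the `resolved_host` argument stands in for the name the client works out with its own DNS lookup, and the `Server Administrator` program pattern in `NO_PARSE_RE` is an assumption for that Dell OpenManage format only:

```python
"""Hostname policies for BSD-syslog (RFC 3164) lines arriving via an SNAT load balancer.

Added example, not syslog-ng code. rewrite_header() models the three behaviours
discussed in the thread; no_parse_extract() models the "no-parse + named-group regex"
approach from the reply at the top. All sample lines are constructed here.
"""
import re
from typing import Dict, Optional

# Constructed sample input: a Dell OpenManage-style line whose hostname field is
# absent (the first token after the timestamp is the word "Server"), and an
# ordinary line that carries a real hostname.
DELL_LINE = ("Aug 16 21:47:22 Server Administrator: Storage Service EventID: 2242 "
             "The Patrol Read has started.: Controller 0 (PERC 5/i Integrated)")
NORMAL_LINE = ("Aug 16 21:47:30 cage sshd[1234]: Accepted publickey for alice "
               "from 10.0.0.5 port 5000 ssh2")

# RFC 3164 header: "Mmm dd hh:mm:ss HOSTNAME rest-of-line"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")


def rewrite_header(line: str, resolved_host: str, mode: str) -> str:
    """Re-emit `line` under one hostname policy.

    resolved_host is assumed to be the name the sending client worked out for
    itself (the thread's DNS-lookup fix); behind SNAT the relay cannot derive it
    from the source IP.

    mode="keep":      keep_hostname(yes): trust the field as received ("Server" stays)
    mode="overwrite": replace the field with resolved_host (the behaviour the thread
                      complains about: the token "Server" is lost)
    mode="insert":    put resolved_host in front and keep the original token in the text
    """
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 line: %r" % line)
    ts, host, rest = m.group("ts"), m.group("host"), m.group("rest")
    if mode == "keep":
        return line
    if mode == "overwrite":
        return "%s %s %s" % (ts, resolved_host, rest)
    if mode == "insert":
        return "%s %s %s %s" % (ts, resolved_host, host, rest)
    raise ValueError("unknown mode: %r" % mode)


# The no-parse approach: the whole line is $MSG and the fields are pulled out with a
# named-group regex. The "Server Administrator" program pattern is an assumption for
# the Dell OpenManage format quoted in the thread; other senders need their own pattern.
NO_PARSE_RE = re.compile(
    r"^(?P<DATE>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<PROGRAM>Server Administrator): (?P<MSG>.*)$")


def no_parse_extract(line: str, resolved_host: str) -> Optional[Dict[str, str]]:
    """Return DATE/HOST/PROGRAM/MSG for a matching line, or None if the pattern
    does not apply. RAW keeps the line exactly as received so nothing is lost."""
    m = NO_PARSE_RE.match(line)
    if m is None:
        return None
    return {"DATE": m.group("DATE"), "HOST": resolved_host,
            "PROGRAM": m.group("PROGRAM"), "MSG": m.group("MSG"), "RAW": line}


def render(fields: Dict[str, str]) -> str:
    """Equivalent of a template("$DATE $HOST $PROGRAM: $MSG") output line."""
    return "%s %s %s: %s" % (fields["DATE"], fields["HOST"], fields["PROGRAM"], fields["MSG"])


if __name__ == "__main__":
    for mode in ("keep", "overwrite", "insert"):
        print("%-9s %s" % (mode, rewrite_header(DELL_LINE, "cage", mode)))
    print(render(no_parse_extract(DELL_LINE, "cage")))
```

Two things worth checking before copying the idea into a real relay: the blind "insert" policy duplicates the name on lines that already carried a real hostname (the sshd line comes out as "cage cage sshd[1234]: ..."), so it only makes sense for a source that is known to omit the field; and behind an SNAT load balancer nothing in the packet tells the relay who sent the line, so the only attribution left is the self-reported field, which an untrusted sender can set to anything. Keeping RAW next to the parsed fields means an overwrite never erases what was actually received.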