[syslog-ng] Insert hostname instead of overwrite?

Balazs Scheidler bazsi at balabit.hu
Fri Sep 3 13:28:54 CEST 2010


On Tue, 2010-08-17 at 18:26 -0700, stucky wrote:
> Guys
> 
> I'm trying to log to a loadbalanced VIP. It seems to work ok except
> that the loadbalancer uses SNAT so I lose my source IP.
> This means I cannot use dns or even the source ip to get the source
> host as all logs appear to come from the same source (the
> loadbalancer).
> This means I have no choice but to rely on the hostname field which
> works about 98% of the time but some stuff like Dell OpenManage skips
> the hostname field.
> So I'd get logs like this on host "cage" f.e.
> 
> Aug 16 21:47:22 Server Administrator: Storage Service EventID: 2242
> The Patrol Read has started.:  Controller 0 (PERC 5/i Integrated)
> 
> I fixed that by telling the syslog-ng client to force itself to figure
> out a proper hostname and now the log looks like this
> 
> Aug 17 13:51:10 cage Administrator[]: Instrumentation Service EventID:
> 1000  Server Administrator starting
> 
> I thought syslog-ng inserts the hostname but, by the looks of it, it
> simply replaces whatever is in the expected field with the hostname it
> has just figured out.
> As you can see it overwrote the entry "Server".
> No biggie in the above case but what if this field contained valuable
> information? I'd lose that.
> Any way to squeeze in the hostname, so to speak?
> 

Well, apart from using bad_hostname() patterns to instruct syslog-ng to
assume that string is part of the message, I only have one idea: in
syslog-ng 3.2 you could use the "no-hostname" flag.

Can you configure these clients to send their logs to a different
port/ip? If you can, then the following would work with pre-3.2:

source s_dell { udp(port(2000) bad_hostname(".")); };

This instructs syslog-ng that the first word after the timestamp is
never the hostname. It's simpler with 3.2 though:

source s_dell { udp(port(2000) flags(no-hostname)); };

-- 
Bazsi
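The header heuristic discussed above, as an added illustration that is not syslog-ng code and not part of the original thread: a small Python parser that takes the first word after a BSD-syslog timestamp as the hostname, with two switches modelled on bad_hostname() and flags(no-hostname). When the word is not taken as a hostname, the sender's peer address is used instead, which behind a SNATing load balancer is the balancer's address. The sample lines are reconstructed from the two quoted in the thread; the peer address 10.0.0.5 is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two lines quoted in the thread, as a SNATing
# load balancer would deliver them. The peer address is assumed.
LB_PEER = "10.0.0.5"  # assumed SNAT address of the load balancer
LINE_NO_HOST = ("Aug 16 21:47:22 Server Administrator: Storage Service EventID: 2242 "
                "The Patrol Read has started.:  Controller 0 (PERC 5/i Integrated)")
LINE_WITH_HOST = ("Aug 17 13:51:10 cage Administrator[]: Instrumentation Service EventID: "
                  "1000  Server Administrator starting")

# BSD syslog (RFC 3164) timestamp: "Mmm dd hh:mm:ss", day space-padded.
BSD_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d) (?P<rest>.*)$")


@dataclass
class Parsed:
    timestamp: str
    host: str
    message: str


def parse_bsd(line, peer, no_hostname=False, bad_hostname=None):
    """Split a BSD syslog line the way the thread describes.

    By default the first word after the timestamp is taken as the hostname.
    bad_hostname is a regex; if it matches that word, the word is left in the
    message (modelled on syslog-ng's bad_hostname()). no_hostname=True never
    takes a hostname from the line (modelled on flags(no-hostname) in 3.2).
    Without a hostname from the line, the peer address is used, which behind
    a SNATing load balancer is the balancer, not the real sender.
    """
    m = BSD_TS.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    ts, rest = m.group("ts"), m.group("rest")
    first, _, tail = rest.partition(" ")
    take_as_host = not no_hostname
    if take_as_host and bad_hostname is not None and re.search(bad_hostname, first):
        take_as_host = False
    if take_as_host:
        return Parsed(ts, first, tail)
    return Parsed(ts, peer, rest)


if __name__ == "__main__":
    cases = (("default", {}),
             ("bad_hostname('.')", {"bad_hostname": "."}),
             ("no-hostname", {"no_hostname": True}))
    for label, kw in cases:
        for line in (LINE_NO_HOST, LINE_WITH_HOST):
            p = parse_bsd(line, LB_PEER, **kw)
            print("%-18s host=%-10s msg=%s" % (label, p.host, p.message[:40]))
```

With the default heuristic the OpenManage line loses "Server" to the host field, which is the overwrite the poster saw once the client started filling that field itself. With either switch the message stays whole, but the host field then only carries the peer address, so on a dedicated port as suggested above, every line from that listener will show the load balancer as its source.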


