[syslog-ng] patternize and IPv6 hosts

Balazs Scheidler bazsi at balabit.hu
Thu Feb 24 13:26:07 CET 2011


On Thu, 2011-02-24 at 12:07 +0100, Valentijn Sessink wrote:
> Hi,
> 
> Just a small remark. If you run pdbtool with "patternize" on a log file
> with logs from an IPv6 host, pdbtool thinks that everything after the
> first ":" is the log message. For example, the log message:
> 
> Feb 24 11:39:26 2a01:4f8:8a0:5141::3c2 named[31090]: lame server
> resolving ....
> 
> ... will be patternized as if the logging host were "2a01" and if the
> pattern should be:
> <pattern>4f8:8a0:5141::3c2 named[31090]: lame server resolving
> ....</pattern>
> 
> I searched around in the patternize code, but could not find the
> particular code where the host got cut off. However, for someone a bit
> at home in this code, I think the fix should be trivial.

hmm.. this is not the patternize code that has a problem, but rather the
RFC3164 message parsing code, which assumes that ':' is terminating the
hostname and marks the beginning of the log message. And this is quite
impossible to get out as it'd break a lot of applications out there.

wow, I don't know how to solve this properly within the scope of RFC3164
style parsing.

RFC5424 should be ok though, but I guess this is written in the logfile
now.


-- 
Bazsi
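
The ambiguity described in this reply, as an added illustration that is not part of the original message and is not syslog-ng's parser code: a simplified RFC3164-style header split that ends the host at the first ':' or space, next to a variant that first tests the whole token as an IPv6 literal. The function names and the IPv6-aware fallback are assumptions made for the example; the sample line is constructed from the one quoted in the thread.

```python
import ipaddress
import re

# Constructed sample, based on the log line quoted in the thread.
SAMPLE = ("Feb 24 11:39:26 2a01:4f8:8a0:5141::3c2 named[31090]: "
          "lame server resolving ....")

# BSD-style timestamp "Mmm dd hh:mm:ss" followed by one space.
TS = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")


def split_header(line):
    """Return (timestamp, remainder) or raise if the timestamp is missing."""
    m = TS.match(line)
    if not m:
        raise ValueError("no RFC3164-style timestamp")
    return m.group(1), line[m.end():]


def parse_colon_terminated(line):
    """Simplified model of the reported behaviour: host ends at ' ' or ':'."""
    ts, rest = split_header(line)
    m = re.match(r"[^ :]*", rest)
    # Skip exactly one delimiter character after the host token.
    return {"ts": ts, "host": m.group(0), "msg": rest[m.end() + 1:]}


def parse_ipv6_aware(line):
    """Hypothetical variant: accept the whole token if it is an IPv6 literal,
    otherwise fall back to the colon-terminated behaviour."""
    ts, rest = split_header(line)
    token, _, tail = rest.partition(" ")
    try:
        ipaddress.IPv6Address(token)
    except ValueError:
        return parse_colon_terminated(line)
    return {"ts": ts, "host": token, "msg": tail}


def host_truncated(line):
    """True when the two parsers disagree, i.e. the stored host field of an
    already-parsed record is likely a truncated IPv6 address."""
    return parse_colon_terminated(line)["host"] != parse_ipv6_aware(line)["host"]


if __name__ == "__main__":
    print(parse_colon_terminated(SAMPLE))
    print(parse_ipv6_aware(SAMPLE))
```

Running `host_truncated` over raw lines is one way to find records whose source host was cut at the first colon before relying on the host field for attribution.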



