[syslog-ng] Messages starting with tab not processed cleanly
Balazs Scheidler
bazsi at balabit.hu
Wed Sep 21 11:37:16 CEST 2011
On Fri, 2011-09-16 at 12:12 -0400, Jon Nathan wrote:
> * Gergely Nagy <algernon at balabit.hu> [09-16-2011 06:36]:
> >
> > The best course of action I can think of, is using a filter + rewrite
> > combination, something like the following:
> >
> > filter f_tabhost { host("\t*" type(glob)); };
> >
> > rewrite r_rewrite_taberror {
> >     set("$HOST $PROGRAM $MSG", value("MSG"));
> >     set("$HOST_FROM", value("HOST"));
> >     set("-", value("PROGRAM"));
> > };
> >
> > log {
> >     source(...);
> >     filter(f_tabhost);
> >     rewrite(r_rewrite_taberror);
> >     destination(d_syslog);
> >     flags(final);
> > };
> >
> > log {
> >     source(...);
> >     destination(d_syslog);
> > };
> >
> > This will set the message part appropriately, and set $HOST to
> > $HOST_FROM (which is the originating host's name, as looked up via DNS),
> > and $PROGRAM to a default value of "-".
> >
> > Provided that the sending hosts' reverse dns is the same as the host it
> > sends in syslog messages, the above blocks should do the right thing.
> >
> > (I'm not sure whether all of this is supported in 3.1, I suppose it
> > is. I only tried with 3.3, as that's what I have at hand, but according
> > to the documentation, this should work with 3.2 as well)
> >
> > --
> > |8]
>
> Thank you Gergely, this does exactly what we want.
Also, check-hostnames() could be at your service; bad-hostnames() even
allows you to specify a regexp to discover "bad" hostnames that should
rather be part of the message payload.
--
Bazsi
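
An added example, not part of the original thread and not syslog-ng's own code: a small Python model of the filter and rewrite combination quoted above, showing what the three set() statements produce and why their order matters. The sample field values and hostnames are constructed, and how syslog-ng actually splits a tab-led line into HOST and PROGRAM is an assumption.

```python
import re
from fnmatch import fnmatchcase

# The three set() statements of r_rewrite_taberror, in the order quoted
# in the thread, as (template, target field) pairs.
R_REWRITE_TABERROR = [
    ("$HOST $PROGRAM $MSG", "MSG"),
    ("$HOST_FROM", "HOST"),
    ("-", "PROGRAM"),
]

def expand(template, rec):
    """Expand $NAME macros from the record's current field values."""
    return re.sub(r"\$([A-Z_]+)", lambda m: rec.get(m.group(1), ""), template)

def rewrite(rec, steps):
    """Apply set() steps one after another; later steps see earlier changes."""
    out = dict(rec)  # work on a copy, leave the input record untouched
    for template, target in steps:
        out[target] = expand(template, out)
    return out

def f_tabhost(rec):
    """Model of host("\\t*" type(glob)): HOST begins with a tab."""
    return fnmatchcase(rec["HOST"], "\t*")

def route(rec):
    """First log path (filter + rewrite, flags(final)), else the catch-all path."""
    if f_tabhost(rec):
        return rewrite(rec, R_REWRITE_TABERROR)
    return dict(rec)

# Constructed sample records: the parsed field values are assumptions,
# not captured syslog-ng output.
BROKEN = {"HOST": "\tat", "PROGRAM": "worker", "MSG": "line 42 failed",
          "HOST_FROM": "app01.example.com"}
CLEAN = {"HOST": "app01", "PROGRAM": "sshd", "MSG": "session opened",
         "HOST_FROM": "app01.example.com"}

# Same statements with HOST set first: the misparsed text is lost from MSG.
WRONG_ORDER = [R_REWRITE_TABERROR[1], R_REWRITE_TABERROR[0], R_REWRITE_TABERROR[2]]

if __name__ == "__main__":
    for record in (BROKEN, CLEAN):
        print(route(record))
    print(rewrite(BROKEN, WRONG_ORDER))
```
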