
I am using a centralised syslog-ng loghost to collect logs and syslog-ng on some of the clients.

On one particular client, running syslog-ng on Devil Linux, syslog entries are sent (confirmed with tcpdump) with the following format:

DATE local@hostname MESSAGE 

where local is the name of the source from the config file

source local {
    file("/proc/kmsg" program_override("kernel: "));
    unix-stream("/dev/log" max-connections(1000));
    internal();
};
log { source(local); destination(console); };

None of the other syslog-ng hosts do this, although most are CentOS 5.4 running syslog-ng 2.1.4, whereas this is syslog-ng version 3.05.

Does anyone know why this is happening and how to stop it?

EDIT: Full config file

@version: 3.0

#####################################################################
# define options for syslog
#####################################################################
options {
    long_hostnames(on);
    flush_lines(0);
    time_reopen(60);
    use_dns (no);
};

#####################################################################
# define the source pipe for all local messages
#####################################################################
source local {
    file("/proc/kmsg" program_override("kernel: "));
    unix-stream("/dev/log" max-connections(1000));
    internal();
};

#####################################################################
# print all messages on tty10
#####################################################################
destination console { file("/dev/tty10"); };
log { source(local); destination(console); };

#####################################################################
# send all messages to the loghost
#####################################################################
destination loghost { udp("192.168.45.15" port (514)) ; };
log { source(local); destination(loghost); };

#####################################################################
# send all messages to /var/log/messages
#####################################################################
#destination logfile { file("/var/log/messages"); };
#log { source(src); destination(logfile); };

#####################################################################
# END
#####################################################################

1 Answer

Normally, the "local@localhost" string is a result of either one of these config options:

chain_hostnames(yes);
long_hostnames(yes);

I can't remember exactly whether this other option is also involved:

keep_hostname(yes); 

Please update your question with full config file.

EDIT: Seems like long_hostnames(on) is at fault. Surely, some of the syslog-ng options are not only misnamed, but also very poorly documented. I've tried to re-engineer this mess and I've put the results here at "FQDNs during migration from syslogd to syslog-ng".

  • I thought those options only affected received events? The issue here is the events being sent; the local@ is added at the source, not the destination, as verified with tcpdump. Commented Sep 18, 2010 at 13:50
  • Actually you're spot on, thanks. Setting long_hostnames(off) fixed the issue, although looking at the man pages I'm still at a loss as to why. Commented Sep 18, 2010 at 17:20
  • Also, for others: long_hostnames and chain_hostnames are synonyms, long_hostnames being deprecated. Commented Sep 18, 2010 at 17:21
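
A loghost-side check for the symptom discussed above, as an added example that is not part of the original question, answer or comments: it parses BSD-syslog lines, splits a `source@host` HOST field, and lists the clients that still send the prefix and so still need long_hostnames/chain_hostnames turned off. The sample lines, host names and function names are constructed for illustration.

```python
import re

# <PRI> is optional because files written by a loghost usually omit it.
LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

def split_host(field):
    """Split 'source@host' into (source, host); a plain host gives (None, host)."""
    source, sep, host = field.rpartition("@")
    if sep and source and host:
        return source, host
    return None, field

def normalize(line):
    """Parse one BSD-syslog line; return None when it does not match."""
    m = LINE.match(line)
    if m is None:
        return None
    source, host = split_host(m.group("host"))
    return {"ts": m.group("ts"), "host": host,
            "source": source, "msg": m.group("msg")}

def clients_to_fix(lines):
    """Map each host that still sends a 'source@' prefix to the source names seen."""
    found = {}
    for line in lines:
        rec = normalize(line)
        if rec and rec["source"]:
            found.setdefault(rec["host"], set()).add(rec["source"])
    return found

# Constructed sample lines (not taken from the original post).
SAMPLE = [
    "<13>Sep 18 13:50:01 local@devil sshd[812]: Accepted publickey for admin",
    "<6>Sep 18 13:50:02 local@devil kernel: eth0: link up",
    "<13>Sep 18 13:50:03 centos1 crond[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "garbage without a timestamp",
]

if __name__ == "__main__":
    for host, sources in clients_to_fix(SAMPLE).items():
        print(host, sorted(sources))
```

Normalizing the HOST field this way keeps per-host correlation on the loghost intact while affected clients are being reconfigured.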
