> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of [email protected]
> Sent: Thursday, July 08, 2010 3:22 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] logging hostnames
> 
> On Wed, 7 Jul 2010, Joe Williams wrote:
> 
> > David,
> >
> > Thanks, I think you're right:
> >
> > <14>Jul  2 21:25:38 HOSTNAME log message
> >
> > vs
> >
> > <149>customer:[<0.20341.5496>] IPADDR log message
> >
> > The latter is the message that our server is sending.
> 
> yep, there's no timestamp or hostname in the message. This is a fairly
> common way to malform syslog messages, and the standard thing to do is to
> use the current time as the timestamp and use the IP address (or reverse
> DNS lookup) as the hostname
> 
> if you can get the server to change its log format you should start seeing
> the hostname correctly, short of this you have to settle for what you can
> get from the IP address.

David is absolutely right, but I would like to mention that a way to address
such things (if you can use the IPADDR from the log message) is to write a
custom message parser. Rsyslog has recently been enhanced to provide this
facility for solving such common malformed message issues. If you cannot write
one yourself, Adiscon offers to write message parsers for little money
(provided the parser is contributed back to the project).

As a side-note, my hope is that over time we will get a set of parsers that
address most of the malformed messages we see...

Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
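
The fallback logic discussed in this thread, as an added Python example (not code from the thread and not an rsyslog parser module): a header-less message gets the receive time and the sender's address, and the address embedded in the message text is used as hostname only if it validates as an IP. The function name `parse`, the field names, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# "<PRI>Mmm dd hh:mm:ss HOSTNAME msg": header carries timestamp and hostname.
WELL_FORMED = re.compile(
    r"<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)", re.S)
# "<PRI>tag:[<id>] IPADDR msg": the header-less shape quoted in the thread.
HEADERLESS = re.compile(r"<(\d{1,3})>([^:\s]+):\[<([\d.]+)>\] (\S+) (.*)", re.S)


def parse(raw, sender_ip, now=None):
    """Return a dict of fields; sender_ip is the peer address of the packet."""
    now = now or datetime.now(timezone.utc)
    m = WELL_FORMED.fullmatch(raw)
    if m:
        pri, ts, host, msg = m.groups()
        rec = {"timestamp": ts, "hostname": host, "source": "header", "msg": msg}
    else:
        # No usable header: receive time and sender address are the defaults.
        rec = {"timestamp": now.isoformat(), "hostname": sender_ip,
               "source": "sender", "msg": raw}
        m = HEADERLESS.fullmatch(raw)
        if m is None:
            return rec
        pri, tag, _ident, addr, msg = m.groups()
        rec.update(tag=tag, msg=msg)
        try:
            # Use the embedded address only if it is a syntactically valid IP;
            # it is sender-supplied text, so record where the value came from.
            rec["hostname"] = str(ipaddress.ip_address(addr))
            rec["source"] = "message"
        except ValueError:
            rec["msg"] = f"{addr} {msg}"  # not an address: keep it in the text
    pri = int(pri)
    if pri > 191:  # PRI = facility * 8 + severity, maximum 23 * 8 + 7
        raise ValueError(f"PRI out of range: {pri}")
    rec.update(facility=pri >> 3, severity=pri & 7)
    return rec
```

The `source` field lets downstream rules tell a hostname taken from a proper header apart from one derived from the sender address or from message text.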