Syslog-ng log format

I am using a centralised syslog-ng loghost to collect logs and syslog-ng on some of the clients.

On one particular client, running syslog-ng on Devil Linux, syslog entries are sent (confirmed with tcpdump) with the following format:

DATE local@hostname MESSAGE

where local is the name of the source from the config file:

source local { file("/proc/kmsg" program_override("kernel: ")); unix-stream("/dev/log" max-connections(1000)); internal(); };

log { source(local); destination(console); };

None of the other syslog-ng hosts do this, although most are CentOS 5.4 running syslog-ng 2.1.4, whereas this is syslog-ng version 3.05.

Does anyone know why this is happening and how to stop it?

EDIT: Full config file


@version: 3.0

#####################################################################
# define options for syslog
#####################################################################
options { long_hostnames(on); flush_lines(0); time_reopen(60); use_dns (no); };

#####################################################################
# define the source pipe for all local messages
#####################################################################
source local { file("/proc/kmsg" program_override("kernel: ")); unix-stream("/dev/log" max-connections(1000)); internal(); };

#####################################################################
# print all messages on tty10
#####################################################################
destination console { file("/dev/tty10"); };
log { source(local); destination(console); };

#####################################################################
# send all messages to the loghost
#####################################################################

destination loghost { 
 udp("192.168.45.15" port (514)) ;
 };
log { source(local); destination(loghost); };

#####################################################################
# send all messages to /var/log/messages
#####################################################################
#destination logfile { file("/var/log/messages"); };
#log { source(src); destination(logfile); };

#####################################################################
# END
#####################################################################

Best Answer

Normally, the "local@localhost" string is a result of either one of these config options:

chain_hostnames(yes);
long_hostnames(yes);

I can't remember exactly whether this one more option is involved:

keep_hostname(yes);

Please update your question with full config file.

EDIT: seems like long_hostnames(on) is at fault. Surely, some of the syslog-ng options are not only misnamed, but also very poorly documented. I've tried to re-engineer this mess and I've put the results here: "FQDNs during migration from syslogd to syslog-ng".
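
A check for the behaviour discussed above, as an added example that is not part of the original question or answer: it flags the hostname-chaining options the answer names when they are switched on in a client config, and splits the source@host field in lines received on the loghost so that host-based searches still match. The function names, the host names devil and web01, and the sample log lines are constructed for illustration; the options line is the one from the question.

```python
import re

# Options named in the answer; syslog-ng accepts '-' or '_' in option names.
CHAIN_OPT = re.compile(
    r'\b(chain[_-]hostnames|long[_-]hostnames)\s*\(\s*(yes|on|1)\s*\)', re.I)
# BSD-syslog style line: optional <PRI>, timestamp, host field, message.
LINE = re.compile(
    r'^(?:<\d{1,3}>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<msg>.*)$')

def chain_options_enabled(config_text):
    """Return the chaining options that are switched on, skipping # comments."""
    found = []
    for line in config_text.splitlines():
        code = line.split('#', 1)[0]  # simplification: '#' inside strings not handled
        found += [m.group(1).lower() for m in CHAIN_OPT.finditer(code)]
    return found

def split_host_field(line):
    """Return (source, host, msg); source is None without a 'source@' prefix."""
    m = LINE.match(line)
    if not m:
        return None
    source, sep, host = m.group('host').rpartition('@')
    return (source if sep else None, host, m.group('msg'))

def chained_senders(lines):
    """Hosts whose messages arrive with a source@host field."""
    parsed = (split_host_field(l) for l in lines)
    return sorted({p[1] for p in parsed if p and p[0] is not None})

# Options line from the question, plus a constructed commented-out line.
SAMPLE_CONFIG = """\
options { long_hostnames(on); flush_lines(0); time_reopen(60); use_dns (no); };
# options { chain_hostnames(yes); };
"""
# Constructed sample lines in the "DATE local@hostname MESSAGE" shape.
SAMPLE_LINES = [
    "<6>Mar  3 10:15:02 local@devil kernel: eth0: link up",
    "<13>Mar  3 10:15:05 web01 sshd[311]: session opened",
]

if __name__ == "__main__":
    print("enabled:", chain_options_enabled(SAMPLE_CONFIG))
    print("chained senders:", chained_senders(SAMPLE_LINES))
```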