syslog-ng, network logging & hostnames

humbletech99 · 05-05-2006, 10:56 AM

I've got a syslog-ng central logging server on gentoo with many clients of varying distros running either syslog-ng or classic syslogd. I've got the output directory as:

Code:

destination d_hosts { file("/var/log/NETWORK/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"); };

but I've notived that some machines which have more than one name have created two separate directories under /var/log/NETWORK.

I want to know how to force the central server to use only their hostname, not the names by which some applications may consider themselves. I've been looking at the FAQ at balabit.com, in particular the global options "use_dns" and "keep_hostnames" but these seem to only give the opions to either use the hostnames from the logs which vary (I believe it's these that's causing the problems), or use dns which can cause a possible DoS if the host isn't resolvable or the dns server reboots or whatever...

Any suggestions?

mackdav · 05-06-2006, 10:32 AM

I use syslog-ng and have seen $HOST expand to things like NETWORK or whatever. The problem is that the originating application on the originating host is sending badly-formed messages to it's local syslog, and really there isn't much you can do about that on the central loghost -- the messages were broke before they got there.