We have a problem where we have a device type logging with hostnames like slot1/devicename. Unfortunately, when the logs are written to disk, only the slot1 part is written; since we have a number of devices, this prevents us from knowing which device sent the logs. We did a packet capture to confirm that on the wire, the hostname is slot1/devicename.
options {
    long_hostnames(off);
    sync(0);
    perm(0640);
    stats(3600);
    chain_hostnames(on);
    keep_hostname(on);
    create_dirs(on);
    bad-hostname("^[0-9][0-9]*$");
};

source s_in {
    udp();
    tcp(max-connections(255));
};

destination s_files {
    file(
        "/opt/syslog-ng/$HOST/$FACILITY-$HOUR.log"
        template("$DATE $HOST $MSG\n")
        template_escape(no)
    );
};

log { source(s_in); destination(s_files); };
This is syslog-ng-2.0.9-27.34.39.2 on SUSE Linux Enterprise Server 11 SP4
My guess is that syslog-ng doesn't expect the hostname to contain a slash, so it assumes that the first part of that string is the hostname. It either drops the second part, or assumes it belongs to the next field of the message. Check the value of the $PROGRAM macro, it might contain the devicename you are looking for. (If not, check also the $HOST_FROM, $FULLHOST_FROM and the $FULLHOST macros.)
If yes, you can modify the destination filename to /$HOST-$PROGRAM/, or something similar (and probably also use a filter and a separate log path for this device so the new template does not mess up the directory names of the devices that are working fine).
If that does not solve the problem, newer versions of syslog-ng can parse and rewrite log messages in a number of ways that can solve this problem, but for that you'll need to install a more recent version (2.0.9 is ancient).
HTH, Robert
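The diagnostic and the workaround described in the reply above, written out as an added syslog-ng 2.x configuration fragment (example only, not part of the original thread or the syslog-ng project). It assumes the device hostnames arrive as slotN/devicename, that the devicename ends up in $PROGRAM as the reply guesses, and that the source s_in and destination s_files from the original config are still defined; the file paths and object names are made up for the example.

```conf
# Diagnostic destination: one line per message with every hostname-related macro,
# so you can see where the "devicename" part of "slot1/devicename" actually ends up.
destination d_macro_debug {
    file("/opt/syslog-ng/debug/macros.log"
        template("HOST=$HOST PROGRAM=$PROGRAM HOST_FROM=$HOST_FROM FULLHOST=$FULLHOST FULLHOST_FROM=$FULLHOST_FROM MSG=$MSG\n")
        template_escape(no));
};

# Only the devices whose hostname is truncated to "slotN" (regex, assumed device naming).
filter f_slot_devices { host("^slot[0-9]+$"); };

# Directory name built from host and program, e.g. /opt/syslog-ng/slot1-devicename/,
# on the assumption that $PROGRAM carries the devicename.
destination d_slot_files {
    file("/opt/syslog-ng/$HOST-$PROGRAM/$FACILITY-$HOUR.log"
        template("$DATE $HOST $PROGRAM $MSG\n")
        template_escape(no));
};

# Separate log path for the affected devices; flags(final) keeps these messages
# out of the generic path below, so other devices' directory names are untouched.
log {
    source(s_in);
    filter(f_slot_devices);
    destination(d_macro_debug);
    destination(d_slot_files);
    flags(final);
};

# Everything else keeps the original layout.
log { source(s_in); destination(s_files); };
```

Remove d_macro_debug from the log path once you have confirmed which macro holds the device name, since it duplicates every message from those devices.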