[syslog-ng] First word of log message dropped

Fegan, Joe Joe.Fegan at hp.com
Thu Sep 10 20:33:14 CEST 2009


In the syslog protocol, the first word after the timestamp is either (a) the name of the host that sent the message or (b) the name of the application that sent the message, followed by a colon. If there is no colon, it is interpreted as format (a).

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Rudolph, Timothy L
Sent: 10 September 2009 16:27
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] First word of log message dropped

I've recently started using syslog-ng 3.0.4 on a Solaris system to
collect logs from a number of devices and servers.  I've noticed a few
instances where the first word of a log message is dropped from the
entry written to file when comparing to the standard syslogd.

One example is a message (local1.err) that comes over the network as:

Sep 10 09:29:32 duplicate IP address 1.1.1.1 sent from link address
00:00:00:00:00:00

Without the store-legacy-msghdr flag, the resulting message in my log
file generated by syslog-ng is:

Sep 10 09:29:32 so7761 IP: address 1.1.1.1 sent from link address
00:00:00:00:00:00

If I put the store-legacy-msghdr flag in, I only get a very minor
change, no colon:

Sep 10 09:29:32 so7761 IP address 1.1.1.1 sent from link address
00:00:00:00:00:00

Is there any way I can get these entries to log correctly?

Thanks,

Tim
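
The parsing rule described in the reply, as an added example that is not part of the original thread and is not syslog-ng's code: a simplified Python model of legacy header parsing that reproduces both outputs quoted above. Treating the word after the assumed hostname as the program tag, and so7761 as the receiver's name for the sender, are assumptions drawn from those outputs.

```python
import re

# Legacy BSD-syslog timestamp, e.g. "Sep 10 09:29:32"
TS = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$", re.S)

def parse_legacy(line, sender):
    """Split a legacy syslog line into fields (simplified model, see lead-in).

    sender: name the receiver records for the peer (assumption).
    """
    m = TS.match(line)
    if not m:
        raise ValueError("no legacy timestamp at start of line")
    date, rest = m.groups()
    first, _, tail = rest.partition(" ")
    if first.endswith(":"):
        # Format (b): "program: message", no hostname on the wire.
        host_on_wire, tag, msg = None, first, tail
    else:
        # Format (a): first word is taken as the hostname, so the
        # next word ends up being treated as the program tag.
        host_on_wire = first
        tag, _, msg = tail.partition(" ")
    return {"date": date, "host": sender, "host_on_wire": host_on_wire,
            "program": tag.rstrip(":"), "msghdr": tag + " ", "msg": msg}

def render(f, store_legacy_msghdr=False):
    """Rebuild the output line; with the flag, reuse the header text as received."""
    hdr = f["msghdr"] if store_legacy_msghdr else f["program"] + ": "
    return f"{f['date']} {f['host']} {hdr}{f['msg']}"

def swallowed_word(f):
    """Hint for log review: a wire 'hostname' that is not the sender's name
    may really be the first word of the message text."""
    h = f["host_on_wire"]
    return h if h is not None and h != f["host"] else None

# Message from the post above, joined onto one line.
WIRE = ("Sep 10 09:29:32 duplicate IP address 1.1.1.1 sent from link address "
        "00:00:00:00:00:00")

if __name__ == "__main__":
    fields = parse_legacy(WIRE, "so7761")
    print(render(fields))
    print(render(fields, store_legacy_msghdr=True))
    print("possibly swallowed:", swallowed_word(fields))
```

A wire hostname that differs from the sender is also normal for relayed messages, so the last function is a review hint, not proof of a lost word.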