[syslog-ng] First word of log message dropped

Balazs Scheidler bazsi at balabit.hu
Fri Sep 11 13:13:13 CEST 2009


On Thu, 2009-09-10 at 18:33 +0000, Fegan, Joe wrote:
> In syslog protocol the first word after the timestamp is either (a) the name of the host that sent the message or (b) the name of the application that sent the message, followed by a colon. If there is no colon it is interpreted as format (a).
> 

and there's a workaround for this issue: use the bad_hostnames() regexp
to specify which words should not be accounted as a hostname.

e.g. you need

bad_hostnames("^duplicate$")

which will cause syslog-ng to recognize that duplicate is not a
hostname, rather a program name and everything after it the message
payload:

HOST=<sender IP address or resolved DNS name>
PROGRAM=duplicate
MSG=IP address 1.1.1.1 sent from link address 00:00:00:00:00:00

If you don't use store-legacy-msghdr this is what you'll get:

<datetime> <sender host> duplicate: IP address

and with store-legacy-msghdr the colon will be omitted.

> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Rudolph, Timothy L
> Sent: 10 September 2009 16:27
> To: syslog-ng at lists.balabit.hu
> Subject: [syslog-ng] First word of log message dropped
> 
> I've recently started using syslog-ng 3.0.4 on a Solaris system to
> collect logs from a number of devices and servers.  I've noticed a few
> instances where the first word of a log message is dropped from the
> entry written to file when comparing to the standard syslogd.
> 
> One example is a message (local1.err) that comes over the network as:
> 
> Sep 10 09:29:32 duplicate IP address 1.1.1.1 sent from link address
> 00:00:00:00:00:00
> 
> Without the store-legacy-msghdr flag, the resulting message in my log
> file generated by syslog-ng is:
> 
> Sep 10 09:29:32 so7761 IP: address 1.1.1.1 sent from link address
> 00:00:00:00:00:00
> 
> If I put the store-legacy-msghdr flag in, I only get a very minor
> change, no colon:
> 
> Sep 10 09:29:32 so7761 IP address 1.1.1.1 sent from link address
> 00:00:00:00:00:00
> 
> Is there any way I can get these entries to log correctly?
> 
> Thanks,
> 
> Tim
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
> 
-- 
Bazsi
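The header split Bazsi describes, as an added example that is not from the thread or from syslog-ng's source: a small Python model of the legacy header parse with the bad_hostnames() override and both output forms (with and without store-legacy-msghdr), run against the message Tim posted. The sender name so7761 is taken from Tim's output; the timestamp regexp and the parse logic are my approximation, and the keep_hostname default models syslog-ng's documented behaviour of replacing the parsed hostname with the sender's name.

```python
import re
from dataclasses import dataclass

# Constructed copy of the message from the thread: the word after the timestamp
# ("duplicate") carries no colon, so the legacy header split reads it as a hostname.
SAMPLE = "Sep 10 09:29:32 duplicate IP address 1.1.1.1 sent from link address 00:00:00:00:00:00"
SENDER = "so7761"  # name the collector resolves for the sending device (from the thread)

BSD_TIMESTAMP = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$")


@dataclass
class Parsed:
    timestamp: str
    host: str
    program: str
    msg: str
    legacy_msghdr: str  # original header word, what store-legacy-msghdr preserves


def parse_legacy(line, sender, bad_hostnames=None, keep_hostname=False):
    """Approximation of the RFC 3164 style header split described in the mail.

    The word after the timestamp becomes HOST unless it ends in a colon (then it
    is PROGRAM) or matches the bad_hostnames() regexp. With keep_hostname off
    (syslog-ng's default) HOST is replaced by the sender's name, which is why the
    misparsed word disappears from the written line. Not syslog-ng's own code.
    """
    m = BSD_TIMESTAMP.match(line)
    if not m:
        raise ValueError("no BSD timestamp")
    ts, rest = m.groups()
    first, _, remainder = rest.partition(" ")
    bad = re.compile(bad_hostnames) if bad_hostnames else None
    if first.endswith(":") or (bad and bad.search(first)):
        host = sender  # no hostname in the header at all
    else:
        host = first if keep_hostname else sender
        first, _, remainder = remainder.partition(" ")
    return Parsed(ts, host, first.rstrip(":"), remainder, first)


def render(p, store_legacy_msghdr=False):
    """Rebuild the line as the file destination writes it."""
    if store_legacy_msghdr:
        header = p.legacy_msghdr  # original text, so no colon is added
    else:
        header = p.program + ":"  # syslog-ng re-synthesises "PROGRAM:"
    return f"{p.timestamp} {p.host} {header} {p.msg}"
```

Parsing SAMPLE without bad_hostnames reproduces both of Tim's lines (PROGRAM=IP), while bad_hostnames("^duplicate$") yields PROGRAM=duplicate with the full payload intact.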
