Hi,

System information where this problem has been discovered:
OS: AIX 5.3
Syslog NG version: 1.6.9
libol: 0.3.17

aixhost53:
<13>Mar 22 10:11:50 src@aixhost53 auth|security:info sshd[454900]: Connection from 192.168.10.20 port 42498
<13>Mar 22 10:11:50 src@aixhost53 auth|security:info sshd[454900]: Failed none for root from 192.168.10.20 port 42498 ssh2

As you can see above, the AIX 5.3 system syslogd appends the facility and priority level to the message. I found no way
to stop AIX's syslogd doing this nasty thing.
Nevertheless, when syslog-ng receives this message it is unable to parse the fields correctly because it reads
e.g. "auth|security:info" as program name.

I've had a quick look at the code, namely 'macros.c' where it reads "colon = memchr(msg->msg->data, ':', msg->msg->length);"
in line 398
macros.c:
...
    case M_MSGONLY: {
        char *colon;
        int ofs;

        colon = memchr(msg->msg->data, ':', msg->msg->length);

        if (!colon) {
            ofs = 0;
        }
        else {
            // origofs = (colon - (char *) msg->msg->data) + 2;
            ofs = (colon - (char *) msg->msg->data) +6;
            if (ofs > msg->msg->length)
                ofs = msg->msg->length;
        }
        length = append_string(dest, left, (char *) msg->msg->data + ofs, msg->msg->length - ofs, escape);
        break;
    }

...

syslog-ng.conf:
destination tempfile { file("/tmp/syslog-ng.debug" template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC $HOST $MSGONLY\n") template-escape(yes)); };

The syslog-ng.conf destination entry above causes the message to be cut off at "nfo sshd ...." and thus MSGONLY would read 'nfo sshd[454900]: Connection from 192.168.10.20 port 42498'
instead of "Connection from 192.168.10.20 port 42498"

@Balazs: could you investigate whether a fix is possible for this "parsing error"?

thx
Jochen
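
An added example, not part of the original post and not syslog-ng code: a bounds-checked way to compute the MSGONLY offset that first skips an AIX-style "facility:level " token and only then looks for the colon after the program tag. The function names are hypothetical, and it assumes the message data starts at the facility token, as the post describes, and that AIX writes one of the standard syslog level names after the colon.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Standard syslog level names; assumed to be what AIX writes after the colon. */
static const char *const LEVELS[] = { "emerg", "alert", "crit", "err",
                                      "warning", "notice", "info", "debug" };

/* Length of a leading "facility:level " token, or 0 if the data has none. */
static size_t aix_prefix_len(const char *data, size_t len)
{
    const char *sp = memchr(data, ' ', len);
    if (!sp)
        return 0;
    size_t tok = (size_t)(sp - data);            /* first token, without the space */
    const char *colon = memchr(data, ':', tok);
    if (!colon || colon == data)
        return 0;
    const char *lvl = colon + 1;
    size_t lvl_len = tok - (size_t)(lvl - data); /* 0 for a normal "prog[pid]:" tag */
    for (size_t i = 0; i < sizeof LEVELS / sizeof LEVELS[0]; i++)
        if (strlen(LEVELS[i]) == lvl_len && memcmp(lvl, LEVELS[i], lvl_len) == 0)
            return tok + 1;                      /* token plus the separating space */
    return 0;
}

/* Offset of the message text: skip any AIX prefix, then "program[pid]: ". */
size_t msgonly_offset(const char *data, size_t len)
{
    size_t start = aix_prefix_len(data, len);
    const char *colon = memchr(data + start, ':', len - start);
    if (!colon)
        return start;                            /* no program tag found */
    size_t ofs = (size_t)(colon - data) + 1;
    if (ofs < len && data[ofs] == ' ')
        ofs++;                                   /* drop the space after the colon */
    return ofs;                                  /* never exceeds len */
}

int main(void)
{
    /* Sample built from the log line quoted in the post. */
    const char *m = "auth|security:info sshd[454900]: Connection from 192.168.10.20 port 42498";
    printf("%s\n", m + msgonly_offset(m, strlen(m)));
    return 0;
}
```

Matching the level name against a fixed list keeps an ordinary tag such as "sshd[454900]:" from being mistaken for the AIX prefix.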