<span class="Apple-style-span" style="border-collapse: collapse; "><span style="border-collapse: collapse; ">Hello, <div><br></div><div>I'm new on syslog-ng.</div><div>I use v3.0.2 on a CentOS 4.4.</div><div><br></div>
<div>I send syslog logs from a netapp FAS 2020 (*.*) to the syslog-ng server via udp.</div><div><br></div><div>I have problem to analyse thoses logs. the lines have a different format than the standard syslog from another unix by example and are different than the BSD or IETF standard described in the syslog-ng documentation :<br clear="all">
</div><div>(...)</div><div><div>Tue May 19 11:27:30 CEST [netapp-L: wafl.quota.qtree.exceeded:notice]: tid 10: tree quota exceeded on volume linusers. Additional warnings will be suppressed for approximately 60 minutes or until a 'quota resize' is performed.</div>
<div>(...)</div><div><br></div><div>1°) When i use it in syslog-ng i get this line in a sample extraction without filter :</div><div>(...)</div></div></span><div>May 19 11:27:30 netapp-b wafl.quota.qtree.exceeded:notice]: tid 10: tree quota exceeded on volume linusers. Additional warnings will be suppressed for approximately 60 minutes or until a 'quota resize' is performed.</div>
<div>(...)</div><div>(difference between host named should come from the renaming of hosts during tests, and dns aliases, don't think this is the problem).</div><div><br></div>Is it possible to correct the processus that parse the original line ? it seems that the parser block can be used only for the $MESSAGE part of the line.<div>
<br></div><div>2°) It want to use other macro to make some filter and destination, like $PROGRAM. Is it possible to 'debug' the processing and have a details of macros and their contents, line by line ?</div><div>
<br></div><div>Thx</div><div><br></div><div>(sorry for the first miss)</div></span>-- <br>Salutations,<br>David CHALON<br>