<br><tt><font size=2>Hi again</font></tt>
<br>
<br>
<br><tt><font size=2>First of all, I already used syslog-ng before, but
I had no idea it was doing parsing, so this is normal :p</font></tt>
<br>
<br><tt><font size=2>I changed my configuration to use the no_parse function
in the source driver of the webserver on which the syslog-ng client</font></tt>
<br><tt><font size=2>forwards the messages to the syslog server. This does
the trick. </font></tt>
<br>
<br><tt><font size=2>I don't even have to change the configuration on the
target syslog server which greatly reduces configuration file changes.</font></tt>
<br>
<br>
<br><tt><font size=2>Thx for the answer!</font></tt>
<br>
<br>
<br><tt><font size=2>Filip</font></tt>
<br>
<br>
<br>
<br>
<br><tt><font size=2>> Hi,<br>
> <br>
> > I have a weird problem with syslog-ng. I am setting up a syslog-ng<br>
> > client on an Apache server which forwards both access and error log<br>
> > to a central syslog-ng server.<br>
> <br>
> First of all please note that you're trying to deal with<br>
> non-standard-compliant messages. syslog-ng tries to parse the incoming<br>
> log lines trying various known syslog formats.<br>
> <br>
> > The access log on the source has entries like this:<br>
> > 10.3.154.20 - - [23/Apr/2010:13:55:25 +0200] "GET /images/userLo...<br>
> > and this becomes like this on the syslog server:<br>
> > servername 10.3.154.20: - - [23/Apr/2010:13:55:25 +0200] "GET /images/use<br>
> <br>
> The first syslog-ng (which receives the apache log) parses the line.<br>
> There is no syslog header found so it falls back to the legacy format.<br>
> There is neither priority code nor timestamp so the IP address becomes<br>
> the program name. That's why you see it logged on the second server.<br>
> <br>
> > All ok with this one, but with the error log I get this on the webserver:<br>
> > [Fri Apr 23 13:55:25 2010] [error] [client 10.3.154.20] File doe...<br>
> > but this on the syslog server:<br>
> > servername Apr 23 13:55:25 2010] [error] [client 10.3.154.20] File do...<br>
> ><br>
> > Where is the [ character at the beginning of the timestamp gone?????<br>
> <br>
> As above, this line isn't a syslog message at all. From syslog's<br>
> perspective it's more or less random junk. The trailing '[' causes<br>
> that there is no program name at all and the parser thinks the<br>
> following string up to the closing ']' is the pid like in normal logs<br>
> eg. programname[pid]<br>
> <br>
> I don't see how this "pid" could appear on the receiving side with<br>
> only the closing brace. Please show your configs and the captured<br>
> network packet too.<br>
> <br>
> In general when an app doesn't speak syslog formats and there is no<br>
> option to format its logs properly then using the no-parse option (on<br>
> all syslog-ng servers the log passes through) or writing a small app<br>
> which reformats the logs and feeds to syslog-ng is the way to go.<br>
> <br>
> Regards,<br>
> <br>
> Sandor<br>
> <br>
</font></tt>
<br>
<br>
<br>
<br>
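<p>Sandor's alternative of a small app that reformats the logs, as an added example (not code from this thread or from syslog-ng): it wraps each Apache line in an RFC 3164 header so the legacy parser finds a priority, timestamp, host and program name instead of guessing them from the line. The facility local0, the tags apacheaccess/apacheerror, the host name web01 and the sample lines are assumptions constructed for illustration.</p>

```python
import re
from datetime import datetime

# Constructed sample lines in the two Apache formats discussed in the thread.
ACCESS = '10.3.154.20 - - [23/Apr/2010:13:55:25 +0200] "GET /index.html HTTP/1.1" 200 512'
ERROR = '[Fri Apr 23 13:55:25 2010] [error] [client 10.3.154.20] File does not exist: /var/www/x'

ACCESS_TS = re.compile(r'\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')
ERROR_HDR = re.compile(r'^\[([A-Za-z]{3} [A-Za-z]{3} [ \d]\d \d{2}:\d{2}:\d{2} \d{4})\] \[(\w+)\]')

# Apache error-log level -> syslog severity code.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "error": 3,
            "warn": 4, "notice": 5, "info": 6, "debug": 7}
LOCAL0 = 16  # facility chosen for this example (assumption)

def _stamp(dt):
    # RFC 3164 timestamp "Mmm dd hh:mm:ss"; a single-digit day is space-padded.
    return "%s %2d %s" % (dt.strftime("%b"), dt.day, dt.strftime("%H:%M:%S"))

def to_syslog(line, host, now=None):
    """Prefix one Apache log line with an RFC 3164 header; the line stays intact as MSG."""
    line = line.rstrip("\r\n")
    m = ERROR_HDR.match(line)
    if m:
        dt = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        # Tags are purely alphanumeric so the header parser cannot split them.
        tag, sev = "apacheerror", SEVERITY.get(m.group(2), 3)
    else:
        m = ACCESS_TS.search(line)
        # Wall-clock time is kept and the UTC offset dropped (RFC 3164 has no zone).
        # A line without a timestamp falls back to the current time.
        dt = (datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S") if m
              else (now or datetime.now()))
        tag, sev = "apacheaccess", 6
    pri = LOCAL0 * 8 + sev  # PRI = facility * 8 + severity
    return "<%d>%s %s %s: %s" % (pri, _stamp(dt), host, tag, line)

if __name__ == "__main__":
    for sample in (ACCESS, ERROR):
        print(to_syslog(sample, "web01"))
```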