On Wed, 2009-05-20 at 09:10 +0200, David - DCPC wrote:
> Hello,
> I'm new to syslog-ng. I use v3.0.2 on CentOS 4.4.
> I send syslog logs from a NetApp FAS 2020 (*.*) to the syslog-ng server via UDP.
> I have a problem analysing those logs. The lines have a different format than the standard syslog from another Unix, for example, and are different from the BSD or IETF standard described in the syslog-ng documentation:
> (...) Tue May 19 11:27:30 CEST [netapp-L: wafl.quota.qtree.exceeded:notice]: tid 10: tree quota exceeded on volume linusers. Additional warnings will be suppressed for approximately 60 minutes or until a 'quota resize' is performed. (...)
Hmm, this includes additional timezone & day information, neither of which is supported by syslog-ng in this format. These date formats are supported right now:
/* RFC3339 timestamp, expected format: YYYY-MM-DDTHH:MM:SS[.frac]<+/->ZZ:ZZ */
/* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */
/* LinkSys timestamp, expected format: MMM DD HH:MM:SS YYYY */
/* RFC 3164 timestamp, expected format: MMM DD HH:MM:SS ... */
> 1°) When I use it in syslog-ng I get this line in a sample extraction without a filter: (...) May 19 11:27:30 netapp-b wafl.quota.qtree.exceeded:notice]: tid 10: tree quota exceeded on volume linusers. Additional warnings will be suppressed for approximately 60 minutes or until a 'quota resize' is performed.
Hmm... I don't see how the timestamp was recognized, but I'm adding your message to the testcases to see how.... I did, and it seems that syslog-ng assumes there's no date in the message (since it is not recognized); then the first word is recognized as the name of the program (e.g. $PROGRAM becomes Tue, since that's the first word).
> (...) (The difference between host names should come from the renaming of hosts during tests, and DNS aliases; I don't think this is the problem.)
> Is it possible to correct the process that parses the original line? It seems that the parser block can be used only for the $MESSAGE part of the line.
You can use the 'no-parse' flag on your source, which means that the complete incoming line is put in $MSG and the rest ($DATE and $HOST) are filled based on the reception information, e.g. the reception date and the host that sent the message.
> 2°) I want to use other macros to make some filters and destinations, like $PROGRAM. Is it possible to 'debug' the processing and have details of the macros and their contents, line by line?
If you enable the --debug option you can get debug output on filter evaluation.
-- Bazsi
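The whole exchange turns on one parsing problem, so a single added example follows the thread here. It is Python written for this page, not syslog-ng code and not something either participant posted. It models the two paths Bazsi describes: the stock RFC 3164 path, where the NetApp prefix matches none of the four supported timestamp shapes and "Tue" ends up in $PROGRAM, and the flags(no-parse) path, where the whole line lands in $MSG and a parser written for the NetApp header recovers $DATE, $HOST, $PROGRAM and the severity from it. The NetApp header regex is derived from the single sample line in the thread and is an assumption; the sshd line is constructed; the macro dump helper is the example's own and is not what syslog-ng --debug prints.

```python
import re

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
DAYS = "Mon|Tue|Wed|Thu|Fri|Sat|Sun"

# The four timestamp shapes listed in the thread as supported by syslog-ng 3.0,
# modelled as regexes. Order matters: PIX and LinkSys carry a year and RFC 3164
# is a prefix of LinkSys, so RFC 3164 must be tried last.
SUPPORTED_DATES = [
    ("rfc3339", re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})")),
    ("pix",     re.compile(rf"(?:{MONTHS}) [ 0-3]\d \d{{4}} \d{{2}}:\d{{2}}:\d{{2}}:")),
    ("linksys", re.compile(rf"(?:{MONTHS}) [ 0-3]\d \d{{2}}:\d{{2}}:\d{{2}} \d{{4}}")),
    ("rfc3164", re.compile(rf"(?:{MONTHS}) [ 0-3]\d \d{{2}}:\d{{2}}:\d{{2}}")),
]

# Header of the NetApp line quoted in the thread:
#   Tue May 19 11:27:30 CEST [netapp-L: wafl.quota.qtree.exceeded:notice]: tid 10: ...
# i.e. weekday, RFC 3164-style date, a timezone name, then "[host: program:severity]:".
# Assumption of this example: derived from that one sample line only.
NETAPP_HEADER = re.compile(
    rf"^(?:{DAYS}) (?P<date>(?:{MONTHS}) [ 0-3]\d \d{{2}}:\d{{2}}:\d{{2}}) (?P<tz>[A-Z]{{3,5}}) "
    r"\[(?P<host>[^:\]]+): (?P<program>[^:\]]+):(?P<severity>[^\]]+)\]: (?P<msg>.*)$"
)

# "hostname program[pid]: message", as it follows a recognised RFC 3164 timestamp.
LEGACY_HEADER = re.compile(r"^(?P<host>\S+) (?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

# The NetApp line is the one quoted in the thread; the sshd line is constructed for this example.
NETAPP_LINE = ("Tue May 19 11:27:30 CEST [netapp-L: wafl.quota.qtree.exceeded:notice]: tid 10: "
               "tree quota exceeded on volume linusers. Additional warnings will be suppressed for "
               "approximately 60 minutes or until a 'quota resize' is performed.")
SSHD_LINE = "<38>May 19 11:28:01 host1 sshd[1234]: Accepted publickey for root from 10.0.0.5 port 52314 ssh2"


def parse_legacy(line, recv_host, recv_date):
    """Simplified model (not syslog-ng code) of the RFC 3164 path Bazsi describes:
    strip the PRI, try the supported timestamps, then read host and program.
    When no timestamp matches, $DATE/$HOST come from reception and the first
    word of the line ends up in $PROGRAM."""
    rest = re.sub(r"^<\d{1,3}>", "", line)
    for fmt, rx in SUPPORTED_DATES:
        m = rx.match(rest)
        if not m:
            continue
        rest = rest[m.end():].lstrip()
        hdr = LEGACY_HEADER.match(rest)
        if hdr:
            return {"DATEFMT": fmt, "DATE": m.group(0), "HOST": hdr["host"],
                    "PROGRAM": hdr["program"], "PID": hdr["pid"], "MSG": hdr["msg"]}
        host, _, msg = rest.partition(" ")
        return {"DATEFMT": fmt, "DATE": m.group(0), "HOST": host, "PROGRAM": "", "PID": None, "MSG": msg}
    # No supported date found: the first word is taken as the program name.
    program, _, msg = rest.partition(" ")
    return {"DATEFMT": None, "DATE": recv_date, "HOST": recv_host,
            "PROGRAM": program, "PID": None, "MSG": msg}


def parse_netapp(line, recv_host, recv_date):
    """Model of flags(no-parse) plus a NetApp-aware parser over $MSG: the whole line
    lands in $MSG, $DATE/$HOST default to the reception values, and the header
    regex (when it matches) replaces them with what the appliance actually sent."""
    record = {"DATEFMT": None, "DATE": recv_date, "TZ": "", "HOST": recv_host,
              "PROGRAM": "", "SEVERITY": "", "MSG": line}
    m = NETAPP_HEADER.match(line)
    if m:
        record.update({"DATEFMT": "netapp", "DATE": m["date"], "TZ": m["tz"], "HOST": m["host"],
                       "PROGRAM": m["program"], "SEVERITY": m["severity"], "MSG": m["msg"]})
    return record


def dump_macros(record):
    """One line per macro: the per-message view David asks for in 2°).
    This is the example's own helper, not the output of syslog-ng --debug."""
    return "\n".join(f"${k}={v!r}" for k, v in record.items())


if __name__ == "__main__":
    for line in (NETAPP_LINE, SSHD_LINE):
        print("--- stock RFC 3164 path")
        print(dump_macros(parse_legacy(line, "netapp-b", "May 19 11:27:30")))
        print("--- no-parse + NetApp header parser")
        print(dump_macros(parse_netapp(line, "netapp-b", "May 19 11:27:30")))
```

Running it on the NetApp line shows the failure mode from the thread (the stock path reports $PROGRAM='Tue' and the reception host, so filters on $PROGRAM cannot match wafl.quota.qtree.exceeded) beside the fixed record, while the constructed sshd line shows that the stock path is right for ordinary RFC 3164 input and that the NetApp parser leaves such lines untouched in $MSG.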