In syslog protocol the first word after the timestamp is either (a) the name of the host that sent the message or (b) the name of the application that sent the message, followed by a colon. If there is no colon it is interpreted as format (a).

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Rudolph, Timothy L
Sent: 10 September 2009 16:27
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] First word of log message dropped

I've recently started using syslog-ng 3.0.4 on a Solaris system to collect logs from a number of devices and servers. I've noticed a few instances where the first word of a log message is dropped from the entry written to file when comparing to the standard syslogd.

One example is a message (local1.err) that comes over the network as:

Sep 10 09:29:32 duplicate IP address 1.1.1.1 sent from link address 00:00:00:00:00:00

Without the store-legacy-msghdr flag, the resulting message in my log file generated by syslog-ng is:

Sep 10 09:29:32 so7761 IP: address 1.1.1.1 sent from link address 00:00:00:00:00:00

If I put the store-legacy-msghdr flag in, I only get a very minor change, no colon:

Sep 10 09:29:32 so7761 IP address 1.1.1.1 sent from link address 00:00:00:00:00:00

Is there any way I can get these entries to log correctly?

Thanks,
Tim
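
The host-or-program rule from the reply, applied to the message in the question, as an added example (a simplified model written for this page, not syslog-ng's own parser). It assumes the word after the host is read as the program tag and that the receiver writes its own name for the sender (so7761), which is what the outputs in the question show; `parse_legacy`, `render` and the `GOOD` sample line are constructed for illustration.

```python
import re

# Legacy BSD-syslog timestamp, e.g. "Sep 10 09:29:32", then the rest of the line.
_TS = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (.*)$")
# Program tag: name, optional [pid], optional colon, trailing whitespace.
_TAG = re.compile(r"^([^\s:\[]+)(?:\[(\d+)\])?(:?)(\s*)")

def parse_legacy(line):
    """Split a line using the host-or-program rule described in the reply."""
    m = _TS.match(line)
    if m is None:
        raise ValueError("no legacy timestamp at start of line")
    timestamp, rest = m.groups()
    first, _, remainder = rest.partition(" ")
    if first.endswith(":"):
        host, tagged = None, rest        # format (b): first word is the program
    else:
        host, tagged = first, remainder  # format (a): first word taken as host
    t = _TAG.match(tagged)
    if t is None:                        # nothing left that looks like a tag
        return {"timestamp": timestamp, "host": host, "program": "",
                "pid": None, "msghdr": "", "message": tagged}
    return {"timestamp": timestamp, "host": host, "program": t.group(1),
            "pid": t.group(2), "msghdr": t.group(0), "message": tagged[t.end():]}

def render(parsed, written_host, store_legacy_msghdr=False):
    """Rebuild the file entry; written_host is the name the receiver logs."""
    if store_legacy_msghdr:
        header = parsed["msghdr"]        # header text exactly as received
    elif parsed["program"]:
        pid = f"[{parsed['pid']}]" if parsed["pid"] else ""
        header = f"{parsed['program']}{pid}: "   # header regenerated from fields
    else:
        header = ""
    return f"{parsed['timestamp']} {written_host} {header}{parsed['message']}"

# The message from the question: no host and no "program:" tag on the wire.
WIRE = ("Sep 10 09:29:32 duplicate IP address 1.1.1.1 "
        "sent from link address 00:00:00:00:00:00")
# Constructed well-formed line for comparison.
GOOD = "Sep 10 09:29:32 so7761 sshd[411]: session opened"

if __name__ == "__main__":
    p = parse_legacy(WIRE)
    print(p["host"], "|", p["program"], "|", p["message"])
    print(render(p, "so7761"))
    print(render(p, "so7761", store_legacy_msghdr=True))
    print(render(parse_legacy(GOOD), "so7761"))
```

The word "duplicate" ends up in the host field and is then overwritten by the receiver's name for the sender, which is why it never reaches the file in either output.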