On Sun, 2007-12-30 at 08:22 -0800, Evan Rempel wrote:
MSG is not sufficient because it forces the message, program and PID to be controlled as one piece. My example of recreating the original syslog record was overly simplistic and can be accomplished as you indicate with the MSG expansion.
I had forgotten about PID, which seems appropriate, PROVIDED it is not required to be numeric. We have a few applications that use the text between the [] as an instance name that is made up of letters and numbers.
All of the more complicated examples I can think of are for data mining purposes and as such go through an external program that places the syslog data into a storage engine (database). In all of these cases, external parsing of the program[pid] can be done. IMHO it would be cleaner to parse the message in syslog-ng to create an output stream that has all of the message pieces broken apart
DATE HOST FACILITY PRIORITY PROGRAM PID MSGONLY
and this seems to have been addressed by the PID, with the one caveat that it must accept non-numeric data.
It does.

-- Bazsi
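The external parsing of program[pid] discussed in this thread, as an added example in Python (not code from the thread or from syslog-ng). It splits a BSD-syslog line into the seven fields listed above and keeps PID as an opaque string, so an alphanumeric instance name passes through. The sample records, the regular expression and the function names are constructed for illustration.

```python
import re

# Constructed sample records (not from the thread). The second carries an
# alphanumeric instance name between the brackets instead of a numeric PID.
SAMPLES = [
    "<38>Dec 30 08:22:01 mailhost sshd[4721]: Accepted publickey for alice",
    "<134>Dec 30 08:22:05 apphost billing[node7a]: batch 12 committed",
    "<13>Dec 30 08:22:09 apphost cron: job finished",
]

# Facility names for codes 0-11 and 16-23; other codes are reported as numbers.
FACILITY = dict(enumerate(
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp".split()))
FACILITY.update({16 + i: f"local{i}" for i in range(8)})
SEVERITY = "emerg alert crit err warning notice info debug".split()
COLUMNS = ("DATE", "HOST", "FACILITY", "PRIORITY", "PROGRAM", "PID", "MSGONLY")

RECORD = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s\[\]:]+)"      # program name stops at '[', ':' or space
    r"(?:\[(?P<pid>[^\]]*)\])?"      # optional [pid]; any text, not only digits
    r":? ?(?P<msgonly>.*)$"
)

def split_record(line):
    """Return the seven fields as strings; PID is never converted to int."""
    m = RECORD.match(line)
    if m is None:
        raise ValueError(f"not a BSD-syslog record: {line!r}")
    fac, sev = divmod(int(m["pri"]), 8)
    return {
        "DATE": m["date"],
        "HOST": m["host"],
        "FACILITY": FACILITY.get(fac, str(fac)),
        "PRIORITY": SEVERITY[sev],
        "PROGRAM": m["program"],
        "PID": m["pid"] or "",       # empty when the tag has no brackets
        "MSGONLY": m["msgonly"],
    }

def to_row(fields):
    """Render one tab-separated output line in the column order above."""
    return "\t".join(fields[name] for name in COLUMNS)

if __name__ == "__main__":
    for sample in SAMPLES:
        print(to_row(split_record(sample)))
```

A storage schema fed from this output needs a text column for PID; an integer column would reject or truncate records like the second sample.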