On Thu, 2007-12-20 at 14:05 -0700, Allen Bettilyon wrote:
Thanks for the replies.
To address a few of the questions:
1) The receiving end is a splunk instance.
2) I have verified the existence of the <number> with tcpdump, so it's not the receiving end injecting the value.
3) The logs being written locally by syslog-ng do NOT have the number injected.
4) The template didn't seem to fix the problem.
5) This also happens when using the program() destination.
Below are some details regarding the 2 tests I've run. The numbers do change, but not very quickly. I haven't been able to tell if they increment or decrement or are just random.
Quite perplexing. I think my next steps will be to recreate this issue on a totally separate node and installation of syslog-ng.
-Allen
----- details regarding the upd forwarder -------------
Below is the destination clause in its entirety, with addresses changed to protect the innocent. I've tried it with and without the NGTOKEN literal just to prove to myself that the number was not part of any of the macros.
destination forwardHost { tcp("1.1.1.1" port(1) template("NGTOKEN $ISODATE $FACILITY $LEVEL $MSG\n")); };
Just to sanity check this again, I set up a filter to match local1 traffic and forward it while doing a packet capture from the syslog host using tcpdump in ASCII mode:
13:48:16.736077 IP syslogngHost.47468 > 1.1.1.1.1: P 3847271716:3847271778(62) ack 4053481885 win 5840 <nop,nop,timestamp 11894280 1181945548> E..r4+@.@..) .
Here's a snippet of the NEWS file of syslog-ng 1.6.x:

News for the 1.6.3 release
Thu, 06 May 2004 11:05:46 +0200
...
* fixed afunix and afinet destination template handling, do not include the PRI value automatically, let the administrator do it explicitly in its template

I think you are bitten by this problem which was fixed in 1.6.3. As you wrote, you are using 1.6.2, but if you need to update anyway, I'd recommend to update directly to 2.0.6; the 1.6.x branch is not maintained anymore.

--
Bazsi
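One way to confirm Bazsi's diagnosis from the receiving side, as an added example that is not part of the thread or of syslog-ng itself: if the leading number is the PRI value that 1.6.2 prepends, it must equal facility * 8 + severity (RFC 3164), so it should decode to the same facility and level that the "$FACILITY $LEVEL" template fields carry in the same line. The sample lines below are constructed to match Allen's "NGTOKEN $ISODATE $FACILITY $LEVEL $MSG" template; the facility names for codes 12-15 are left as placeholders because they vary between implementations.

```python
import re

# Facility codes per RFC 3164; 12-15 are given placeholder names here since
# implementations disagree on them. local0..local7 are 16..23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "fac12", "fac13", "fac14", "fac15",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Matches the thread's template, optionally prefixed by the <PRI> that
# syslog-ng 1.6.2 adds on its own before the template output.
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?NGTOKEN (?P<date>\S+) (?P<facility>\S+) (?P<level>\S+) (?P<msg>.*)$"
)


def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    facility, severity = divmod(pri, 8)
    if facility >= len(FACILITIES):
        raise ValueError("PRI %d is out of range" % pri)
    return FACILITIES[facility], SEVERITIES[severity]


def check_line(line):
    """Parse one received line and report whether any leading <PRI> agrees with
    the $FACILITY and $LEVEL fields rendered by the template."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("line does not match the NGTOKEN template: %r" % line)
    fields = m.groupdict()
    if fields["pri"] is None:
        # Nothing prepended: what a fixed syslog-ng (1.6.3+) should send.
        return {"injected_pri": None, "consistent": None, **fields}
    pri = int(fields["pri"])
    fac, sev = decode_pri(pri)
    fields["injected_pri"] = pri
    fields["consistent"] = (fac == fields["facility"] and sev == fields["level"])
    return fields


# Constructed sample: local1 (17) * 8 + info (6) = 142, as 1.6.2 would emit it.
INJECTED = "<142>NGTOKEN 2007-12-20T13:48:16-07:00 local1 info test message"
CLEAN = "NGTOKEN 2007-12-20T13:48:16-07:00 local1 info test message"

if __name__ == "__main__":
    for line in (INJECTED, CLEAN):
        print(check_line(line))
```

Running it over a captured line that starts with the number and finding consistent=True for every message is strong evidence that the number is the PRI and not data from any macro; the slowly changing values in Allen's capture are what you would expect, since the PRI only moves when the facility or level of the traffic changes.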