Ok, good news then. In the meantime I use $MESSAGE and "cut -c13-5010" does the trick. Regards Steven -----Message d'origine----- De : syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] De la part de Balazs Scheidler Envoyé : mercredi 1 octobre 2008 11:16 À : Syslog-ng users' and developers' mailing list Objet : Re: [syslog-ng] $MSGONLY bad output On Tue, 2008-09-30 at 17:44 +0200, Steven wrote:
Thanks for your attention
Syslog-ng receives good data, as it seems (when no modification on output is done, all data is written to log file).
If I use template t_IIS { template("$MESSAGE\n"); template_escape(no); }
Then the output in logfile is : IISWebLog 0 2008-09-30 14:02:40 GET (...)
This is not standard syslog format, thus syslog-ng parses the complete string into the "MESSAGE" part of the syslog (both the IISWebLog header and the date are part of the message, no date header is present). MSGONLY in this case assumes that the message is in the format: program[pid]: payload Thus it searches for the first colon and expands to "payload". In your case you cannot use MSGONLY as the message is not in syslog format. I almost finished syslog-ng OSE 3.0 backports, and that has features that you could use.
If I use $MSGONLY instead of $MESSAGE then I get : 02:40 GET (...)
What I should have is : 2008-09-30 14:02:40 GET (...)
Date and hours gets truncated.
-- Bazsi ____________________________________________________________________________ __ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html