On Wed, 2008-01-02 at 09:45 +0530, Anant Athavale wrote:
Dear List,
I am redirecting a system log of one server to a centralized log server running syslog-ng. When we redirect, syslog-ng adds its own datetime stamp before the actual log entry for each line. Due to this, one of the log processing programs does not recognize the format and does not generate any reports. If I remove those 4 fields (Month Name, Date, Year and IP address), for example: Jan 2 2008 10.10.10.10 (here 10.10.10.10 is the IP address of the system whose logs are getting stored in the central log server), that log processing software works as expected and generates the report.
Is it possible to block those fields from being recorded? If yes, how? And if not, what is the alternative?
Syslog-ng tries to parse the time stamp of the original message, and if it is not in a proper format, it assumes the timestamp is part of the message itself and adds a complete syslog header; that's why you see that a timestamp is prepended. Can you show us an example of the original message?

Once the timestamp is parsed, syslog-ng regenerates it according to the template used and the ts_format() global option.

-- Bazsi
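The behaviour described in the reply can be checked against your own original messages with a small model, added here as an example that is not part of the thread and is not syslog-ng's code. It tests only for the RFC 3164 "Mmm dd hh:mm:ss" form; the function names, the sample lines and the layout of the prepended header are assumptions made for illustration.

```python
import re
from datetime import datetime

# RFC 3164 (BSD syslog) header: optional <PRI>, then "Mmm dd hh:mm:ss".
# The day is space-padded ("Jan  2") and there is no year field.
BSD_TS = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"([ 0-3]\d) (\d{2}):(\d{2}):(\d{2}) "
)

def has_bsd_timestamp(line: str) -> bool:
    """True if the line starts with a well-formed RFC 3164 timestamp."""
    m = BSD_TS.match(line)
    if not m:
        return False
    day, hh, mm, ss = (int(m.group(i)) for i in range(2, 6))
    return 1 <= day <= 31 and hh < 24 and mm < 60 and ss < 60

def relay(line: str, sender_ip: str, received: datetime) -> str:
    """Simplified model of the central server: a parseable header is kept
    (real syslog-ng regenerates it from the template), otherwise the whole
    line is treated as message text and a fresh header is prepended."""
    body = re.sub(r"^<\d{1,3}>", "", line)  # drop the priority field
    if has_bsd_timestamp(line):
        return body
    # Assumed header layout for this model: BSD timestamp plus sender address.
    stamp = f"{received:%b} {received.day:2d} {received:%H:%M:%S}"
    return f"{stamp} {sender_ip} {body}"

# Constructed sample messages, not taken from the thread.
CONFORMING = "<13>Jan  2 09:45:01 web01 app: login ok"
NONSTANDARD = "<13>2008/01/02 09:45:01 app: login ok"

if __name__ == "__main__":
    now = datetime(2008, 1, 2, 9, 46, 0)
    for sample in (CONFORMING, NONSTANDARD):
        print(has_bsd_timestamp(sample), "->", relay(sample, "10.10.10.10", now))
```

A line for which `has_bsd_timestamp` returns False is one whose own timestamp ends up inside the message text behind a second, prepended header, which is the duplication the downstream report tool trips over.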