On Thu, 2011-01-13 at 13:06 -0500, Champ Clark III [Softwink] wrote:
You seem to want only the message part of the log entry. With syslog-ng, $MSG contains the program too, and if you want the message part only, you should try $MSGONLY in the template. That should do just what you want.
By the way, there's excellent documentation about syslog-ng macros, which explains the difference between $MSG and $MSGONLY at http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...
Thank you for the reply. I thought I'd RTFM'ed, but obviously not enough. It sounds like $MSGONLY is exactly what I need.
On second read, $MSG's behaviour seems to be dependent upon what version of syslog-ng you're using. According to the documentation, syslog-ng prior to 3.0 had the program name and the pid in $MSG, in 3.0 and past that, $MSG is synonymous to $MSGONLY. I'm not sure whether <3.0 contains $MSGONLY, but if they do, then all is well, and one can use the same macro for all versions. -- |8]