On Tue, 2009-12-15 at 08:06 -0800, Larry Low wrote:
On Mon, 2009-12-14 at 08:21 -0800, Larry Low wrote:
On Fri, 2009-12-11 at 12:12 -0800, Larry Low wrote:
> In the past I used the MSG macro to get the full syslog message. Now
> MSG is broken into MSG and MSGHDR.
>
> If a message comes in without a program name such as "exiting on signal
> 15" or "last message repeated 20 times", syslog-ng incorrectly takes
> the first word as the program name. Trying to rebuild it with
> $MSGHDR$MSG causes an erroneous : to be placed on these messages since
> $MSGHDR is filled in with "exiting" and "last".
I found a previous post and tried adding store-legacy-msghdr. The problem now is that MSGHDR still includes the first word such as "exiting" and "last" but no colon, but on messages like "kernel : Kernel logging (proc) stopped.", "kernel: " is put in MSGHDR but then also placed in MSG and MSGONLY.
Noticed one more thing: if the PID is included in the syslog message then MSG and MSGONLY do not repeat process and pid when store-legacy-msghdr is on.
If you enable 'store-legacy-msghdr', syslog-ng will not try hard to properly parse program/pid information from the incoming message; rather, it simply stores all the characters up to the first space/colon character in MSGHDR.
But still $MSG will _not_ contain any of that. In order to get the full message you need to use
$MSGHDR$MSG
Yes but does not work when parsing "program: ". When this happens both MSGHDR and MSG include "program: ". Both "program " and "program[pid]: ", however, do get placed in MSGHDR and not repeated in MSG.
I really try to understand, but I can't. Can you please post an example log message, how you feel it should be processed and why syslog-ng doesn't do the right thing?
Thanks.
With 'store-legacy-msghdr' on.
Message = "program: I am logging something."
$MSGHDR = "program: "
$MSG = "program: I am logging something."
$MSGHDR$MSG = "program: program: I am logging something."
I can't reproduce with either the flag set, or unset. What I did was the following:

I've sent "program: I am logging something." to the UDP port opened by syslog-ng (without a full syslog header, but you didn't include that information either), the result was:

MSGHDR = [program: ], MSG = [I am logging something.]
MSGHDR = [program: ], MSG = [I am logging something.]

Then I tried to add a complete syslog header, but it again worked:

Dec 15 15:55:55 bzorp program: I am logging something.

So, I'm out of ideas what the difference might be. Ah... one idea: did you mark your configuration as '@version: 3.0' properly?

-- Bazsi
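
A minimal syslog-ng configuration for repeating the test discussed in this thread, added here as an example and not taken from either poster's setup. The listen address, port 5514, the output path and the bracketed template layout are assumptions chosen for a local test.

```conf
# Added example, not from the thread. Declares the 3.0 config format so the
# 3.0 macro semantics ($MSG without the header, $MSGHDR separate) apply.
@version: 3.0

# Test source on a non-privileged local UDP port (assumed values).
# Remove flags(store-legacy-msghdr) to compare the two parsing modes.
source s_test {
    udp(ip(127.0.0.1) port(5514) flags(store-legacy-msghdr));
};

# Write each macro in brackets so leading/trailing spaces and a duplicated
# "program: " prefix are visible in the output file (assumed path).
destination d_test {
    file("/tmp/msghdr-test.log"
         template("MSGHDR = [$MSGHDR], MSG = [$MSG], MSGHDR+MSG = [$MSGHDR$MSG]\n"));
};

log { source(s_test); destination(d_test); };
```

Sending the sample messages from the thread ("program: I am logging something.", "exiting on signal 15", "last message repeated 20 times") to this port, with and without the flag, shows how each one is split between the two macros.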