Hi all,

I'm working with Sawmill log collector that it's able to import the Syslog-NG logs.

I have to export logs with a specific template() to have them corretly imported into Sawmill.

Here the regular expression used to match syslog-ng lines inside the Sawmill parser (that seem coded by "BalaBit IT Security"):
'^([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])T([0-9][0-9]:[0-9][0-9]:[0-9][0-9])[-+][0-9][0-9]:*[0-9][0-9] ([^ ]+) ([^ ]+) ([^ ]+) (.*)$'

where matches are imported as:
1- date
2- time
3- logging_device
4- syslog_message_type
5- syslog_priority
6- v.syslog_message

I have partially re-create the template() string but I still have a couple of doubts:
template("${YEAR}-${MONTH}-${DAY}T${HOUR}:${MIN}:${SEC}+??:?? ${SOURCEIP} ${PROGRAM} ${PRIORITY} ${MSG}\n")

Make sense $PROGRAM as "message type"?
And do you have any ideas for the question marks?

Any help is appreciated. Thank you.

Saluti,

Francesco.