On Wed, 2011-08-17 at 11:09 +0200, Balazs Scheidler wrote:
On Mon, 2011-08-08 at 17:04 +0200, Javi Polo wrote:
On 08/06/2011 06:56 PM, Balazs Scheidler wrote:
As you can see, the program_name has disappeared. I suspect it is a bug, but I'm not sure, as there might be some change in syslog-ng behaviour that I did miss :?
flags(dont-store-legacy-msghdr)
I wanted to explain why, but I'm in a hurry, probably in an upcoming post. (the flag might be called no-store-..., can't remember exactly)
Thanks! I found an explanation there: http://bazsi.blogs.balabit.com/2010/05/small-incompatible-change-for-3-1/
However, it still doesn't work. As the flag 'dont-store-legacy-msghdr' is set on the 'source' statement in the logserver host, it seems it doesn't affect the syslog-ng generating the log, which strips the program from the log line.
I tried to put the 'dont-store-legacy-msghdr' flag in the originating host, under the 'destination' statement, but syslog-ng complains that the flag is invalid there ...
I have switched back to syslog-ng 3.0 till I can resolve this issue.
You need the flag on the host that has program-override(). program-override() will not work if store-legacy-msghdr is enabled, unless the destination template is customized too.
If the client syslog-ng has program-override(), then you need the flag on that host, on its source statement.
I've pushed this to 3.3, which should be backported to 3.3 one day:

commit c76483fcd6c033fdf9b46d1c18753d466362ea88
Author: Balazs Scheidler <bazsi@balabit.hu>
Date: Mon Aug 22 09:28:48 2011 +0200

    program-override(): disable the effect of store-legacy-msghdr flag

    During 3.1, the flag "store-legacy-msghdr" has become default, which
    means that the $PROGRAM[$PID] portion of the original syslog message
    was restored to the same format it was received as, instead of being
    reconstructed from the parsed values.

    However, when specifying program-override(), this behaviour was not
    restored, e.g. even if the value of the $PROGRAM name-value pair has
    changed, the originally stored format was used in files. This was
    certainly not very intuitive.

    This patch changes that, if $PROGRAM is set in any way (e.g.
    program-override(), rewrite rule, parser) the effect of
    store-legacy-msghdr is disabled. That can be restored by using an
    explicit $LEGACY_MSGHDR macro in the destination template.

    Cc: syslog-ng-stable@balabit.hu
    Signed-off-by: Balazs Scheidler <bazsi@balabit.hu>

--
Bazsi
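
The configuration discussed in this thread, as an added example that is not part of the original messages or of the syslog-ng project: a client-side source carrying both program-override() and the flag, next to the two template-based alternatives the thread mentions. The statement names, socket path, program name, log server address and file path are constructed for illustration.

```conf
@version: 3.3

# Client host (the one that generates the log). The flag goes on the same
# source statement that sets program-override(), so the "$PROGRAM[$PID]: "
# header stored from the received message is not reused on output.
# Socket path and program name are constructed values.
source s_app {
    unix-dgram("/var/run/app.log"
        program-override("myapp")
        flags(dont-store-legacy-msghdr));
};

# Forward to the central log server (constructed address).
destination d_logserver {
    tcp("logserver.example.com" port(514));
};

log { source(s_app); destination(d_logserver); };

# Alternative without the flag: customize the destination template so the
# header is built from the current value of $PROGRAM instead of the stored
# legacy header.
destination d_logserver_tmpl {
    tcp("logserver.example.com" port(514)
        template("<$PRI>$DATE $HOST $PROGRAM: $MSG\n"));
};

# With the patch from the commit above applied, setting $PROGRAM disables
# store-legacy-msghdr for that message. To write the header exactly as it
# was received anyway, reference $LEGACY_MSGHDR explicitly (constructed path).
destination d_as_received {
    file("/var/log/app-as-received.log"
        template("$ISODATE $HOST $LEGACY_MSGHDR$MSG\n"));
};
```

Running syslog-ng with --syntax-only against the file checks that the installed version accepts these options before the configuration is deployed.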