Matt Mencel on Tue, Dec 19, 2000 at 08:55:23AM -0600:

Hi,
Dec 19 08:22:28 otherserver root: www.somewebpage.com 123.123.123.123 - - [19/Dec/2000:08:22:28 -0600] "GET /index.html HTTP/1.1" 200 2026 http://www.somewebpage.com/ "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
I don't think you can fix this on the syslog-ng side. I have two ideas:

1. use a program() destination:

   destination d_ftplog {
       program("sed -e 's/^\([A-Za-z0-9:]* \)\{5\}//' > my_logfile");
   };

   This is untested and will put some extra load on your log-box ...

2. tweak your analysis software to ignore the other fields. Shouldn't be
   too hard, especially if it's perl, and you won't have much extra load,
   since the tool needs to parse the whole string somewhere anyways.

Hope this helps,
Gregor.
-- 
Gregor Binder <gbinder@sysfive.com> http://www.sysfive.com/~gbinder/
sysfive.com GmbH UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany TEL +49-40-63647482
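A stricter form of the header-stripping filter from idea 1, as an added example that is not part of the original post; the function name strip_syslog_header, the HDR pattern and the sample lines are constructed for illustration. It goes beyond the one-liner by matching the shape of the syslog header (single-digit days are space-padded, hostnames may contain dots or hyphens) and by writing lines without a recognisable header to a separate file instead of passing them on to the analysis tool.

```shell
#!/bin/sh
# Added example: strip the syslog header that precedes a forwarded web log line.
# Header shape assumed here: "Mon DD HH:MM:SS host tag: " (classic BSD syslog).
HDR='^[A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2} [^ ]+ [^ ]+: '

# stdin : raw syslog lines
# stdout: the payload with the header removed
# $1    : file that receives lines with no recognisable header
#         (overwritten on every run)
strip_syslog_header() {
    # s///p prints only lines where the header was removed; "t" then skips
    # the "w" command, so "w" sees just the lines that did not match.
    sed -E -n -e "s/$HDR//p" -e t -e "w $1"
}

# Constructed sample input: the line from the thread, a line with a
# space-padded day and a dotted hostname, and a line that is not syslog.
SAMPLE='Dec 19 08:22:28 otherserver root: www.somewebpage.com 123.123.123.123 - - [19/Dec/2000:08:22:28 -0600] "GET /index.html HTTP/1.1" 200 2026
Dec  9 08:22:29 web-1.example.com httpd[311]: www.somewebpage.com 10.0.0.5 - - [09/Dec/2000:08:22:29 -0600] "GET /a.html HTTP/1.1" 404 310
not a syslog line'

rej=$(mktemp)
printf '%s\n' "$SAMPLE" | strip_syslog_header "$rej"
echo "rejected: $(wc -l < "$rej") line(s)" >&2
rm -f "$rej"
```

A non-empty reject file is worth alerting on: it means something is writing to the log path in a format the web-log analysis would otherwise misread.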