On Mon, 10 May 2010 17:56:48 +0200, Balazs Scheidler <bazsi@balabit.hu> wrote:
So my questions are:
1. Why is the $DAY macro not RFC3164-compliant? Is that a design choice? Was it simply never meant to be?
well, I'd say I haven't thought about this implication. The primary use for macros was in filenames (e.g. /var/log/messages.$YEAR.$MONTH.$DAY) in which case space would be a problem. I never wanted to handcraft BSD-like dates before using macros, nor have received such a report.
That makes sense. I do understand how most people would want to use this in a filename, and how a space would be a problem. My use case doesn't seem to be the norm.
Why is that necessary? You want to rewrite the date portion of a syslog message?
Yes. My intent is to make the original non RFC-compliant message, compliant. It has all of the component parts. I could use the syslog-ng functionality to date-stamp it, but I would prefer to keep the original date/time.
Anything in syslog-ng (filter, parser, rewrite, destination, but also sources) are "pipes" that get connected during configuration initialization.
That's good to know. I did get things working by playing around with the order of things in the config. I also changed "${PARSER.DD}" to "PARSER.DD" as I think I had that wrong. Also, just a quick note to say thanks for the excellent software and the quick response to my queries.