Earlier I posted a message asking about whether syslog-ng had standard equipment for dealing with a couple of strange message types:

1) Messages forwarded by AIX syslogd which contain the string "Message forwarded from [hostname]: " ... and

2) Messages of the form: "last message repeated _n times"

I haven't received any responses. I've read traffic in the mailing list archives (e.g. December 2000) regarding the topic, but I haven't found any solutions. If I've missed something vital, please help me and let me know about it. I certainly apologize if I haven't been observant enough to skim the answers from the available resources.

I've taken a stab at solving the problem myself, and I thought I'd share it with all of you. Those of you who are so much more familiar with the source than I, please comment about whether you find I might have broken other functionality or adversely affected performance. I'm glad for your suggestions, or if this can help somebody else. For my installation, being able to handle AIX messages is particularly important.

My solution is just a simple and straightforward refactoring in log.c/parse_log_msg(). A patch against the 1.4.11 source distribution is attached to this message. I've tested it only on AIX, but I think it ought to work elsewhere since it only adds standard library stuff. (Basically, a couple of memcmp's). Some commented-out debugging output (to stderr) is there, too, if you'd want to enable it.

I'll describe the intended effects of this patch:

1) Messages forwarded by AIX systems are recognized, and the source hostname is taken from the string appended by AIX syslogd. For example,

   MMM DD HH:MM:SS Message forwarded from <hostname>: ...

   will use <hostname> for the source address. "Message" isn't taken as the source host.

2) If the message is forwarded by AIX syslogd but originally of syslog-ng origin, it'll have the form

   MMM DD HH:MM:SS Message forwarded from <hostname>: source@hostname ...

   In this case, "source@hostname" will be used as the source hostname (so that syslog-ng's source info is preserved).

3) If the message doesn't contain a hostname because it's of the form

   MMM DD HH:MM:SS last message repeated *n* times

   then it won't try to extract one (so it won't improperly use 'last'). The hostname will just come later when in sources.c it's gotten from the message source socket or wherever.

4) If the message is a "last message repeated ..." which was *also* forwarded by an AIX syslogd, it'll get the hostname extracted from AIX's "Message forwarded from ..." message.

I'm no expert in the syslog protocol/format, and I can see there is variability in implementation. So I'm certain there are plenty of cases that are left unaddressed. If you don't find this patch helpful in general, perhaps it's useful for some common cases.

One thing that's not addressed: When a "last message repeated ..." line is received, it's certainly helpful to know *which* was the last line-- the one that got repeated. If you're outputting to files by PROGRAM, then no program name is inherently available from this kind of message itself. And syslog-ng isn't keeping track of what PROGRAM logged last from a particular source host. So these "last message repeated ..." messages won't fall into the same logs as the lines for the PROGRAMs which produced the repeated messages. No simple solution is readily apparent to me...

Also, please note that "keep_hostname(yes)" is important, otherwise the AIX sender of forwarded messages is used anyway-- despite that the real origin is available. If you use chain_hostnames(yes), then this info ought to be preserved anyway.

Again, please comment and critique! Thanks very much.

--
Jonathan Marks
Systems Administrator, Production Systems Group
Computing and Communication Services Office
University of Illinois at Urbana-Champaign
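
The four cases listed in the message above, sketched as an added example; this is not the attached patch and not syslog-ng's own code. The names `extract_host` and `copy_token` are hypothetical, and the sketch assumes the "MMM DD HH:MM:SS " timestamp has already been consumed and that `hostlen` is at least 1. It uses `strncmp` and a length-limited copy so that short or oversized input from the network cannot over-read the message or overflow the host buffer.

```c
#include <string.h>

#define AIX_PREFIX    "Message forwarded from "
#define REPEAT_PREFIX "last message repeated "

/* Copy at most dstlen-1 bytes of the n-byte token at s and NUL-terminate. */
static void copy_token(const char *s, size_t n, char *dst, size_t dstlen)
{
    if (n >= dstlen)
        n = dstlen - 1;
    memcpy(dst, s, n);
    dst[n] = '\0';
}

/* Hypothetical helper, not syslog-ng's parse_log_msg(). p points just past
 * the timestamp. Fills host (left empty when the message carries none) and
 * returns a pointer to the remaining message text. */
const char *extract_host(const char *p, char *host, size_t hostlen)
{
    host[0] = '\0';
    if (strncmp(p, AIX_PREFIX, strlen(AIX_PREFIX)) == 0) {
        const char *h = p + strlen(AIX_PREFIX);
        const char *colon = strchr(h, ':');
        if (colon == NULL)
            return p;                     /* malformed: leave untouched */
        /* Cases 1 and 4: host comes from the string AIX syslogd added. */
        copy_token(h, (size_t)(colon - h), host, hostlen);
        p = colon + 1;
        p += strspn(p, " ");
        /* Case 2: a leading "source@hostname" token replaces that host. */
        size_t tok = strcspn(p, " ");
        if (memchr(p, '@', tok) != NULL) {
            copy_token(p, tok, host, hostlen);
            p += tok;
            p += strspn(p, " ");
        }
        return p;
    }
    /* Case 3: no hostname present, so "last" must not be taken as one. */
    if (strncmp(p, REPEAT_PREFIX, strlen(REPEAT_PREFIX)) == 0)
        return p;
    /* Ordinary "host message" form: the first token is the hostname. */
    size_t tok = strcspn(p, " ");
    copy_token(p, tok, host, hostlen);
    p += tok;
    p += strspn(p, " ");
    return p;
}
```

When `host` comes back empty, the caller would fall back to the address of the sending socket, as the message says sources.c does.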