Hello all! I've got a bit of a strange problem. I've been developing software (Shameless plug: http://sagan.softwink.com) that does log analysis. This software is mostly used with Syslog-ng and Rsyslog. We recently started testing some log normalization, and I'm seeing different results from syslog-ng's $MSG string and rsyslog %msg%. For example: template("$MSG\n") template-escape(no)); }; --------------- Syslog-ng: template("$MSG\n") template-escape(no)); }; Output: sshd[20657]: Invalid user champtest from 66.177.167.194 --------------- Rsyslog: $template sagan, "%msg%\n" Output: Invalid user champtest from 66.177.167.194 --------------- Whitespacing aside, with syslog-ng I get the program information within the message field. I should point out that most of the systems in the network are Syslog-ng and reporting to Rsyslog (which I can switch out with Syslog-ng for testing). I guess my questions are: 1. Does this sound like a Syslog-ng/Rsyslog interoperability issue? 2. Or do the two just see the "message" formats differently? 3. Maybe it's just my setup (syslog-ng/rsyslog versions)? I have a "work around" with Rsyslog, but was wondering if there where any thoughts on this issue? Thanks -- Champ Clark III | Softwink, Inc | 800-538-9357 x 101 http://www.softwink.com GPG Key ID: 58A2A58F Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F If it wasn't for C, we'd be using BASI, PASAL and OBOL.