It's part of the identification when you use the LOG_PID option in openlog(). It's not a required option but nevertheless a properly formatted syslog message should contain it.
That's what I meant, it's not always there, but when the program name field is there, often the PID is embedded there as well. Sorry, thought that was clear.
Yes, it's clear.
What is a good reason to have this? If you specify $MSG you will get the programme name and pid logged, provided it was specified in openlog().
Same reason for having the date, or the program name, or any other part of the message available as a macro - so you can format it yourself.
The date is fixed, the program name also, they contain real informational value which is why they have macros. A pid has no informational value, since it's volatile (when the process ends, or when pids cycle) and only adds to the complexity of mining your data.
Is that not what you guys were looking for?
No, having a $PID macro is what we're looking for.
Well, here's a head start, it's not much left to implement. I simply don't have time to do it: --- syslog-ng-1.9.5+20051003/src/macros.c 2005-10-03 00:11:46.000000000 +0200 +++ syslog-ng-1.9.5+20051003-ratz/src/macros.c 2005-10-05 23:49:26.996398132 +0200 @@ -99,6 +99,7 @@ { "FULLHOST", M_FULLHOST }, { "PROGRAM", M_PROGRAM }, + { "PID", M_PID }, { "MSG", M_MESSAGE }, { "MSGONLY", M_MSGONLY }, { "MESSAGE", M_MESSAGE }, @@ -366,6 +367,16 @@ } break; } + case M_PID: + { + gchar *bracket; + gint ofs; + + /* here you add your progname[PID] parsing */ + + result_append(result, msg->msg->str + ofs, msg->msg->len - ofs, !!(flags & MF_ESCAPE_RESULT)); + break; + } case M_MESSAGE: /* message */ result_append(result, msg->msg->str, msg->msg->len, !!(flags & MF_ESCAPE_RESULT)); HTH, Roberto Nibali, ratz -- echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
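Review bot: in the macro table hunk (@@ -99,6 +99,7 @@), the new { "PID", M_PID } entry refers to M_PID, but nothing in this patch defines that identifier; the diff only touches src/macros.c in these two places. Add the M_PID definition wherever M_PROGRAM is defined and include that change in the patch, otherwise the file will not compile.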
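Review bot: in the case M_PID hunk (@@ -366,6 +367,16 @@), ofs is passed to result_append() without ever being assigned, and bracket is declared but never used, because the parsing is still only the placeholder comment. As written, the call reads msg->msg->str at an indeterminate offset with an indeterminate length, which is an out-of-bounds read on attacker-influenced log data. Even once ofs is set, the length msg->msg->len - ofs would append everything from that offset to the end of the message rather than only the PID, so the length needs to stop at the closing ']'. Initialise both variables, keep the bracket search within msg->msg->len, and append nothing when the message carries no progname[PID] prefix.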