Hello,
I'm receiving the IIS servers' logs through my LAN and syslog-ng writes everything to a local file, which is parsed during the night by awstats.
The only thing is I can't get syslog-ng to write raw logs to files; it absolutely has to write something (either with $MSG or $MESSAGE). I even tried with $MSGONLY but now I get the opposite problem: it truncates data!
Sorry, I don't get you. What is the EXACT problem? Do your clients violate the syslog protocol? If yes, then you have to disable log parsing for the source by using flags(no-parse);
$MSG:
IISWebLog 0 2008-09-30 14:02:40 GET /Localized/fr/Images/New2/tlogo.gif - 95.35.41.243 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+InfoPath.2) http://mypublicwebsite/home/regf 200 2185
With $MSGONLY, I'll get:
02:40 GET /Localized/fr/Images/New2/tlogo.gif - 95.35.41.243 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+InfoPath.2) http://mypublicwebsite/home/regf 200 2185
Here is my very simple template:
template t_IIS {
template("$MESSAGE\n");
template_escape(no);
};
Destination and filter:
destination df_mypublicwebsite_IISWebLog { file("/data/syslog/mypublicwebsite/IISWebLog" template(t_IIS)); };
filter f_mypublicwebsite_IISWebLog {(host("^192\.168\.117\.131$")
or host("^192\.168\.117\.132$")
or host("^192\.168\.117\.133$")
or host("^192\.168\.117\.134$")
or host("^192\.168\.117\.135$") ) and facility(local4) and program("IISWebLog"); };
easier to use "^192\.168\.117\.13[1-5]$" and it's slightly more efficient
Regards,
Sandor
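
Added example, not part of the thread: the two suggestions from the reply (flags(no-parse) on the source and the single host pattern) applied to the posted configuration, for the case where the senders do not emit syslog-formatted messages. The source name s_iis_raw, the UDP listener on 0.0.0.0:514, use_dns(no) and the log path are assumptions; the template, destination and file path are the ones posted above.

```conf
# Added example (not from the thread). Assumed: UDP transport on port 514,
# the source name s_iis_raw, and the use_dns(no) setting.

options {
    # Assumed setting: without name resolution $HOST is the sender's IP
    # address, which is what the host() pattern below matches against.
    use_dns(no);
};

source s_iis_raw {
    # flags(no-parse): syslog header parsing is skipped, the whole received
    # line becomes $MESSAGE and syslog-ng generates its own header fields.
    udp(ip(0.0.0.0) port(514) flags(no-parse));
};

filter f_mypublicwebsite_IISWebLog {
    # One anchored pattern in place of the five host() alternatives.
    # With no-parse nothing is extracted from a header, so the
    # facility(local4) and program("IISWebLog") tests are left out here.
    host("^192\.168\.117\.13[1-5]$");
};

template t_IIS {
    template("$MESSAGE\n");
    template_escape(no);
};

destination df_mypublicwebsite_IISWebLog {
    file("/data/syslog/mypublicwebsite/IISWebLog" template(t_IIS));
};

log {
    source(s_iis_raw);
    filter(f_mypublicwebsite_IISWebLog);
    destination(df_mypublicwebsite_IISWebLog);
};
```

If the senders do emit a standard syslog header, no-parse writes that header into the file along with the IIS line, so this layout only fits senders that transmit bare log lines.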