On Thu, 2011-01-13 at 12:54 -0500, Champ Clark III [Softwink] wrote:
Hello all!
I've got a bit of a strange problem. I've been developing software (Shameless plug: http://sagan.softwink.com) that does log analysis. This software is mostly used with Syslog-ng and Rsyslog. We recently started testing some log normalization, and I'm seeing different results from syslog-ng's $MSG string and rsyslog %msg%. For example:
---------------
Syslog-ng:
template("$MSG\n") template-escape(no)); };
Output: sshd[20657]: Invalid user champtest from 66.177.167.194
---------------
Rsyslog:
$template sagan, "%msg%\n"
Output: Invalid user champtest from 66.177.167.194
---------------
You seem to want only the message part of the log entry. With syslog-ng, $MSG contains the program too, and if you want the message part only, you should try $MSGONLY in the template. That should do just what you want. By the way, there's excellent documentation about syslog-ng macros, which explains the difference between $MSG and $MSGONLY at http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...
-- |8]
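Added example, not part of the thread and not Sagan's code: a log consumer can also normalize on its own side, so that the two outputs quoted above yield the same message text whichever template the sender uses. The names split_tag, Record and known_programs are hypothetical, and the tag pattern is a heuristic assumption about what a "program[pid]: " prefix looks like.

```python
import re
from typing import NamedTuple, Optional, Set

# Assumed shape of a leading syslog tag: "program[pid]: " or "program: ".
# The program name is taken to be one token of up to 48 characters.
TAG_RE = re.compile(
    r"^(?P<program>[A-Za-z0-9_./-]{1,48})(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$",
    re.S,
)


class Record(NamedTuple):
    program: Optional[str]
    pid: Optional[int]
    message: str


def split_tag(line: str, known_programs: Optional[Set[str]] = None) -> Record:
    """Split an optional 'program[pid]: ' prefix from the message text.

    A tag with a pid is always accepted. A tag without a pid is ambiguous
    (a message-only line may itself start with 'word: '), so it is accepted
    only when the program is in the caller-supplied known_programs set.
    """
    text = line.strip()  # tolerate leading whitespace and the trailing "\n"
    m = TAG_RE.match(text)
    if m is None:
        return Record(None, None, text)
    program, pid = m.group("program"), m.group("pid")
    if pid is None and program not in (known_programs or set()):
        return Record(None, None, text)
    return Record(program, int(pid) if pid else None, m.group("msg"))


# The two output lines quoted in the thread.
SYSLOG_NG_LINE = "sshd[20657]: Invalid user champtest from 66.177.167.194\n"
RSYSLOG_LINE = "Invalid user champtest from 66.177.167.194\n"

if __name__ == "__main__":
    for raw in (SYSLOG_NG_LINE, RSYSLOG_LINE):
        print(split_tag(raw))
```

Both sample lines come back with the same message field, so rules written against the message text match either source.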