On Mon, 2009-12-14 at 08:21 -0800, Larry Low wrote:
On Fri, 2009-12-11 at 12:12 -0800, Larry Low wrote:
In the past I used the MSG macro to get the full syslog message. Now MSG is broken into MSG and MSGHDR.
If a message comes in without a program name such as "exiting on signal 15" or "last message repeated 20 times", syslog-ng incorrectly takes the first word as the program name. Trying to rebuild it with $MSGHDR$MSG causes an erroneous : to be placed on these messages since $MSGHDR is filled in with "exiting" and "last".
I found a previous post and tried adding store-legacy-msghdr. The problem now is that MSGHDR still includes the first word, such as "exiting" and "last", but no colon; but on messages like "kernel : Kernel logging (proc) stopped.", "kernel: " is put in MSGHDR but then also placed in MSG and MSGONLY.
Noticed one more thing: if the PID is included in the syslog message, then MSG and MSGONLY do not repeat process and pid when store-legacy-msghdr is on.
If you enable 'store-legacy-msghdr', syslog-ng will not try hard to properly parse program/pid information from the incoming message; rather, it simply stores all the characters up to the first space/colon character in MSGHDR.
But still $MSG will _not_ contain any of that. In order to get the full message you need to use
$MSGHDR$MSG
Yes, but it does not work when parsing "program: ". When this happens, both MSGHDR and MSG include "program: ". Both "program " and "program[pid]: ", however, do get placed in MSGHDR and not repeated in MSG.
I really try to understand, but I can't. Can you please post an example log message, how you feel it should be processed and why syslog-ng doesn't do the right thing? Thanks. -- Bazsi