I'm trying to normalize the logs from the various systems I support (Solaris, IRIX, Tru64, SLES 8 & 9, RHAS 3, Cisco, Brocade, etc.). These logs are processed and stored in Oracle. On Solaris, syslogd adds a field containing the syslog message ID and the facility and priority, e.g.:

Jan 20 22:07:26 back-0202 tldd[3184]: [ID 817171 daemon.notice] Calling the drive_mount_notify
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^

This behavior can only be changed by a reboot, and Sun also does not recommend setting msgid=0 in /kernel/drv/log.conf.

So, using the following template I can come close to normalizing this behavior:

template("$DATE $HOST $PROGRAM [ID $FACILITY.$LEVEL] $MSG\n")

The information that is lost is the internal syslog ID and the pid of the sending process. Here is a log entry processed through this template:

Feb 14 07:07:52 db-0201 su [ID auth.info] su: [ID 366847 auth.info] 'su oracle' succeeded for root on /dev/???

Another problem is that the field in question now appears twice. Anyone know of any possible way to configure syslog-ng to solve this roadblock?

Thx,
CC
On Mon, Feb 14, 2005 at 07:13:01AM -0800, Rhugga wrote:
On Solaris, syslogd adds a field containing the syslog message ID and the facility and priority, e.g.:

Jan 20 22:07:26 back-0202 tldd[3184]: [ID 817171 daemon.notice] Calling the drive_mount_notify
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^

This behavior can only be changed by a reboot, and Sun also does not recommend setting msgid=0 in /kernel/drv/log.conf.

So, using the following template I can come close to normalizing this behavior:

template("$DATE $HOST $PROGRAM [ID $FACILITY.$LEVEL] $MSG\n")

The information that is lost is the internal syslog ID and the pid of the sending process. Here is a log entry processed through this template:
There's a macro for the message that doesn't include the program name; search the archives for what it is (I forget). As for that number after the ID, it's not the PID of the sending process, it's the message ID, so go ahead and turn off message IDs if you don't want them. I must say that I've never turned them off, so I don't know what the format is, but IIRC it'll look more like what you want.

See http://smarden.org/socklog/readme.solaris.html for a good background on Solaris syslog.

-- 
Nate

"Facts, or what a man believes to be facts, are always delightful. . . . Get your facts first, and . . . then you can distort `em as much as you please." - quoted in Rudyard Kipling's From Sea to Sea - Samuel Clemens
I'm referring to the $PROGRAM macro; it doesn't contain the pid. In the example I provided the pid would be 3184 and the process would be tldd. The syslog message ID is the other piece of info I'm referring to.

Jan 20 22:07:26 back-0202 tldd[3184]: [ID 817171 daemon.notice] Calling the drive_mount_notify
                          ^^^^^pid^^ ^^syslog id ^^^^^^^^^^^

IMHO the pid of the sending process is one of the single most important pieces of info in a log message, so why isn't it available as a macro or any other facet...

thx,
cc

--- Nate Campi <nate@campin.net> wrote:
On Mon, Feb 14, 2005 at 07:13:01AM -0800, Rhugga wrote:

On Solaris, syslogd adds a field containing the syslog message ID and the facility and priority, e.g.:

Jan 20 22:07:26 back-0202 tldd[3184]: [ID 817171 daemon.notice] Calling the drive_mount_notify
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^

This behavior can only be changed by a reboot, and Sun also does not recommend setting msgid=0 in /kernel/drv/log.conf.

So, using the following template I can come close to normalizing this behavior:

template("$DATE $HOST $PROGRAM [ID $FACILITY.$LEVEL] $MSG\n")

The information that is lost is the internal syslog ID and the pid of the sending process. Here is a log entry processed through this template:

There's a macro for the message that doesn't include the program name; search the archives for what it is (I forget). As for that number after the ID, it's not the PID of the sending process, it's the message ID, so go ahead and turn off message IDs if you don't want them. I must say that I've never turned them off, so I don't know what the format is, but IIRC it'll look more like what you want.

See http://smarden.org/socklog/readme.solaris.html for a good background on Solaris syslog.

-- 
Nate

"Facts, or what a man believes to be facts, are always delightful. . . . Get your facts first, and . . . then you can distort `em as much as you please." - quoted in Rudyard Kipling's From Sea to Sea - Samuel Clemens
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
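As an added example (not code from the thread, from syslog-ng, or from either poster), here is a post-processing normalizer for the line format discussed above, the kind of thing the loader in front of Oracle could run. It strips the Solaris "[ID msgid facility.level]" field out of the message body while keeping the pid and the message ID as their own fields, gives lines from non-Solaris systems the same record shape, and recognizes lines already written by the "$DATE $HOST $PROGRAM [ID $FACILITY.$LEVEL] $MSG" template so the duplicated field can be undone (the pid cannot be recovered from those, which is the loss the thread describes). The first two sample lines are the ones quoted in the thread; the sshd line, the "unix" kernel-style line, the LogRecord field names and the "-" placeholder for a missing field are assumptions of the example.

```python
"""Normalize mixed-origin syslog lines while keeping pid and Solaris message ID.

Added example for the thread above; not code from syslog-ng or from the posters.
Solaris syslogd prefixes each message body with "[ID <msgid> <facility>.<level>] ";
other systems do not, so one record shape is built for both and rendered back
into a single line format for loading into a database.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# "Mon DD HH:MM:SS host <rest>"
_DATE_HOST = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)
# "program[pid]: body"; pid is optional (kernel messages and some daemons omit it).
_PROG = re.compile(r"^(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<body>.*)$")
# Solaris message-ID field at the start of the body.
_SOLARIS_ID = re.compile(r"^\[ID (?P<msgid>\d+) (?P<facility>\w+)\.(?P<level>\w+)\] ")
# A line already written by the thread's template
# "$DATE $HOST $PROGRAM [ID $FACILITY.$LEVEL] $MSG": program without pid, a
# template-added [ID fac.lvl], then the original "program: [ID nnn fac.lvl] body".
_TEMPLATED = re.compile(
    r"^(?P<tprog>[^\s:\[]+) \[ID (?P<tfac>\w+)\.(?P<tlvl>\w+)\] (?P<rest>.*)$"
)


@dataclass(frozen=True)
class LogRecord:
    date: str
    host: str
    program: str
    pid: Optional[int]        # None when the source line carried no pid
    msgid: Optional[int]      # Solaris message ID; None on other systems
    facility: Optional[str]
    level: Optional[str]
    msg: str                  # message body with the Solaris ID field stripped


def parse_line(line: str, facility: Optional[str] = None,
               level: Optional[str] = None) -> LogRecord:
    """Parse one file-format syslog line.

    `facility`/`level` are what the collector already knows from the PRI value
    (syslog-ng's $FACILITY and $LEVEL); a Solaris field in the body wins over them.
    Raises ValueError for lines without a BSD-style header, so that unrecognized
    formats are noticed instead of being stored as garbage.
    """
    m = _DATE_HOST.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"no syslog header: {line!r}")
    date, host, rest = m.group("date", "host", "rest")

    t = _TEMPLATED.match(rest)
    if t:  # undo the template's duplicated field; the pid is already lost here
        facility, level = t.group("tfac"), t.group("tlvl")
        rest = t.group("rest")

    p = _PROG.match(rest)
    if not p:
        raise ValueError(f"no program tag: {line!r}")
    program, pid, body = p.group("program", "pid", "body")

    msgid = None
    s = _SOLARIS_ID.match(body)
    if s:
        msgid = int(s.group("msgid"))
        facility, level = s.group("facility"), s.group("level")
        body = body[s.end():]

    return LogRecord(date, host, program, int(pid) if pid else None,
                     msgid, facility, level, body)


def normalize(rec: LogRecord) -> str:
    """Render the uniform line; '-' marks a field the source did not carry (assumed convention)."""
    pid = f"[{rec.pid}]" if rec.pid is not None else ""
    msgid = rec.msgid if rec.msgid is not None else "-"
    return (f"{rec.date} {rec.host} {rec.program}{pid}: "
            f"[ID {msgid} {rec.facility or '-'}.{rec.level or '-'}] {rec.msg}")


def normalize_all(lines: Iterable[str], facility: Optional[str] = None,
                  level: Optional[str] = None) -> List[str]:
    return [normalize(parse_line(ln, facility, level)) for ln in lines]


# Sample input: the two lines quoted in the thread plus two constructed ones.
SAMPLE_LINES = [
    "Jan 20 22:07:26 back-0202 tldd[3184]: [ID 817171 daemon.notice] Calling the drive_mount_notify",
    "Feb 14 07:07:52 db-0201 su [ID auth.info] su: [ID 366847 auth.info] 'su oracle' succeeded for root on /dev/???",
    "Feb 14 07:09:13 sles-01 sshd[2231]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2",  # constructed
    "Feb 14 07:09:40 back-0202 unix: [ID 389951 kern.notice] constructed kernel message without pid",  # constructed
]

if __name__ == "__main__":
    for out in normalize_all(SAMPLE_LINES, facility="auth", level="info"):
        print(out)
```

Running it shows the Solaris line coming out unchanged (it is already in the target shape), the template-mangled su line reduced to a single "[ID 366847 auth.info]" field with no pid to restore, and the SLES line gaining a "[ID - auth.info]" field from the facility and level the collector supplies. Lines with no BSD-style header (Cisco or Brocade output, for instance) raise rather than load, which is the safer default when the loader feeds a database.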
participants (2)
- Nate Campi
- Rhugga