Re: FW: [syslog-ng] syslog-ng 1.6.8 bug: not maintaining priority
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Evan Rempel
Sent: Thursday, September 15, 2005 10:51 AM
To: Syslog-ng users' and developers' mailing list
Subject: [syslog-ng] syslog-ng 1.6.8 bug: not maintaining priority

If I use the template option for TCP or UDP destinations, the priority of a message is always user.notice.
<snip>
and I got the following in the /var/log/syslog-ng file
Sep 15 10:38:51 cashmere.comp.uvic.ca user notice ftp alert From cashmere.comp.uvic.ca: sysprog: everything is wrong
Notice that the udp sent message contains the original ftp.alert priority, but when the message is received via UDP, the message has priority user.notice.
Am I doing something wrong?

Check out the detailed syslog explanation at: http://www.campin.net/syslog-ng/syslog.html

Since your message isn't "<PRI>HEADER MSG" it's being rewritten in accordance with standard syslog practice and RFC3164. I didn't know syslog-ng doesn't put a <PRI> field in the beginning no matter what, but it makes sense that it wouldn't when you're specifying the format yourself. You'll have to add it. Problem is, I don't know that you can.

Going by what's on the FAQ:

$TAG Hex representation of the 32-bit priority/facility pair (see /usr/include/sys/syslog.h) 1f

You can't use a hex number there, it needs to be decimal. I don't see a macro that we can use to properly set the decimal <PRI> in the beginning of a templated message. Bazsi, can you shed any light on this?

BTW, I think most formatting questions can be answered by people on their own after they read that syslog explanation page.

> You can't use a hex number there, it needs to be decimal. I don't see a macro that we can use to properly set the decimal <PRI> in the beginning of a templated message. Bazsi, can you shed any light on this?

I dug into it, and it looks like the PRI macro should work. See news releases below.

Try a template like this:

destination self { udp("cashmere.comp.uvic.ca" template("<$PRI>$FACILITY $PRIORITY From $HOST: $MESSAGE\n")); };

News for the 1.6.3 release Thu, 06 May 2004 11:05:46 +0200
* fixed afunix and afinet destination template handling, do not include the PRI value automatically, let the administrator do it explicitly in its template

News for the 1.6.1 release Fri, 9 Jan 2004 10:27:38 +0100
* added a new macro named "PRI" which inserts the decimal value of the message priority (pri + level value combined)

Yes, this works as expected. The documentation needs to be updated to include the PRI macro.

Thanks for the help.

Evan.

On Thu, 15 Sep 2005, SheBang wrote:

> Date: Thu, 15 Sep 2005 12:14:17 -0700
> From: SheBang <infosec@gmail.com>
> To: syslog-ng@lists.balabit.hu
> Subject: Re: FW: [syslog-ng] syslog-ng 1.6.8 bug: not maintaining priority
>
> You can't use a hex number there, it needs to be decimal. I don't see a macro that we can use to properly set the decimal <PRI> in the beginning of a templated message. Bazsi, can you shed any light on this?
>
> I dug into it, and it looks like the PRI macro should work. See news releases below.
>
> Try a template like this:
>
> destination self { udp("cashmere.comp.uvic.ca" template("<$PRI>$FACILITY $PRIORITY From $HOST: $MESSAGE\n")); };
>
> News for the 1.6.3 release Thu, 06 May 2004 11:05:46 +0200
> * fixed afunix and afinet destination template handling, do not include the PRI value automatically, let the administrator do it explicitly in its template
>
> News for the 1.6.1 release Fri, 9 Jan 2004 10:27:38 +0100
> * added a new macro named "PRI" which inserts the decimal value of the message priority (pri + level value combined)

-- Evan Rempel erempel@uvic.ca Senior Programmer Analyst 250.721.7691 Computing Services University of Victoria
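
The receiver-side behaviour discussed in this thread, as an added example (not code from the thread or from syslog-ng): a minimal RFC 3164 style PRI decoder showing why a templated datagram without `<$PRI>` is filed as user.notice while the same text prefixed with the decimal PRI keeps ftp.alert. The sample datagrams are constructed, and treating the $TAG value for ftp.alert as hex 59 is an assumption based on the FAQ description quoted above.

```python
import re

# RFC 3164 facility and severity names, indexed by numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

DEFAULT_PRI = 13                       # user.notice, used when no valid <PRI> is present
PRI_RE = re.compile(rb"^<(\d{1,3})>")  # decimal digits only, as the thread points out


def encode_pri(facility, severity):
    """Decimal PRI value: facility code * 8 + severity code."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def classify(datagram):
    """Return (facility, severity, remaining_bytes, had_valid_pri) for a received datagram."""
    m = PRI_RE.match(datagram)
    if m and int(m.group(1)) <= 191:   # 23 * 8 + 7 is the largest defined PRI
        pri = int(m.group(1))
        return FACILITIES[pri >> 3], SEVERITIES[pri & 7], datagram[m.end():], True
    # No usable PRI: the receiver files the whole datagram under the default.
    return FACILITIES[DEFAULT_PRI >> 3], SEVERITIES[DEFAULT_PRI & 7], datagram, False


# Constructed sample datagrams modelled on the message in the thread.
BODY = b"ftp alert From cashmere.comp.uvic.ca: sysprog: everything is wrong\n"
SAMPLES = {
    "template without <$PRI>": BODY,
    "template with <$PRI>": b"<%d>" % encode_pri("ftp", "alert") + BODY,
    "hex value used as PRI (assumed)": b"<59>" + BODY,  # 0x59 == 89, read as decimal 59
    "hex value with a letter": b"<1f>" + BODY,          # the FAQ's sample $TAG value
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        fac, sev, _, ok = classify(raw)
        print("%-32s -> %s.%s (valid PRI: %s)" % (label, fac, sev, ok))
```

For log pipelines that alert on facility or severity, a silent fallback to user.notice means high-severity events can slip under priority-based filters, so it is worth checking relayed messages for a valid leading PRI.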