Dear syslog-ng folks,

I am the maintainer of sshguard, see http://www.sshguard.net . Sshguard can be interfaced with syslog-ng. Multiple users of syslog-ng recently reported that switching to 3.x required a configuration change for preserving the original logging format, see
https://sourceforge.net/mailarchive/forum.php?thread_name=EE040D72-0185-41EB...
https://sourceforge.net/mailarchive/forum.php?thread_name=DA2160C1-09A0-475D...

We reflected the reports by updating the setup docs to contain a block for the 2.x version and one for 3.x, see
http://www.sshguard.net/docs/setup/getlogs/syslog-ng/

However, this change is not apparent in your documentation or changelogs, and other users reported that with even more recent versions, the "old format" is again the correct one.

Can you clarify what is the intended template for producing entry tags of the classic format "Jan 21 12:54:09 examplehost proftpd[18965]: applmsg" in the different versions?

Thanks
On Fri, 2010-01-22 at 09:43 +0100, Mij wrote:
> Dear syslog-ng folks,
> I am the maintainer of sshguard, see http://www.sshguard.net . Sshguard can be interfaced with syslog-ng. Multiple users of syslog-ng recently reported that switching to 3.x required a configuration change for preserving the original logging format, see
> https://sourceforge.net/mailarchive/forum.php?thread_name=EE040D72-0185-41EB...
> https://sourceforge.net/mailarchive/forum.php?thread_name=DA2160C1-09A0-475D...
> We reflected the reports by updating the setup docs to contain a block for the 2.x version and one for 3.x, see
> http://www.sshguard.net/docs/setup/getlogs/syslog-ng/
> However, this change is not apparent in your documentation or changelogs, and other users reported that with even more recent versions, the "old format" is again the correct one.
syslog-ng can operate in both 2.x compatible mode and 3.x compatible mode. The '@version' header in the syslog-ng configuration file controls which one is used. If someone has no version header, syslog-ng assumes it wants syslog-ng 2.x compatibility. There were no macro-related changes in the 3.0 series, and the format with the MSGHDR is still the correct one.
> Can you clarify what is the intended template for producing entry tags of the classic format "Jan 21 12:54:09 examplehost proftpd[18965]: applmsg" in the different versions?
Can you show the user posting that states MSGHDR is the wrong approach? I might be able to help troubleshoot it. -- Bazsi
On Jan 22, 2010, at 11:25 , Balazs Scheidler wrote:
> Can you clarify what is the intended template for producing entry tags of the classic format "Jan 21 12:54:09 examplehost proftpd[18965]: applmsg" in the different versions?
> Can you show the user posting that states MSGHDR is the wrong approach? I might be able to help troubleshoot it.
Sure. Confront:
http://sourceforge.net/mailarchive/forum.php?thread_name=EE040D72-0185-41EB-...
http://sourceforge.net/mailarchive/forum.php?thread_name=DA2160C1-09A0-475D-...
with:
http://sourceforge.net/mailarchive/forum.php?thread_name=C5633AC6-CD8F-451F-...
http://sourceforge.net/mailarchive/forum.php?thread_name=8cb75a4a1001210418g...
Notice the double "proftpd[25517]: proftpd[25517]:" occurrence when prepending $MSGHDR.
On Fri, 2010-01-22 at 16:35 +0100, Mij wrote:
> On Jan 22, 2010, at 11:25, Balazs Scheidler wrote:
>> Can you clarify what is the intended template for producing entry tags of the classic format "Jan 21 12:54:09 examplehost proftpd[18965]: applmsg" in the different versions?
>> Can you show the user posting that states MSGHDR is the wrong approach? I might be able to help troubleshoot it.
> Sure. Confront:
> http://sourceforge.net/mailarchive/forum.php?thread_name=EE040D72-0185-41EB-...
> http://sourceforge.net/mailarchive/forum.php?thread_name=DA2160C1-09A0-475D-...
> with:
> http://sourceforge.net/mailarchive/forum.php?thread_name=C5633AC6-CD8F-451F-...
> http://sourceforge.net/mailarchive/forum.php?thread_name=8cb75a4a1001210418g...
> Notice the double "proftpd[25517]: proftpd[25517]:" occurrence when prepending $MSGHDR.
I can't post there via the webpage, but the problem is most probably a missing "@version: 3.0" line in the configuration. Without that, syslog-ng 3.0 is operating in 2.x compatible mode. However, the posts there didn't include a complete configuration file, but I guess this is the root cause of the problem. Also, the missing @version directive is logged as a warning at syslog-ng startup. -- Bazsi
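The two points made in this thread, that the `@version` header decides whether syslog-ng 3.x runs in 2.x compatibility mode, and that prepending `$MSGHDR` to `$MSG` in that mode yields a doubled program tag, can be turned into a quick check. The following Python script is an added example, not code from the thread, from sshguard or from syslog-ng: the two configuration snippets and the log lines in it are constructed for illustration (the destination name `d_sshguard`, the template string and the function names are assumptions of mine; `$DATE`, `$HOST`, `$MSGHDR` and `$MSG` are real syslog-ng macros). It audits a config text for the missing header and scans a feed of classic-format lines for the duplicated "program[pid]:" symptom described above.

```python
import re

# Constructed syslog-ng destination snippets (assumed examples, not the sshguard
# project's published configuration). The @version header is what selects 3.x
# mode; without it syslog-ng 3.x runs in 2.x compatibility mode.
CONFIG_WITH_VERSION = r"""
@version: 3.0
destination d_sshguard {
    program("/usr/local/sbin/sshguard" template("$DATE $HOST $MSGHDR$MSG\n"));
};
"""

CONFIG_WITHOUT_VERSION = r"""
destination d_sshguard {
    program("/usr/local/sbin/sshguard" template("$DATE $HOST $MSGHDR$MSG\n"));
};
"""

VERSION_RE = re.compile(r"^\s*@version:\s*(\S+)", re.MULTILINE)


def config_version(cfg: str):
    """Return the @version value declared in a syslog-ng config text, or None."""
    m = VERSION_RE.search(cfg)
    return m.group(1) if m else None


def audit_config(cfg: str):
    """List the problems the thread describes: a missing @version header, and a
    $MSGHDR template that will double the program tag while in 2.x mode."""
    findings = []
    if config_version(cfg) is None:
        findings.append("no @version header: syslog-ng 3.x falls back to 2.x compatibility mode")
        if "$MSGHDR" in cfg:
            findings.append("template prepends $MSGHDR in 2.x mode: program tag will appear twice")
    return findings


# Classic BSD-style line: "Jan 21 12:54:09 examplehost proftpd[18965]: applmsg"
CLASSIC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<hdr>[^\s:\[]+(?:\[\d+\])?): "
    r"(?P<msg>.*)$"
)


def parse_classic(line: str):
    """Split a classic-format line into timestamp, host, program header and message."""
    m = CLASSIC_RE.match(line)
    return m.groupdict() if m else None


def doubled_header(line: str) -> bool:
    """True when the message body starts with its own program header again,
    the symptom of $MSGHDR$MSG rendered in 2.x compatibility mode."""
    parts = parse_classic(line)
    if parts is None:
        return False
    return parts["msg"].startswith(parts["hdr"] + ": ")


# Constructed sample lines: the first is the format quoted in the thread, the
# second mimics the doubled "proftpd[25517]: proftpd[25517]:" output.
CLASSIC_LINE = "Jan 21 12:54:09 examplehost proftpd[18965]: applmsg"
DOUBLED_LINE = "Jan 21 12:54:09 examplehost proftpd[25517]: proftpd[25517]: applmsg"


def check_feed(lines):
    """Count the lines in a log feed that show the doubled-header symptom."""
    return sum(1 for line in lines if doubled_header(line))


if __name__ == "__main__":
    for cfg in (CONFIG_WITH_VERSION, CONFIG_WITHOUT_VERSION):
        print("version:", config_version(cfg), "findings:", audit_config(cfg))
    print("doubled lines:", check_feed([CLASSIC_LINE, DOUBLED_LINE]))
```

The config audit is purely textual and only looks for the header and macro the thread names; the feed check is the quicker confirmation, since a non-zero count of doubled headers in what sshguard receives points straight at a template rendered in the wrong compatibility mode.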
participants (2)
- Balazs Scheidler
- Mij