Forwarded messages modified by syslog-ng
On Tue, 2009-07-07 at 11:40 -0400, srainville@videotron.ca wrote:
I'm using syslog-ng 3.0.3 to collect and forward some messages to another syslog-ng 3.0.3 server. The messages are in the following format and are received via UDP:
Jul 7 11:26:53 SERVERNAME [aaa][info] xmlfirewall(Testservices): trans(534491553)[request]: Policy(Testpolicy): Message allowed
I use the following destination configuration:
destination testserver { udp("testserver" port(514)); };
The messages arrive in this format:
Jul 7 11:26:53 SERVERNAME [info] xmlfirewall(Testservices): trans(534491553)[request]: Policy(Testpolicy): Message allowed
It removed the [aaa] from the original message. I tried adding a template to the destination that used $MSG, but it didn't change the output. Is there a way to tell syslog-ng to not modify the original message? I don't recall having this issue with version 2.0.x.
syslog-ng 3.0 parses and rebuilds the program header information by default (in order to properly support the new IETF syslog protocols). The format it understands is:
date host program[pid]:
It has some heuristics, but your [aaa][info] does not match the program[pid] format that syslog-ng expects.
You could use the "store-legacy-msghdr" flag, in which case you can get the original contents of the message at the price of some performance. I also planned to tune the parsing heuristics a bit further, but that's always risky business: changing the heuristics for an ambiguous message format that has a lot of violating implementations is, well, risky at the very least.
For now, please try the store-legacy-msghdr flag and see if that solves your problem.
-- Bazsi
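A simplified model of the parse-and-rebuild behaviour described in the reply, added here as an illustration; it is not part of the thread and not syslog-ng's parser. The tag heuristic, the function names and the `store_legacy_msghdr` parameter are assumptions chosen to reproduce the output reported in the question, and the sample line is the one from the question.

```python
import re

# Layout named in the reply: date host program[pid]: message
HEAD = re.compile(r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")
# Toy heuristic (assumption): a tag is "program[pid]" with an optional colon, or "program:"
TAG = re.compile(r"^(?P<program>[^\s\[\]:]*)(?:\[(?P<pid>[^\]]*)\]:?|:) ?")

def parse(line, store_legacy_msghdr=False):
    """Split a legacy syslog line into fields; optionally keep the raw tag bytes."""
    head = HEAD.match(line)
    if head is None:
        raise ValueError("not a legacy syslog line")
    rest = line[head.end():]
    fields = {"date": head["date"], "host": head["host"],
              "program": "", "pid": "", "legacy_msghdr": None}
    tag = TAG.match(rest)
    if tag:
        fields["program"] = tag["program"]
        fields["pid"] = tag["pid"] or ""
        if store_legacy_msghdr:
            fields["legacy_msghdr"] = tag.group(0)  # verbatim header text
        rest = rest[tag.end():]
    fields["msg"] = rest
    return fields

def rebuild(f):
    """Re-emit the line from parsed fields, as a relay that normalizes headers would."""
    if f["legacy_msghdr"] is not None:
        hdr = f["legacy_msghdr"]          # stored header wins: nothing is lost
    elif f["program"]:
        hdr = f["program"] + (f"[{f['pid']}]" if f["pid"] else "") + ": "
    else:
        hdr = ""                          # a pid with no program name is not re-emitted
    return f"{f['date']} {f['host']} {hdr}{f['msg']}"

def relay(line, store_legacy_msghdr=False):
    return rebuild(parse(line, store_legacy_msghdr))

# Sample line taken from the question above
SAMPLE = ("Jul 7 11:26:53 SERVERNAME [aaa][info] xmlfirewall(Testservices): "
          "trans(534491553)[request]: Policy(Testpolicy): Message allowed")

if __name__ == "__main__":
    print(relay(SAMPLE))                             # "[aaa]" is gone
    print(relay(SAMPLE, store_legacy_msghdr=True))   # identical to SAMPLE
```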
participants (2): Balazs Scheidler, srainville@videotron.ca