Hi. I'm trying to understand why syslog-ng adds a header (timestamp host) to the log, as the RFC specifies another header. Can someone explain the reason to me, please? Regards, Florian
Hi Florian, Can you be a bit more specific, please? Sorry, but I don't understand it. Is syslog-ng storing your log in a different format than RFC5424? Regards, Gabor ________________________________ From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Florian Goulais <goulais.florian@gmail.com> Sent: Friday, July 19, 2019 11:36 To: syslog-ng@lists.balabit.hu Subject: [syslog-ng] Syslog-ng header & rfc5424
If you send text to UDP port 514, syslog will add a prefix: <timestamp> <host>
The RFC 5424 says that the syslog header must start with PRI: <prival>
Then version: <VERSION>
And eventually hostname: <hostname>
The PRI is a number that indicates severity and facility.
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
I'm just trying to understand why syslog adds a non-standardized header.
On Fri, Jul 19, 2019 at 01:58:36PM +0200, Florian Goulais wrote:
> I'm just trying to understand why syslog adds a non-standardized header.
syslog-ng doesn't "add" anything. What it does is parse input, and format the message object depending on the input and output drivers.

If you use the syslog() input, it tries to parse rfc3164/rfc5424. If you use the file() output, it formats using time, host, program, message.

If you want to track everything unparsed, use flags(no-parse) in the input, and template("$MSG") in the output.
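
The header layouts discussed in this thread, as an added example that is not part of any post and is not syslog-ng's own code: a Python classifier that decodes PRI into facility and severity and tells an RFC 5424 header from an RFC 3164 one or from headerless text. The regular expressions are simplified assumptions and the sample lines are constructed.

```python
import re

# Severity names from RFC 5424, indexed by PRI % 8; facility is PRI // 8.
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")
# Simplified RFC 5424 header: VERSION SP TIMESTAMP SP HOSTNAME SP
RFC5424_RE = re.compile(r"^([1-9]\d?) (\S+) (\S+) ")
# Simplified RFC 3164 header: "Mmm dd hh:mm:ss" SP HOSTNAME SP
RFC3164_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) ")

# Constructed sample datagrams (not taken from the thread).
SAMPLES = [
    "<165>1 2019-07-19T11:36:00Z host1.example.org app 1234 ID1 - hello",
    "<13>Jul 19 11:36:00 host1 myprog: hello",
    "hello sent as plain text",
]


def classify(line):
    """Describe which syslog header, if any, a received line carries."""
    result = {"format": "no-header", "facility": None, "severity": None,
              "timestamp": None, "host": None, "rest": line}
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest PRI
        return result  # no header: time and host must come from the receiver
    pri = int(m.group(1))
    result["facility"], result["severity"] = pri // 8, SEVERITIES[pri % 8]
    body = line[m.end():]
    for name, regex in (("rfc5424", RFC5424_RE), ("rfc3164", RFC3164_RE)):
        h = regex.match(body)
        if h:
            # In both patterns the last two groups are timestamp and hostname.
            ts, host = h.groups()[-2:]
            result.update(format=name, timestamp=ts, host=host,
                          rest=body[h.end():])
            return result
    result.update(format="pri-only", rest=body)
    return result


if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

The third sample is the case raised in the thread: text with no PRI carries no timestamp or host of its own, so whatever appears in the stored line was supplied on the receiving side.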
Hi again. I just tried to send the example of a syslog message in your administration guide and I've got the same effect: reformatting the message. I have no "no-parse" in my config file, but syslog-ng drops pri, and the pseudo header (time & host), and puts everything into $MSG. Any idea?
Hi,

On Fri, Jul 19, 2019 at 02:48:42PM +0200, Florian Goulais wrote:
> Any idea?
Any idea on what? That syslog-ng parses the message because it's what it does if you don't tell it not to (hence flags(no-parse))? Could you please step back, and explain what you're trying to achieve here?
participants (3): Fabien Wernli, Florian Goulais, Gabor Nagy (gnagy)