[syslog-ng]syslog-ng 1.6.0rc1 a bit erratic at kernel logs

[Jason Haar]

Hi there

We've got a central syslog-ng server here with incoming feeds from old
syslog clients (HPUX,Cisco,printers,etc) as well as TCP-based feeds from
syslog-ng clients. In general it all works well.

However, there seems to be a problem with kernel messages on the
localhost. The fact that they are processname=kernel appears to be lost
on syslog-ng - instead of seeing:

server kern info kernel: device eth0 left promiscuous mode

I see

server kern info device eth0 left promiscuous mode

This is with a template of:

template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n")

As it only seems to affect kernel messages on syslog-ng hosts, I think
it's more of a generation problem than a receiving problem.

On all the hosts affected, then source entry is:

source s_local { internal();
                 unix-stream("/dev/log" keep-alive(yes)
max-connections(100));
                 pipe("/proc/kmsg");
                 unix-stream("/var/spool/mysqld/dev/log" keep-alive(yes)
max-con
nections(10));
                unix-stream("/var/log/snort/dev/log" keep-alive(yes)
max-connect
ions(10));
                 tcp(ip("1.2.3.4") port(514) keep-alive(yes)
max-connections(
100)); 
                 tcp(ip("127.0.0.1") port(514) keep-alive(yes)
max-connections(1
00));
                 udp();
};


Any ideas what's wrong/bug?

Thanks for a great product!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1