[syslog-ng]Message Templates and Syslog ID
Rhugga
syslog-ng@lists.balabit.hu
Mon, 14 Feb 2005 07:13:01 -0800 (PST)
I'm trying to normalize the logs from the various systems I support (Solaris, IRIX, Tru64, SLES 8 &
9, RHAS 3, Cisco, Brocade, etc.). These logs are processed and stored into Oracle.
On Solaris, syslogd adds a field containing the syslog message ID and the facility and priority:
EX:
Jan 20 22:07:26 back-0202 tldd[3184]: [ID 817171 daemon.notice] Calling the drive_mount_notify
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^
This behavior can only be changed by a reboot, and Sun also does not recommend setting msgid=0 in
/kernel/drv/log.conf.
So, using the following template I can come close to normalizing this behavior:
template("$DATE $HOST $PROGRAM [ID $FACILITY.$LEVEL] $MSG\n")
The information that is lost is the internal syslog ID and the pid of the sending process. Here is
a log entry processed through this template:
Feb 14 07:07:52 db-0201 su [ID auth.info] su: [ID 366847 auth.info] 'su oracle' succeeded for root on /dev/???
Another problem is that the field in question now appears twice.
Anyone know of any possible way to configure syslog-ng to solve this roadblock?
Thx,
CC
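
As an added example (not part of the original post, and not syslog-ng configuration): the normalization can also be done in the loader that feeds the database, by lifting the Solaris `[ID msgid facility.level]` tag into columns so that the pid and message ID survive and the tag is stored only once. The function names, the `-` placeholder for a missing message ID and the rendered layout are assumptions; the second and third sample lines are constructed.

```python
import re

# Header of a classic syslog line: date, host, program, optional [pid].
HEADER = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Tag that Solaris syslogd prepends to the message text.
SOLARIS_TAG = re.compile(
    r"^\[ID (?P<msgid>\d+) (?P<facility>\w+)\.(?P<level>\w+)\] ?"
)

def normalize(line, facility=None, level=None):
    """Split one syslog line into columns; return None if it does not parse.

    facility/level are fallbacks for senders that do not embed them
    (the caller would take them from the syslog PRI value).
    """
    m = HEADER.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec.update(msgid=None, facility=facility, level=level)
    tag = SOLARIS_TAG.match(rec["msg"])
    if tag:
        # Lift the tag into columns and remove it from the message text,
        # so it is stored once rather than twice.
        rec.update(tag.groupdict())
        rec["msg"] = rec["msg"][tag.end():]
    return rec

def render(rec):
    """One uniform text form for every sender (layout is an assumption)."""
    pid = "[%s]" % rec["pid"] if rec["pid"] else ""
    return "%s %s %s%s: [ID %s %s.%s] %s" % (
        rec["date"], rec["host"], rec["program"], pid,
        rec["msgid"] or "-", rec["facility"], rec["level"], rec["msg"])

# Sample input. The first line is from the post; the other two are constructed.
SAMPLES = [
    ("Jan 20 22:07:26 back-0202 tldd[3184]: [ID 817171 daemon.notice] "
     "Calling the drive_mount_notify", None, None),
    ("Feb 14 07:07:52 db-0201 su: [ID 366847 auth.info] "
     "'su oracle' succeeded for root on /dev/???", None, None),
    ("Feb 14 07:08:10 web-01 sshd[2211]: Accepted password for oracle",
     "auth", "info"),
]

if __name__ == "__main__":
    for line, fac, lvl in SAMPLES:
        print(render(normalize(line, fac, lvl)))
```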