[syslog-ng]Message Templates and Syslog ID

Rhugga syslog-ng@lists.balabit.hu
Wed, 16 Feb 2005 02:40:34 -0800 (PST) 

I'm referring to the $PROGRAM macro, it doesn't contain the pid. In the example I provided the pid
would be 3184 and the process wold be tldd. The syslog message ID is the other piece of info I'm
referring to.

Jan 20 22:07:26 back-0202 tldd[3184]: [ID 817171 daemon.notice] Calling the drive_mount_notify
                          ^^^^^pid^^   ^^syslog id ^^^^^^^^^^^

IMHO the pid of the sending process is one of the single most important pieces of info in a log
message so why isn't it available as a macro or any other facet...

thx,
cc
--- Nate Campi <nate@campin.net> wrote:

> On Mon, Feb 14, 2005 at 07:13:01AM -0800, Rhugga wrote:
> > 
> > On Solaris, syslogd adds a field containing the syslog message ID and the facility and
> priority:
> > 
> > EX:
> > Jan 20 22:07:26 back-0202 tldd[3184]: [ID 817171 daemon.notice] Calling the drive_mount_notify
> >                                       ^^^^^^^^^^^^^^^^^^^^^^^^^
> > 
> > This behavior can only be changed by a reboot and sun also does not recommend setting msgid=0
> in
> > /kernerl/drv/log.conf.
> >
> > So, using the following template I can come close to normalizing this behavior:
> > template("$DATE $HOST $PROGRAM [ID $FACILITY.$LEVEL] $MSG\n")
> > 
> > The information that is lost is the internal syslog ID and the pid of the sending process.
> Here is
> > a log entry processed thru this template:
> 
> There's a macro for the message that doesn't include the program name,
> search the archives for what it is (I forget). As for that number after
> the ID, it's not the PID of the sending process, it's the message ID, so
> go ahead and turn off message IDs if you don't want them. I must say
> that I've never turned them off so I don't know what the format is, but
> IIRC it'll look more like what you want.
> 
> See http://smarden.org/socklog/readme.solaris.html for a good background
> on solaris syslog.
> -- 
> Nate
> 
> "Facts, or what a man believes to be facts, are always delightful. . . . 
> Get your facts first, and . . . then you can distort `em as much as you 
> please." - quoted in Rudyard Kipling's From Sea to Sea - Samuel Clemens
> 
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> 
>