[syslog-ng]Getting Logs in Triplicate

Rhugga syslog-ng@lists.balabit.hu
Thu, 20 Jan 2005 06:01:20 -0800 (PST)


I notice that logs from Solaris clients are different than those from Linux:

Jan 20 05:46:34 syslog syslog-ng[16592]: STATS: dropped 0
Jan 20 05:46:43 ssh-gateway sshd(pam_unix)[4416]: session closed for user logadm
Jan 20 05:48:48 db-0201 su: [ID 366847 auth.info] 'su oracle' succeeded for root on /dev/???

In this sampling db-0201 is a Solaris 9 box, syslog is a SLES9 box, and ssh-gateway is a RH9 box.

I noticed that the Solaris log entry has [ID 366847 auth.info] whereas the Linux entry has
syslog-ng[16592]. I'm trying to parse these files and store in a database but don't see what
exactly these fields are or what is generating them. I am assuming syslog-ng is adding this field
since the copy of the log entry in the local /var/adm/messages file does not contain this. So my
question is why is it different for Solaris and Linux and can this behavior be changed? The log
entry from the Linux box appears to contain the pid appended to the daemon name but the Solaris
entry looks like some kind of internal syslog-ng message id.

What is the breakdown of the fields in a syslog-ng log entry?

Is this correct?

field 1: <timestamp>
field 2: <hostname>
field 3: <daemon generating log entry>
field 4: ? <unknown>
field 5: <log content>

Thx
CC

=====
Chuck Carson - Sr. Systems Engineer
Syrrx, Inc. - www.syrrx.com
10410 Science Center Drive
San Diego, CA 92121
Work: 858.622.8528
Fax:  858.550.0526
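The three lines quoted in the post have the same outer layout (timestamp, hostname, then a program tag and the message), and the difference the poster sees is in what follows the program tag: the Linux entries carry the process id in square brackets after the program name, while the Solaris entry carries a `[ID <number> <facility>.<priority>]` tag at the start of the message text, which is Solaris's own syslog message-ID tag rather than something syslog-ng invents. The parser below is an added example, not code from the post or from the syslog-ng project. It assumes the BSD-style line shape shown in the post and treats the pid and the Solaris ID tag as optional, so lines from both kinds of host end up in one normalized record with the same columns; the sample lines are constructed from the shapes in the post. Unmatched lines return `None` rather than a half-filled record, so a database loader can count and quarantine them instead of silently mis-attributing fields.

```python
import re
from typing import Optional, Dict, List

# Constructed sample lines modelled on the shapes quoted in the post
# (Linux syslog-ng host, Linux sshd host, Solaris 9 host, plus one line
# with no program tag at all, which real syslogs also contain).
SAMPLE_LINES = [
    "Jan 20 05:46:34 syslog syslog-ng[16592]: STATS: dropped 0",
    "Jan 20 05:46:43 ssh-gateway sshd(pam_unix)[4416]: session closed for user logadm",
    "Jan 20 05:48:48 db-0201 su: [ID 366847 auth.info] 'su oracle' succeeded for root on /dev/???",
    "Jan 20 05:49:01 db-0201 last message repeated 2 times",
]

# Outer layout common to every line: "Mon dd HH:MM:SS host <rest>".
# The day may be space-padded ("Jan  5"), hence "[ \d]\d".
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)

# Program tag: "name:" or "name[pid]:".  The name may contain parentheses
# ("sshd(pam_unix)") but never whitespace, ':' or '['.
TAG_RE = re.compile(r"^(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$")

# Solaris message-ID tag at the start of the message body:
# "[ID 366847 auth.info] ..." -> msgid, facility, priority.
SOLARIS_ID_RE = re.compile(
    r"^\[ID (?P<msgid>\d+) (?P<facility>[a-z0-9]+)\.(?P<priority>[a-z]+)\]\s?(?P<msg>.*)$"
)


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one syslog line into normalized fields.

    Returns None when the outer layout does not match, so callers can
    count rejects instead of storing garbage.  Fields absent from a
    particular host's format (pid, msgid, facility, priority) are None.
    """
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None

    record: Dict[str, Optional[str]] = {
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "program": None,
        "pid": None,
        "msgid": None,
        "facility": None,
        "priority": None,
        "message": m.group("rest"),
    }

    tag = TAG_RE.match(m.group("rest"))
    if tag:
        record["program"] = tag.group("program")
        record["pid"] = tag.group("pid")
        record["message"] = tag.group("msg")

    # The Solaris ID tag lives inside the message body, after the program tag.
    sol = SOLARIS_ID_RE.match(record["message"] or "")
    if sol:
        record["msgid"] = sol.group("msgid")
        record["facility"] = sol.group("facility")
        record["priority"] = sol.group("priority")
        record["message"] = sol.group("msg")

    return record


def parse_lines(lines: List[str]) -> Dict[str, object]:
    """Parse many lines; keep parsed records and the lines that were rejected."""
    records, rejected = [], []
    for line in lines:
        rec = parse_line(line)
        (records if rec else rejected).append(rec if rec else line)
    return {"records": records, "rejected": rejected}


if __name__ == "__main__":
    result = parse_lines(SAMPLE_LINES)
    for rec in result["records"]:
        print(rec)
    print("rejected:", result["rejected"])
```

Because every record has the same eight keys regardless of origin, the loader can use one table schema; the `msgid`/`facility`/`priority` columns simply stay NULL for hosts that do not emit the Solaris tag, and `pid` stays NULL for programs that log without one.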