[syslog-ng] priority and facility gone when using template for
remote logging
Wolfram Schlich
lists at wolfram.schlich.org
Wed Jun 21 14:27:39 CEST 2006
* Balazs Scheidler <bazsi at balabit.hu> [2006-06-21 13:12]:
> On Wed, 2006-06-21 at 03:08 +0200, Wolfram Schlich wrote:
> > On the logserver the priority.facility of all incoming log messages
> > was "user.notice" instead of the original value.
> >
> > I used this on the logclient:
> >
> > template t_remote_s { template("${DATE} ${HOST} ${MSG}\n"); template_escape(no); };
> > destination d_remote { udp("syslog.mydomain.tld" port(514) template(t_remote_s)); };
> > log { source(s_local); source(s_kernel); destination(d_remote); };
> >
> > When *not* using a template for the remote destination, everything
> > works as expected, priority.facility is back with good values.
> >
> > Any idea why this happens?
>
> You have overwritten the record format, so it does not contain the
> pri/fac information anymore. You need something like:
>
> template t_remote_s { template("<${PRI}>${DATE} ${HOST} ${MSG}\n"); template_escape(no); };
Ah, this is the syslog remote logging protocol format?
Why is there only PRI inside <>? What about the facility?
Is it <FAC.PRI>?
TIA :-)
--
Wolfram Schlich
More information about the syslog-ng
mailing list