[syslog-ng] Parameter MSGONLY in syslog-ng.conf doesn't work properly

Jochen Kirn jochen.kirn at gmail.com
Wed Mar 22 18:10:06 CET 2006 

Hi,

System information where this problem has been discovered:
OS: AIX 5.3
Syslog NG version: 1.6.9
libol: 0.3.17

aixhost53:
<13>Mar 22 10:11:50 src at aixhost53 auth|security:info sshd[454900]:
Connection from 192.168.10.20 port 42498
<13>Mar 22 10:11:50 src at aixhost53 auth|security:info sshd[454900]: Failed
none for root from 192.168.10.20 port 42498 ssh2


As you can see above, the AIX 5.3 system syslogd appends the facility and
priority level to the message. I found no way
to stop AIX's syslogd doing this nasty thing.
Nevertheless when syslog-ng receives this message it is unable to parse the
fields correctly because it reads
eg. "auth|security:info" as program name.

I've spend a quick look at the code, namely 'macros.c' where it reads "colon
= memchr(msg->msg->data, ':', msg->msg->length);"
in line 398
macros.c:
...
        case M_MSGONLY: {
                char *colon;
                int ofs;

                colon = memchr(msg->msg->data, ':', msg->msg->length);

                if (!colon) {
                        ofs = 0;
                }
                else {
                        // origofs = (colon - (char *) msg->msg->data) + 2;
                        ofs = (colon - (char *) msg->msg->data) +6;
                        if (ofs > msg->msg->length)
                                ofs = msg->msg->length;
                }
                length = append_string(dest, left, (char *) msg->msg->data +
ofs, msg->msg->length - ofs, escape);
                break;
        }

...

syslog-ng.conf:
destination tempfile { file("/tmp/syslog-ng.debug"
template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC $HOST $MSGONLY\n") template-esc
ape(yes)); };

The syslog-ng.conf destination entry above causes that the message is cut
off at "nfo sshd ...." and thus MSGONLY would read 'nfo sshd[454900]:
Connection from 192.168.10.20 port 42498'
instead of "Connection from 192.168.10.20 port 42498"

@Balazs: could you investigate this, if there is a fix possible for this
"parsing error" ?

thx
Jochen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20060322/0a631e0c/attachment.htm

More information about the syslog-ng mailing list