[syslog-ng] syslog-ng relay pre-pends headers

Balazs Scheidler bazsi at balabit.hu
Thu Nov 8 08:47:31 CET 2007

On Tue, 2007-11-06 at 10:27 -0500, Mike Fratto wrote:
> Baszi,
> I am inspecting on the relay itself. Pasted below is the sent message
> and the relayed message. The sent message appears to be rfc3164
> formatted already. In the relayed message, syslog-ng pre-pends the
> sent time stamp and the hostname onto the existing message. For
> messages that send raw non rfc-3164 formatted messages, that OK
> (desired in fact), but sources that do send rfc-3164 formatted
> messages, it's redundant. I also pasted my config file at the end.
> I started out wanting syslog-ng to transparently forward messages. So
> is what I am seeing the expected behavior?
> But after looking more deeply at the sources, what I want to do is
> have syslog-ng reformat non-rfc3164 messages to that format (which I
> can do with macros).
> mike
> 10:06:14.322290 IP (tos 0x0, ttl 127, id 29867, offset 0, flags
> [none], proto UDP (17), length 131) >
> SYSLOG, length: 103
>         Facility mail (2), Severity notice (5)
>         Msg: Nov 06 10:11 example.com 10:11:48.866 2
> SMTPI-459393(barracuda.example.com) [10865267] received, 6909 bytes

the problem is that the timestamp is not complete, it does not contain
second information. As it is not properly formatted, syslog-ng assumes
that it's not RFC3164 and takes the complete line as a message.


More information about the syslog-ng mailing list