[syslog-ng] $MSGONLY bad output
Balazs Scheidler
bazsi at balabit.hu
Wed Oct 1 11:15:30 CEST 2008
On Tue, 2008-09-30 at 17:44 +0200, Steven wrote:
> Thanks for your attention
>
> Syslog-ng receives good data, as it seems (when no modification on output is
> done, all data is written to log file).
>
> If I use
> template t_IIS {
> template("$MESSAGE\n");
> template_escape(no);
> }
>
> Then the output in logfile is :
> IISWebLog 0 2008-09-30 14:02:40 GET (...)
This is not standard syslog format, thus syslog-ng parses the complete
string into the "MESSAGE" part of the syslog (both the IISWebLog header
and the date are part of the message, no date header is present).
MSGONLY in this case assumes that the message is in the format:
program[pid]: payload
Thus it searches for the first colon and expands to "payload". In your
case you cannot use MSGONLY as the message is not in syslog format.
I almost finished syslog-ng OSE 3.0 backports, and that has features
that you could use.
>
> If I use $MSGONLY instead of $MESSAGE then I get :
> 02:40 GET (...)
>
> What I should have is :
> 2008-09-30 14:02:40 GET (...)
>
> Date and hours gets truncated.
--
Bazsi
More information about the syslog-ng
mailing list