[syslog-ng] $MSGONLY bad output
Steven
steven at action-marketing.fr
Wed Oct 1 12:47:20 CEST 2008
Ok, good news then. In the meantime I use $MESSAGE and "cut -c13-5010" does
the trick.
Regards
Steven
-----Message d'origine-----
De : syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] De la part de Balazs Scheidler
Envoyé : mercredi 1 octobre 2008 11:16
À : Syslog-ng users' and developers' mailing list
Objet : Re: [syslog-ng] $MSGONLY bad output
On Tue, 2008-09-30 at 17:44 +0200, Steven wrote:
> Thanks for your attention
>
> Syslog-ng receives good data, as it seems (when no modification on output
is
> done, all data is written to log file).
>
> If I use
> template t_IIS {
> template("$MESSAGE\n");
> template_escape(no);
> }
>
> Then the output in logfile is :
> IISWebLog 0 2008-09-30 14:02:40 GET (...)
This is not standard syslog format, thus syslog-ng parses the complete
string into the "MESSAGE" part of the syslog (both the IISWebLog header
and the date are part of the message, no date header is present).
MSGONLY in this case assumes that the message is in the format:
program[pid]: payload
Thus it searches for the first colon and expands to "payload". In your
case you cannot use MSGONLY as the message is not in syslog format.
I almost finished syslog-ng OSE 3.0 backports, and that has features
that you could use.
>
> If I use $MSGONLY instead of $MESSAGE then I get :
> 02:40 GET (...)
>
> What I should have is :
> 2008-09-30 14:02:40 GET (...)
>
> Date and hours gets truncated.
--
Bazsi
____________________________________________________________________________
__
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
More information about the syslog-ng
mailing list