[syslog-ng] $MSGONLY bad output

Steven steven at action-marketing.fr
Tue Sep 30 17:19:00 CEST 2008 

Hi there, 

 

As I can't find this on the web, I'm asking here :

 

I'm receiving the IIS servers logs through my LAN and syslog-ng writes
everything to a local files, that is parsed during the night by awstats.

The only thing is I can't have syslog-ng to write raw logs to files, it
absolutely has to write something (either with $MSG or $MESSAGE). I even
tried with $MSGONLY but now I get the opposite problem, it truncates data !

 

$MSG :

 

IISWebLog       0       2008-09-30 14:02:40 GET
/Localized/fr/Images/New2/tlogo.gif - 95.35.41.243 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727
;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+InfoPath.2)
http://mypublicwebsite/home/regf 200 2185

 

With $MSGONLY, I'll get :

 

02:40 GET /Localized/fr/Images/New2/tlogo.gif - 95.35.41.243 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727
;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+InfoPath.2)
http://mypublicwebsite/home/regf 200 2185

 

Here is my very simple template :

 

template t_IIS {

        template("$MESSAGE\n");

        template_escape(no);

};

 

Destination and filter :

destination df_ mypublicwebsite _IISWebLog {
file("/data/syslog/mypublicwebsite/IISWebLog" template(t_IIS)); };

 

filter f_ mypublicwebsite _IISWebLog {(host("^192\.168\.117\.131$")

                                or host("^192\.168\.117\.132$")

                                or host("^192\.168\.117\.133$")

                                or  host("^192\.168\.117\.134$")

                                or  host("^192\.168\.117\.135$")  ) and
facility(local4) and program("IISWebLog"); };

 

log { source(s_net); filter(f_ mypublicwebsite _IISWebLog); destination(df_
mypublicwebsite _IISWebLog); };

 

# uname -a

Linux TR-ADM 2.6.18-4-amd64 #1 SMP Fri May 4 00:37:33 UTC 2007 x86_64
GNU/Linux

 

Anything I'm missing ? Any help would be greatly appreciated.

Best regards

 

Steven

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20080930/9522990c/attachment.htm

More information about the syslog-ng mailing list