[syslog-ng] $MSGONLY bad output

Geller, Sandor (IT) Sandor.Geller at morganstanley.com
Tue Sep 30 17:33:56 CEST 2008


Hello,

> I'm receiving the IIS servers' logs through my LAN and
> syslog-ng writes everything to a local file, that is parsed
> during the night by awstats.
>
> The only thing is I can't get syslog-ng to write raw logs to
> files, it absolutely has to write something (either with $MSG
> or $MESSAGE). I even tried with $MSGONLY but now I get the
> opposite problem, it truncates data!

Sorry, I don't get you. What is the EXACT problem? Do your
clients violate the syslog protocol? If yes, then you have to
disable log parsing for the source by using flags(no-parse);

> $MSG :
>
>
>
> IISWebLog       0       2008-09-30 14:02:40 GET
> /Localized/fr/Images/New2/tlogo.gif - 95.35.41.243 HTTP/1.1
> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+InfoPath.2)
> http://mypublicwebsite/home/regf 200 2185
>
>
>
> With $MSGONLY, I'll get :
>
>
>
> 02:40 GET /Localized/fr/Images/New2/tlogo.gif - 95.35.41.243
> HTTP/1.1
> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+InfoPath.2)
> http://mypublicwebsite/home/regf 200 2185
>
>
>
> Here is my very simple template :
>
>
>
> template t_IIS {
>         template("$MESSAGE\n");
>         template_escape(no);
> };
>
>
>
> Destination and filter :
>
> destination df_mypublicwebsite_IISWebLog {
>         file("/data/syslog/mypublicwebsite/IISWebLog" template(t_IIS));
> };
>
>
>
> filter f_mypublicwebsite_IISWebLog {
>         (host("^192\.168\.117\.131$")
>          or host("^192\.168\.117\.132$")
>          or host("^192\.168\.117\.133$")
>          or host("^192\.168\.117\.134$")
>          or host("^192\.168\.117\.135$"))
>         and facility(local4) and program("IISWebLog");
> };

Easier to use "^192\.168\.117\.13[1-5]$" and it's slightly more
efficient.

Regards,

Sandor
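
Added example, not part of the original message: a check that the single pattern suggested in the reply accepts exactly the same hosts as the five patterns in the quoted filter, and what else would be accepted if the anchors and escaped dots were dropped. Python's `re` module stands in for syslog-ng's regex engine (an assumption), and the near-miss host strings are constructed for the test.

```python
import re

# The five anchored patterns from the quoted filter.
ORIGINAL = [r"^192\.168\.117\.13%d$" % n for n in range(1, 6)]
# The single pattern suggested in the reply.
COMBINED = r"^192\.168\.117\.13[1-5]$"


def candidate_hosts():
    """Every address in 192.168.117.0/24 plus constructed near-misses."""
    hosts = ["192.168.117.%d" % n for n in range(256)]
    hosts += [
        "192.168.117.1310",   # extra trailing digit
        "1192.168.117.131",   # extra leading digit
        "192a168b117c131",    # non-dot separators
        "192.168.117.13",     # last octet too short
    ]
    return hosts


def accepted(patterns, hosts):
    """Hosts matched by at least one pattern, using unanchored search
    so that only the ^ and $ in the pattern itself restrict the match."""
    compiled = [re.compile(p) for p in patterns]
    return {h for h in hosts if any(c.search(h) for c in compiled)}


def equivalent():
    """True if the combined pattern accepts the same hosts as the five."""
    hosts = candidate_hosts()
    return accepted(ORIGINAL, hosts) == accepted([COMBINED], hosts)


def loosened_extras():
    """Hosts that slip through if ^, $ and the backslashes are dropped."""
    hosts = candidate_hosts()
    loose = r"192.168.117.13[1-5]"
    return sorted(accepted([loose], hosts) - accepted([COMBINED], hosts))


if __name__ == "__main__":
    print("combined pattern equivalent:", equivalent())
    print("extra hosts with a loosened pattern:", loosened_extras())
```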