[syslog-ng] Removing Prefixes from Syslog-ng Messages

adam.j.brendamour at accenture.com
Wed Apr 22 18:08:12 CEST 2009


I am using the syslog() drivers to send and receive messages.  The
original message polled from a file log is: 
[16/Apr/2009:09:31:02 -0700] "GET / HTTP/1.1" 302 427 "-" "-"

Syslog-ng then sends the message to the relay server, adding the header
to the original message:
16 09:31:07 hostname IP - -

The syslog-ng relay collects the messages and forwards them on to
another source and the header gets changed to this:
Apr 16 09:31:07 relay_IP 125 <0>1 2009-04-16T09:31:02-07:00 hostname - - - - IP - -

I am using the syslog() drivers across the board on the client and
relay.  Unfortunately, through testing and research, I have not found a
way to stop these headers from being created at the beginning of the
syslog messages.

Regards,
Adam
-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs
Scheidler
Sent: Wednesday, April 22, 2009 6:24 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Removing Prefixes from Syslog-ng Messages

On Thu, 2009-04-16 at 11:39 -0500, adam.j.brendamour at accenture.com
wrote:
> Hello all,
>
> I am having issues with syslog-ng adding prefixes to my messages.  I
> currently have a syslog-ng agent sending messages from a log source to
> a syslog-ng central server.  I am then sending the messages from the
> central server to a 3rd party event management program.  Is there a
> way to forward an unchanged syslog-ng message from the relay server?
>
> For example:
>
> Message arriving from source:
>
> Apr 16 09:31:07 psrdev47 10.56.9.12 - - [16/Apr/2009:09:31:02 -0700] "GET / HTTP/1.1" 302 427 "-" "-"
>
> Message being forwarded from server:
>
> Apr 16 09:31:07 10.56.2.77 125 <0>1 2009-04-16T09:31:02-07:00 psrdev47 - - - - 10.56.9.12 - - [16/Apr/2009:09:31:02 -0700] "GET / HTTP/1.1" 302 427 "-" "-"
>

You should use the syslog() driver to receive messages formatted to the
new IETF protocol standard.


-- 
Bazsi


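Added illustration (not part of the thread and not syslog-ng code): the forwarded line quoted above reads as an IETF-format (RFC 5424) frame with an octet-count prefix (`125`) that has been wrapped in a second, legacy BSD-style header. The sketch below unwraps such a line so a downstream collector can recover the original fields. The names `unwrap` and `split_sd` are hypothetical, and treating the count as including one stripped trailing newline is an assumption.

```python
import re

# Forwarded line exactly as quoted in the thread above.
FORWARDED = ('Apr 16 09:31:07 10.56.2.77 125 <0>1 2009-04-16T09:31:02-07:00 '
             'psrdev47 - - - - 10.56.9.12 - - [16/Apr/2009:09:31:02 -0700] '
             '"GET / HTTP/1.1" 302 427 "-" "-"')

# Outer legacy (BSD-style) header: "Mmm dd hh:mm:ss HOST " + wrapped payload.
BSD = re.compile(r'^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<relay>\S+) '
                 r'(?P<rest>.*)$', re.S)
# Inner frame: octet count, then the RFC 5424 header fields up to MSGID.
IETF = re.compile(r'^(?P<len>\d+) (?P<frame><(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) '
                  r'(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) '
                  r'(?P<msgid>\S+) (?P<tail>.*))$', re.S)


def split_sd(tail):
    """Split 'STRUCTURED-DATA [SP MSG]' into (sd, msg); sd is None for '-'."""
    if tail.startswith('-'):
        return None, tail[2:]
    i = 0
    while i < len(tail) and tail[i] == '[':       # one or more [id k="v"] elements
        i += 1
        while i < len(tail) and tail[i] != ']':
            i += 2 if tail[i] == '\\' else 1      # skip escaped chars such as \]
        i += 1
    return tail[:i], tail[i + 1:]


def unwrap(line):
    """Return the inner IETF fields of a double-headed line, else None."""
    outer = BSD.match(line)
    inner = IETF.match(outer['rest']) if outer else None
    if not inner:
        return None                               # plain legacy line, nothing to unwrap
    sd, msg = split_sd(inner['tail'])
    pri, declared = int(inner['pri']), int(inner['len'])
    size = len(inner['frame'].encode('utf-8'))
    return {
        'relay': outer['relay'], 'host': inner['host'], 'timestamp': inner['ts'],
        'facility': pri >> 3, 'severity': pri & 7,
        'structured_data': sd, 'msg': msg, 'declared_len': declared,
        # Assumption: the count may include one newline removed as line terminator.
        'length_ok': declared in (size, size + 1),
    }


if __name__ == '__main__':
    print(unwrap(FORWARDED))
```

A collector that sees `length_ok` true on lines like this is receiving framed IETF syslog through a legacy parser, which is a receiver-side configuration issue rather than corruption in transit.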