[syslog-ng] Syslog-NG 3.0.5 incorrectly parsing messages without program names
Balazs Scheidler
bazsi at balabit.hu
Mon Dec 14 15:26:37 CET 2009
On Fri, 2009-12-11 at 12:12 -0800, Larry Low wrote:
> > > In the past I used the MSG macro to get the full syslog message. Now
> > > MSG is broken into MSG and MSGHDR.
> > >
> > > If a message comes in without a program name such as "exiting on
> > > signal 15" or "last message repeated 20 times", syslog-ng incorrectly
> > > takes the first word as the program name. Trying to rebuild it with
> > > $MSGHDR$MSG causes an erroneous : to be placed on these messages since
> > > $MSGHDR is filled in with "exiting" and "last".
> >
> > I found a previous post and tried adding store-legacy-msghdr. The
> > problem now is that MSGHDR still includes the first word such as
> > "exiting" and "last" but no colon but on messages like "kernel : Kernel
> > logging (proc) stopped.", "kernel: " is put in MSGHDR but then also
> > placed in MSG and MSGONLY.
>
> Noticed one more thing, if the PID is included in the syslog message then MSG and MSGONLY do not repeat process and pid when store-legacy-msghdr on.
If you enable 'store-legacy-msghdr', syslog-ng will not try hard to
properly parse program/pid information from the incoming message; rather,
it simply stores all the characters up to the first space/colon
character in MSGHDR.
But still $MSG will _not_ contain any of that. In order to get the full
message you need to use
$MSGHDR$MSG
in your template (which of course the default contains).
This whole stuff was needed to be able to convert old-style (RFC3164)
syslog to new style (RFC5424) in which case both the program name and
the PID become separate fields in the syslog header.
--
Bazsi
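An added model, not syslog-ng's own code, of the two header splits discussed in this thread: the default split that derives PROGRAM/PID and rebuilds MSGHDR with a colon, and the 'store-legacy-msghdr' split Bazsi describes. The header regex, the treatment of the separator as part of MSGHDR, and the sample messages are assumptions made here for illustration.

```python
import re
from dataclasses import dataclass

# Assumed program-name/PID header shape; syslog-ng's real rules are not on the page.
_HDR_RE = re.compile(r'^([A-Za-z0-9_./-]+)(?:\[(\d+)\])?: ')

@dataclass
class Parsed:
    program: str   # $PROGRAM
    pid: str       # $PID, "" when absent
    msghdr: str    # $MSGHDR
    msg: str       # $MSG

def parse_default(body: str) -> Parsed:
    """Default behaviour as reported in the thread: PROGRAM/PID are extracted and
    MSGHDR is rebuilt as 'PROGRAM[PID]: '. A message with no 'name:' header gets
    its first word taken as PROGRAM, so the rebuilt header gains a bogus colon."""
    m = _HDR_RE.match(body)
    if m:
        program, pid, msg = m.group(1), m.group(2) or '', body[m.end():]
    else:
        program, _, msg = body.partition(' ')
        pid = ''
    msghdr = f'{program}[{pid}]: ' if pid else f'{program}: '
    return Parsed(program, pid, msghdr, msg)

def parse_legacy(body: str) -> Parsed:
    """store-legacy-msghdr as Bazsi describes it: the characters up to the first
    space or colon are stored verbatim in MSGHDR. Keeping the separator run in
    MSGHDR is an assumption here so that $MSGHDR$MSG reproduces the input.
    PROGRAM/PID are not modelled in this mode (the reply says they are not
    parsed carefully), so they are left empty."""
    m = re.match(r'^[^ :]*[ :]*', body)
    return Parsed('', '', m.group(0), body[m.end():])

def rebuild(p: Parsed) -> str:
    """The '$MSGHDR$MSG' template from the reply."""
    return p.msghdr + p.msg

# Constructed sample messages, modelled on the ones in the thread.
if __name__ == '__main__':
    for body in ('exiting on signal 15', 'last message repeated 20 times',
                 'sshd[1234]: Accepted publickey for alice'):
        d, l = parse_default(body), parse_legacy(body)
        print(f'{body!r}: default -> {rebuild(d)!r}, legacy -> {rebuild(l)!r}')
```

The practical consequence for log analysis: on headerless messages $PROGRAM holds an arbitrary first word, so filters or detection rules keyed on it are unreliable there, while $MSGHDR$MSG under store-legacy-msghdr keeps the original text intact.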