[syslog-ng] Syslog-NG 3.0.5 incorrectly parsing messages without program names

Larry Low llow at telesphere.com
Tue Dec 15 17:06:32 CET 2009


> On Mon, 2009-12-14 at 08:21 -0800, Larry Low wrote:
> > > On Fri, 2009-12-11 at 12:12 -0800, Larry Low wrote:
> > > > > > In the past I used the MSG macro to get the full syslog message.
> > > > > > Now MSG is broken into MSG and MSGHDR.
> > > > > >
> > > > > > If a message comes in without a program name such as "exiting on
> > > > > > signal 15" or "last message repeated 20 times", syslog-ng
> > > > > > incorrectly takes the first word as the program name.  Trying to
> > > > > > rebuild it with $MSGHDR$MSG causes an erroneous : to be placed on
> > > > > > these messages since $MSGHDR is filled in with "exiting" and "last".
> > > > >
> > > > > I found a previous post and tried adding store-legacy-msghdr.  The
> > > > > problem now is that MSGHDR still includes the first word such as
> > > > > "exiting" and "last" but no colon but on messages like "kernel :
> > > > > Kernel logging (proc) stopped.", "kernel: " is put in MSGHDR but
> > > > > then also placed in MSG and MSGONLY.
> > > >
> > > > Noticed one more thing, if the PID is included in the syslog message
> > > > then MSG and MSGONLY do not repeat process and pid when
> > > > store-legacy-msghdr on.
> > >
> > > if you enable 'store-legacy-msghdr' syslog-ng will not try hard to
> > > properly parse program/pid information from the incoming message,
> > > rather it simply stores all the characters up to the first space/colon
> > > character in MSGHDR.
> > >
> > > But still $MSG will _not_ contain any of that. In order to get the
> > > full message you need to use
> > >
> > > $MSGHDR$MSG
> > >
> > > Yes but does not work when parsing "program: ".  When this happens
> > > both MSGHDR and MSG include "program: ".  Both "program " and
> > > "program[pid]: ", however, do get placed in MSGHDR and not repeated
> > > in MSG.
> 
> I really try to understand, but I can't. Can you please post an example
> log message, how you feel it should be processed and why syslog-ng
> doesn't do the right thing?
> 
> Thanks.
> 

With 'store-legacy-msghdr' on.

Message = "program: I am logging something."
$MSGHDR = "program: "
$MSG = "program: I am logging something."
$MSGHDR$MSG = "program: program: I am logging something."

> 
> --
> Bazsi
> 

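Added example (not part of the original message and not syslog-ng code): a downstream workaround for the duplication reported above, which rebuilds the full message from $MSGHDR and $MSG without prepending a header that $MSG already carries. The function names and the tab-separated "$MSGHDR\t$MSG" record layout are assumptions made for illustration.

```python
# Added example: consumer-side workaround, not syslog-ng's own code.
# Assumption: the destination writes one record per line as
# "<MSGHDR>\t<MSG>" (hypothetical layout chosen for this sketch).


def rebuild(msghdr: str, msg: str) -> str:
    """Return the full message text from the $MSGHDR and $MSG values.

    With store-legacy-msghdr on, the thread reports that a "program: "
    header is stored in MSGHDR and is also left at the start of MSG,
    while "program[pid]: " and "program " headers appear in MSGHDR only.
    """
    if msghdr and msg.startswith(msghdr):
        # Header already present in MSG: prepending would duplicate it.
        return msg
    return msghdr + msg


def rebuild_line(line: str) -> str:
    """Split one "<MSGHDR>\t<MSG>" record and rebuild the message."""
    msghdr, sep, msg = line.rstrip("\n").partition("\t")
    if not sep:
        # No separator: the record carries the message text only.
        return msghdr
    return rebuild(msghdr, msg)


# Constructed sample values modelled on the cases described in the thread.
SAMPLES = [
    ("program: ", "program: I am logging something."),  # reported duplicate
    ("program[123]: ", "I am logging something."),      # header only in MSGHDR
    ("exiting ", "on signal 15"),                        # no program name
]

if __name__ == "__main__":
    for hdr, body in SAMPLES:
        print(repr(rebuild(hdr, body)))
```

A message whose body really does begin with a second copy of its own header is collapsed to one copy by this check, so keep the raw fields as well if exact fidelity matters for later analysis.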