[syslog-ng] Snare and MSGONLY macro

Stewart James Stewart.James at vu.edu.au
Mon Feb 16 01:59:38 CET 2009


Hi all,

I have had an ongoing problem with SnareCore and syslog-ng; this is also
happening with LogLogic's Lasso agent.

For some services it makes sense that the system just stores the messages
without the syslog header, for example IIS logs, Apache logs and other
misc application logs. Wanting to save having to perform any post
processing, I figured I would set up a specific listener for those
applications, allowing syslog to log to
/someplace/with/lots/of/storage/YYYY/MM/DD/raw.program.servername.

Using both the Windows agents mentioned above, the macros $PROGRAM and
$MSGONLY break. $PROGRAM is expanded into some ungodly form
(MSWinEventLog\0110\011System\011325\011Mon....) and the MSGONLY macro
is garbled.

My logic tells me this is due to syslog-ng not detecting the syslog
header being sent by Snare or Lasso properly... or it is Snare and Lasso
sending the incorrect header format.

I can survive without the $PROGRAM macro working correctly. The MSGONLY
macro is a bit more of a pain, though; I would rather use the native
capabilities of syslog-ng.

I have just updated to 2.0.9 (from Debian Lenny) to confirm this is
still a problem for me. I see 3.0.x is out but am not sure if this is
something that would be corrected if I went down that path.

Thanks,

Stewart
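As an added illustration, not part of Stewart's post and not syslog-ng's or either agent's own code: a simplified BSD-syslog split that models the failure described above, yielding a tab-laden $PROGRAM and a truncated $MSGONLY from a constructed Snare-style line, beside a tab-aware parse that recovers the event fields instead. The "program runs up to the first ':' or '['" heuristic, the sample lines and the Snare field names are assumptions.

```python
import re
# Constructed sample lines, not from the post: CLASSIC has the "program[pid]: text"
# shape a BSD-syslog parser expects; SNARE has a tab-delimited payload without it.
CLASSIC = "<13>Feb 16 01:59:38 dbhost sshd[4242]: Accepted publickey for admin"
SNARE = ("<13>Feb 16 01:59:38 winhost MSWinEventLog\t0\tSystem\t325\t"
         "Mon Feb 16 01:59:38 2009\t7036\tService Control Manager\tN/A\tN/A\t"
         "Information\twinhost\tNone\t\tThe Print Spooler service entered "
         "the running state.")

HEADER = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
# Assumed model of the legacy heuristic (PROGRAM runs to the first ':' or '[');
# it illustrates the failure and is not syslog-ng's actual parser code.
PROGRAM = re.compile(r"^([^:\[]*)(?:\[(\d+)\])?:?\s*(.*)$", re.S)
# Assumed Snare field order after the MSWinEventLog tag; verify against the agent docs.
SNARE_FIELDS = ("Criticality", "EventLogSource", "SnareCounter", "DateTime",
                "EventID", "SourceName", "UserName", "SIDType", "EventLogType",
                "ComputerName", "CategoryString", "DataString", "ExpandedString")

def split_header(line):
    """Return (pri, timestamp, host, rest) or raise on a malformed header."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a BSD-syslog line")
    return m.groups()

def bsd_parse(line):
    """Header-driven split: what $PROGRAM and $MSGONLY would hold."""
    _pri, _ts, host, rest = split_header(line)
    program, pid, msgonly = PROGRAM.match(rest).groups()
    return {"host": host, "program": program, "pid": pid or "", "msgonly": msgonly}

def snare_parse(line):
    """Defender's fix: recognise the Snare tag and split the payload on tabs so
    every event field lands in a named column instead of a mangled macro."""
    _pri, _ts, host, rest = split_header(line)
    if not rest.startswith("MSWinEventLog\t"):
        return None
    fields = dict(zip(SNARE_FIELDS, rest.split("\t")[1:]))
    fields["host"] = host
    return fields

def octal_tabs(s):  # render tabs as \011, the way the escaped $PROGRAM value shows them
    return s.replace("\t", "\\011")

if __name__ == "__main__":
    broken = bsd_parse(SNARE)
    print("PROGRAM:", octal_tabs(broken["program"]))
    print("MSGONLY:", octal_tabs(broken["msgonly"]))
    print("ExpandedString:", snare_parse(SNARE)["ExpandedString"])
```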
