[syslog-ng] Forwarded messages modified by syslog-ng
Balazs Scheidler
bazsi at balabit.hu
Wed Jul 8 10:02:15 CEST 2009
On Tue, 2009-07-07 at 11:40 -0400, srainville at videotron.ca wrote:
> I'm using syslog-ng 3.0.3 to collect and forward some messages to
> another syslog-ng 3.0.3 server. The messages are in the following
> format and are received via UDP:
>
> Jul 7 11:26:53 SERVERNAME [aaa][info] xmlfirewall(Testservices):
> trans(534491553)[request]: Policy(Testpolicy): Message allowed
>
> I use the following destination configuration:
> destination testserver { udp("testserver" port(514)); };
>
>
> The messages arrive in this format:
> Jul 7 11:26:53 SERVERNAME [info] xmlfirewall(Testservices):
> trans(534491553)[request]: Policy(Testpolicy): Message allowed
>
>
> It removed the [aaa] from the original message. I tried adding a
> template to the destination that used $MSG, but it didn't change the
> output. Is there a way to tell syslog-ng to not modify the original
> message? I don't recall having this issue with version 2.0.x.
>
syslog-ng 3.0 parses and rebuilds the program header information by
default (in order to properly support the new IETF syslog protocols).
The format it understands is
date host program[pid]:
It has some heuristics, but your [aaa][info] does not match the
program[pid] format that syslog-ng expects.
You could use the "store-legacy-msghdr" flag in which case you can get
the original contents of the message at the price of some performance,
and I also planned to tune the parsing heuristics a bit further, but
that's always risky business: changing the heuristics for an ambiguous
message format that has a lot of violating implementations is, well,
risky at the very least.
For now, please try the store-legacy-msghdr flag and see if that solves
your problem.
--
Bazsi
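
Added example, not part of the original post and not syslog-ng code: a small audit that compares a message as sent with the same message as received from a relay, reports the tokens lost in transit, and notes whether the sent line had a `date host program[pid]:` header. The regular expressions are a simplified assumption of that format, not syslog-ng's actual heuristics, and the function names and the second sample line are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Simplified model of the "date host program[pid]:" header described above.
# Assumption for illustration only; these are not syslog-ng's real heuristics.
HEADER_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s\[\]:]+)(?:\[(?P<pid>\d+)\])?: "
)
TOKEN_RE = re.compile(r"\[[^\]]*\]|\S+")  # bracket groups, else words


def header_conforms(line):
    """True if the line starts with date, host and a program[pid]: tag."""
    return HEADER_RE.match(line) is not None


def dropped_tokens(sent, received):
    """Tokens present in the sent line but missing or altered on arrival."""
    a, b = TOKEN_RE.findall(sent), TOKEN_RE.findall(received)
    ops = SequenceMatcher(None, a, b, autojunk=False).get_opcodes()
    return [tok for tag, i1, i2, _, _ in ops
            if tag in ("delete", "replace") for tok in a[i1:i2]]


def audit(pairs):
    """Report each (sent, received) pair whose content changed in transit."""
    findings = []
    for sent, received in pairs:
        lost = dropped_tokens(sent, received)
        if lost:
            findings.append({"conforms": header_conforms(sent), "lost": lost})
    return findings


# Constructed samples: the first pair is the message from this thread joined
# onto one line; the second is an invented line with a conforming header.
SAMPLES = [
    ("Jul 7 11:26:53 SERVERNAME [aaa][info] xmlfirewall(Testservices): "
     "trans(534491553)[request]: Policy(Testpolicy): Message allowed",
     "Jul 7 11:26:53 SERVERNAME [info] xmlfirewall(Testservices): "
     "trans(534491553)[request]: Policy(Testpolicy): Message allowed"),
    ("Jul 7 11:27:01 SERVERNAME sshd[4242]: session opened",
     "Jul 7 11:27:01 SERVERNAME sshd[4242]: session opened"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

Running the same comparison on a sample of traffic before and after a relay upgrade shows which sources emit headers that a parsing relay will rewrite.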