[syslog-ng] Syslog-ng seems to be not parsing correctly if the PROGRAM macro parsing fails.

Yu Watanabe yu.watanabe at jp.fujitsu.com
Mon Jul 27 13:01:23 CEST 2009 

TO : Mr.Panel

Hello Vincent.

Thank you for the reply.

I understand that the non BSD-syslog date format log comes into 
syslog-ng , it does not operate properly.

Could I ask you three questions about this syslog message? It would be a
great help if you could afford time answering with these questions. 

1. I would like to confirm my thought about this. 
  More specifically, I saw the packet using tshark.
  And, in the "Message:" area, the properly handled packet always has the process id in its beginning.

  Like , "128: Jun 09 2009 16:30:19: %SYS-5-CONFIG_I: Configured from console by console"
  And , no matter what kind of date format was included in the message it was properly parsed in syslog-ng.

  I thought the reason why it was not parsed correcly, was whether the process id had existed or not in the packet.
  Am I on the wrong point? I apologize if I was giving a wrong opinion.

2. Just want to confirm if syslog-ng stops processing the destination driver process,
   whenever it goes messy with the PROGRAM macro?

3. So for now , to escape from syslog-ng being inproper, should I not use the PROGRAM macro?

Best Regards,
Yu Watanabe

Vincent Panel さんは書きました:
>On Mon, 2009-07-27 at 14:14 +0900, Yu Watanabe wrote:
>> Hello all.
>> 
>> I am using syslog-ng v 2.0.5. 
>> 
>> However, I am gathering logs from the cisco catalyst switches,
>> but when I tried to use the PROGRAM macro it seems not be working properly.
>> 
>> In Cisco switches , there seems to be messages that program is not included
>> in the message that is sent from the device.
>> 
>> I would like to know how does syslog-ng parses the messages that does not have
>> the PROGRAM name included and what would happen if we use the PROGRAM macro
>> for these message.
>> 
>> Following is the proper message:
>> 
>>   Jul 27 13:17:11 l2swtich 128: %SYS-5-CONFIG_I: Configured from console by console
>>                            ****
>>                            There are logs that does not have this part.
>> 
>> 
>See https://bugzilla.balabit.com/show_bug.cgi?id=40
>
>______________________________________________________________________________
>Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>FAQ: http://www.campin.net/syslog-ng/faq.html
>
>

More information about the syslog-ng mailing list