[syslog-ng] Syslog-ng seems to be not parsing correctly if the PROGRAM macro parsing fails.

Vincent Panel vincent.panel at telindus.be
Mon Jul 27 13:57:20 CEST 2009


On Mon, 2009-07-27 at 20:01 +0900, Yu Watanabe wrote:
> Vincent Panel wrote:
> >On Mon, 2009-07-27 at 14:14 +0900, Yu Watanabe wrote:
> >> Hello all.
> >> 
> >> I am using syslog-ng v 2.0.5. 
> >> 
> >> However, I am gathering logs from Cisco Catalyst switches,
> >> but when I tried to use the PROGRAM macro it seems not to be working properly.
> >> 
> >> With Cisco switches, there seem to be messages where the program is not included
> >> in the message that is sent from the device.
> >> 
> >> I would like to know how syslog-ng parses the messages that do not have
> >> the PROGRAM name included, and what would happen if we use the PROGRAM macro
> >> for these messages.
> >> 
> >> Following is the proper message:
> >> 
> >>   Jul 27 13:17:11 l2swtich 128: %SYS-5-CONFIG_I: Configured from console by console
> >>                            ****
> >>                            There are logs that do not have this part.
> >> 
> >> 
> >See https://bugzilla.balabit.com/show_bug.cgi?id=40
> >
> I understand that when a log in a non-BSD-syslog date format comes into
> syslog-ng, it does not operate properly.

Well, your problem is not exactly the same as mine, but it was just to stress that Cisco devices
usually do not send syslog messages in an appropriate RFC-compliant format.

> Could I ask you three questions about this syslog message? It would be a
> great help if you could afford the time to answer these questions.
> 
> 1. I would like to confirm my thought about this.
>   More specifically, I saw the packet using tshark.
>   And, in the "Message:" area, the properly handled packet always has the process id at its beginning.
> 
>   Like , "128: Jun 09 2009 16:30:19: %SYS-5-CONFIG_I: Configured from console by console"
>   And , no matter what kind of date format was included in the message it was properly parsed in syslog-ng.
> 

In your first mail, the format was: MM DD HH:mm:ss HOSTNAME PROGRAM: %MSGID: CONTENT
Now, it is: PROGRAM: MM DD YYYY HH:mm:ss: %MSGID: CONTENT
I have also seen: MM DD YYYY HH:mm:ss %MSGID: CONTENT
And: MM DD YYYY HH:mm:ss HOSTNAME %MSGID: CONTENT

So, it's difficult for syslog-ng to parse headers correctly because no one follows the same convention... I wish syslog-ng
allowed the user to specify the format of the header that could be received.


>   I thought the reason why it was not parsed correctly was whether the process id had existed or not in the packet.
>   Am I on the wrong point? I apologize if I was giving a wrong opinion.
> 
> 2. Just want to confirm if syslog-ng stops processing the destination driver process,
>    whenever it goes messy with the PROGRAM macro?
> 
> 3. So for now, to escape from syslog-ng being improper, should I not use the PROGRAM macro?
> 

I can't tell you, sorry... I'm not developing syslog-ng and have never
used the PROGRAM macro.
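Added example, not from this thread and not syslog-ng code: the four header layouts listed above (plus a fifth with the "*" that IOS prepends when its clock is not synchronised) fed through two readers. The first mimics what a strict BSD-syslog (RFC 3164) reader does, taking whatever token follows the hostname as PROGRAM; the second is a tolerant parser that treats every header element as optional and anchors on the %FACILITY-SEVERITY-MNEMONIC id, which is the one thing IOS always sends. Background assumed here, not stated in the thread: the leading "128:" in Cisco output is a message sequence number, not a process name, so the only PROGRAM a BSD reader can ever extract from these lines is that number. The sample lines are constructed.

```python
import re
from typing import Dict, Optional

# Constructed sample lines (not taken from the thread), one per header layout
# listed above plus one with the '*' IOS prepends when its clock is not
# synchronised. In Cisco output the leading "128:" is a message sequence
# number, not a process name (assumption: background knowledge, not the thread).
SAMPLES = {
    "bsd_host_seq":   "Jul 27 13:17:11 l2switch 128: %SYS-5-CONFIG_I: Configured from console by console",
    "seq_date_year":  "128: Jun 09 2009 16:30:19: %SYS-5-CONFIG_I: Configured from console by console",
    "date_year":      "Jun 09 2009 16:30:19 %SYS-5-CONFIG_I: Configured from console by console",
    "date_year_host": "Jun 09 2009 16:30:19 l2switch %SYS-5-CONFIG_I: Configured from console by console",
    "unsynced_clock": "*Mar  1 00:02:17.415: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
}

MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
DAY = r"[ \d]\d"
TIME = r"\d{2}:\d{2}:\d{2}(?:\.\d+)?"
# Cisco message ID: %FACILITY-SEVERITY-MNEMONIC
MSGID = r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+)"

# A plain BSD-syslog (RFC 3164) header reader: after "MMM DD HH:MM:SS HOST "
# the next token up to ':' or '[' becomes PROGRAM, whatever it really is.
BSD_HEADER = re.compile(
    r"^" + MONTH + " " + DAY + " " + TIME + r" (?P<host>\S+) (?P<program>[^\s:\[]+)"
)

# Tolerant reader for the layouts above: every header element is optional and
# the match is anchored on the %MSGID, which IOS always sends.
CISCO_HEADER = re.compile(
    r"^"
    r"(?:(?P<seq>\d+): ?)?"             # sequence number in front of the timestamp
    r"(?P<unsynced>\*)?"                # '*' = clock not NTP-synchronised
    r"(?:(?P<ts>" + MONTH + " " + DAY + r"(?: \d{4})? " + TIME + r"):? ?)?"  # year and trailing ':' optional
    r"(?:(?P<host>[A-Za-z][\w.-]*) )?"  # hostname, present when BSD-framed or relayed
    r"(?:(?P<seq2>\d+): )?"             # sequence number may also follow the hostname
    + MSGID + r": (?P<msg>.*)$"
)


def naive_bsd_program(line: str) -> Optional[str]:
    """PROGRAM as a strict BSD-syslog reader extracts it, or None when the
    header does not match at all (year present, no host, leading '*' or seq)."""
    m = BSD_HEADER.match(line)
    return m.group("program") if m else None


def parse_cisco(line: str) -> Optional[Dict[str, object]]:
    """Return the header fields actually present in a Cisco IOS syslog line."""
    m = CISCO_HEADER.match(line)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "seq": g["seq"] or g["seq2"],
        "unsynced": g["unsynced"] is not None,
        "timestamp": g["ts"],
        "host": g["host"],
        "facility": g["facility"],
        "severity": int(g["severity"]),
        "mnemonic": g["mnemonic"],
        "message": g["msg"],
        "program": None,  # IOS messages carry no process/program name at all
    }


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        p = parse_cisco(line)
        print(f"{name:15s} naive PROGRAM={naive_bsd_program(line)!r:8s} "
              f"seq={p['seq']!r} host={p['host']!r} "
              f"id=%{p['facility']}-{p['severity']}-{p['mnemonic']}")
```

Only the first layout yields a PROGRAM under the BSD reader, and it is the sequence number "128"; the other layouts do not match a BSD header at all, which is the practical reason a template keyed on the PROGRAM macro cannot be relied on for these devices. The tolerant regex deliberately leaves time-zone suffixes out, because an uppercase hostname could be mistaken for one.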


