[syslog-ng] parsing netapp syslog (2)

David - DCPC dcpc.dev at gmail.com
Wed May 20 09:10:52 CEST 2009


Hello,
I'm new to syslog-ng.
I use v3.0.2 on CentOS 4.4.

I send syslog logs from a NetApp FAS 2020 (*.*) to the syslog-ng server via
UDP.

I have a problem analysing those logs. The lines have a different format
than the standard syslog from another Unix, for example, and differ from
the BSD or IETF standards described in the syslog-ng documentation:
(...)
Tue May 19 11:27:30 CEST [netapp-L: wafl.quota.qtree.exceeded:notice]: tid
10: tree quota exceeded on volume linusers. Additional warnings will be
suppressed for approximately 60 minutes or until a 'quota resize' is
performed.
(...)

1°) When I use it in syslog-ng, I get this line in a sample extraction
without a filter:
(...)
May 19 11:27:30 netapp-b wafl.quota.qtree.exceeded:notice]: tid 10: tree
quota exceeded on volume linusers. Additional warnings will be suppressed
for approximately 60 minutes or until a 'quota resize' is performed.
(...)
(The difference between host names should come from the renaming of hosts
during tests, and DNS aliases; I don't think this is the problem.)

Is it possible to correct the process that parses the original line? It
seems that the parser block can be used only for the $MESSAGE part of the
line.

2°) I want to use other macros to make some filters and destinations, like
$PROGRAM. Is it possible to 'debug' the processing and get details of the
macros and their contents, line by line?

Thx

(sorry for the first miss)
-- 
Regards,
David CHALON
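
The raw NetApp line quoted in the message above carries a weekday and a timezone in its timestamp and puts the host, event name and severity inside brackets. As an added example (not part of the original post and not syslog-ng code), this Python parser splits that layout into fields; the regex, the field names and `parse_netapp_line` are assumptions inferred from the single sample line shown.

```python
import re
from datetime import datetime

# Layout inferred from the one sample line in the post (an assumption):
#   Dow Mon DD HH:MM:SS TZ [host: event.name:severity]: message
NETAPP_LINE = re.compile(
    r"^(?P<dow>[A-Z][a-z]{2}) (?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[A-Za-z]{2,5}) "
    r"\[(?P<host>[^\s:\]]+): (?P<event>[^\s:\]]+):(?P<severity>[A-Za-z]+)\]: "
    r"(?P<message>.*)$"
)

# Raw line as sent by the filer, copied from the post with its mail wrapping.
RAW_SAMPLE = (
    "Tue May 19 11:27:30 CEST [netapp-L: wafl.quota.qtree.exceeded:notice]: tid\n"
    "10: tree quota exceeded on volume linusers. Additional warnings will be\n"
    "suppressed for approximately 60 minutes or until a 'quota resize' is\n"
    "performed."
)
# First line of the record as it came out of syslog-ng, copied from the post.
REWRITTEN_SAMPLE = (
    "May 19 11:27:30 netapp-b wafl.quota.qtree.exceeded:notice]: tid 10: tree"
)


def parse_netapp_line(raw, year):
    """Return a dict of fields, or None if the line is not in this layout.

    `year` is supplied by the caller because the line itself carries none.
    """
    # Collapse whitespace runs so a record wrapped across lines still matches.
    line = " ".join(raw.split())
    m = NETAPP_LINE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # Abbreviations such as CEST are ambiguous, so the timestamp stays naive
    # and the abbreviation is returned as its own field.
    try:
        fields["timestamp"] = datetime.strptime(
            "{mon} {day} {time} {0}".format(year, **fields), "%b %d %H:%M:%S %Y"
        )
    except ValueError:  # impossible date such as "Feb 30"
        return None
    return fields
```

The line that has already been rewritten by the receiving parser no longer matches this layout and returns `None`, which makes it easy to tell raw records from ones whose bracketed header was consumed.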