[syslog-ng] parsing netapp syslog (2)
bazsi at balabit.hu
Thu May 21 09:12:20 CEST 2009
On Wed, 2009-05-20 at 09:10 +0200, David - DCPC wrote:
> I'm new on syslog-ng.
> I use v3.0.2 on a CentOS 4.4.
> I send syslog logs from a netapp FAS 2020 (*.*) to the syslog-ng
> server via udp.
> I have problem to analyse thoses logs. the lines have a different
> format than the standard syslog from another unix by example and are
> different than the BSD or IETF standard described in the syslog-ng
> documentation :
> Tue May 19 11:27:30 CEST [netapp-L: wafl.quota.qtree.exceeded:notice]:
> tid 10: tree quota exceeded on volume linusers. Additional warnings
> will be suppressed for approximately 60 minutes or until a 'quota
> resize' is performed.
hmm this includes an additional timezone & day information, neither of
which is supported by syslog-ng in this format.
These date formats are supported right now:
/* RFC3339 timestamp, expected format: YYYY-MM-DDTHH:MM:SS[.frac]<+/->ZZ:ZZ */
/* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */
/* LinkSys timestamp, expected format: MMM DD HH:MM:SS YYYY */
/* RFC 3164 timestamp, expected format: MMM DD HH:MM:SS ... */
> 1°) When i use it in syslog-ng i get this line in a sample extraction
> without filter :
> May 19 11:27:30 netapp-b wafl.quota.qtree.exceeded:notice]: tid 10:
> tree quota exceeded on volume linusers. Additional warnings will be
> suppressed for approximately 60 minutes or until a 'quota resize' is
hmm.. I don't see how the timestamp was recognized, but I'm adding your
message to the testcases to see how....
I did, as it seems that syslog-ng assumes there's no date in the message
(since it is not recognized), then the first word is recognized as the
name of the program (e.g. $PROGRAM becomes Tue, since that's the first
> (difference between host named should come from the renaming of hosts
> during tests, and dns aliases, don't think this is the problem).
> Is it possible to correct the processus that parse the original line ?
> it seems that the parser block can be used only for the $MESSAGE part
> of the line.
you can use the 'no-parse' flag on your source, which means that the
complete incoming line is put in $MSG and the rest ($DATE and $HOST are
filled based on the reception information, e.g. the reception date and
the host that sent the message)
> 2°) It want to use other macro to make some filter and destination,
> like $PROGRAM. Is it possible to 'debug' the processing and have a
> details of macros and their contents, line by line ?
if you enable --debug option you can get debug output on filter
More information about the syslog-ng