[syslog-ng] Macro question

Michael J. Bauer mjbauer at eecs.tufts.edu
Fri Oct 30 18:52:11 CET 2009


I changed my source from

udp(ip(0.0.0.0) port(514))

to

udp(ip(0.0.0.0) port(514) flags(no-parse))

with no other changes.  The log entries now are slightly different: 
there's a <###> term, so they appear as

Oct 30 13:42:55 juniper-router <150>{wan-service-set}[FWNAT]: 
ASP_NAT_RULE_MATCH: proto 6 (TCP) application: any, 
ge-0/0/3.2:10.3.4.12:1064 -> 74.125.165.164:80, Match NAT rule-set: , 
rule: nat-outgoing, term: dynamic-nat

and the match(FWNAT) no longer works at all.

MJB

HÖLTZL Péter wrote:
> Dear Mick,
>
>   
>> I have a log message that appears in my logfiles as
>>
>> Oct 28 16:41:22 juniper-router {wan-service-set}[FWNAT]: 
>> ASP_NAT_RULE_MATCH: proto 6 (TCP) application: any, 
>> ge-0/0/3.2:10.3.13.153:49818 -> 66.249.80.148:80, Match NAT rule-set: , 
>> rule: nat-outgoing, term: dynamic-nat
>>     
>
> It seems Juniper does not send a valid RFC3164 message (wrong program/pid
> field). In addition syslog-ng does not handle it correctly (which could be
> a bug); that is why the message does not appear in any of the macros (by
> default the message should be in MSG or MSGONLY). Please try to use the
> no-parse flag at the source driver which reads incoming syslog messages.
> I hope it helps. For further info see this:
>
> http://www.balabit.hu/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s01.html
>
> search for the word no-parse and please send us the result!
>
> Best wishes,
>
> Peter
>


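Added example, not part of the original thread and not syslog-ng or Juniper code: the `<150>` that shows up with flags(no-parse) is the syslog PRI field (facility*8 + severity) from the front of the received datagram, which is kept as part of the message text when parsing is disabled. The sketch below decodes it and pulls the service set, tag and NAT flow out of the raw payload; the field layout and all names (`parse_raw`, `decode_pri`, the regexes) are assumptions inferred from the two sample lines in this thread.

```python
import re

# Payload from the post's no-parse log line (the text after the host name),
# re-joined onto one line.
SAMPLE = (
    "<150>{wan-service-set}[FWNAT]: ASP_NAT_RULE_MATCH: proto 6 (TCP) "
    "application: any, ge-0/0/3.2:10.3.4.12:1064 -> 74.125.165.164:80, "
    "Match NAT rule-set: , rule: nat-outgoing, term: dynamic-nat")

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# Layout inferred from the sample lines in this thread (an assumption,
# not a Juniper format specification).
RAW = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"        # optional syslog PRI, e.g. <150>
    r"\{(?P<service_set>[^}]*)\}"      # {wan-service-set}
    r"\[(?P<tag>[^\]]*)\]:\s*"         # [FWNAT]:
    r"(?P<event>[A-Z0-9_]+):\s*(?P<body>.*)$", re.S)
FLOW = re.compile(
    r"proto (?P<proto>\d+) \((?P<proto_name>\w+)\).*?"
    r"(?P<ifname>[\w/.-]+):(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)", re.S)
RULE = re.compile(r"rule: (?P<rule>[\w-]+), term: (?P<term>[\w-]+)")

def decode_pri(pri):
    """PRI = facility * 8 + severity; return (facility number, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return pri >> 3, SEVERITIES[pri & 7]   # 150 -> (18, "info"); 18 is local2

def parse_raw(line):
    """Return a dict of fields, or None if the line does not fit the layout."""
    m = RAW.match(line.strip())
    if m is None:
        return None
    rec = {k: m.group(k) for k in ("service_set", "tag", "event")}
    if m.group("pri") is not None:
        rec["facility"], rec["severity"] = decode_pri(int(m.group("pri")))
    for rx in (FLOW, RULE):
        found = rx.search(m.group("body"))
        if found:
            rec.update(found.groupdict())
    return rec

if __name__ == "__main__":
    for key, value in parse_raw(SAMPLE).items():
        print(f"{key:12} {value}")
```

The PRI group is optional, so the same function also accepts the payload as it looked in the earlier log line, which has no `<150>` in front of `{wan-service-set}`.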