[syslog-ng] First word of log message dropped

Rudolph, Timothy L TRudolph at commnet.edu
Fri Sep 11 14:51:30 CEST 2009


Thank you both.  I see that the messages are not in correct syslog
format but am limited to what I can do at the source of the message.

The workaround, with bad_hostname(), does exactly what I needed.

Thanks again,

Tim

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Friday, September 11, 2009 7:13 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] First word of log message dropped

On Thu, 2009-09-10 at 18:33 +0000, Fegan, Joe wrote:
> In syslog protocol the first word after the timestamp is either (a)
> the name of the host that sent the message or (b) the name of the
> application that sent the message, followed by a colon. If there is no
> colon it is interpreted as format (a).
> 

and there's a workaround for this issue: use the bad_hostnames() regexp
to specify which words should not be accounted as a hostname.

e.g. you need

bad_hostnames("^duplicate$")

which will cause syslog-ng to recognize that duplicate is not a
hostname, rather a program name and everything after it the message
payload:

HOST=<sender IP address or resolved DNS name>
PROGRAM=duplicate
MSG=IP address 1.1.1.1 sent from link address 00:00:00:00:00:00

If you don't use store-legacy-msghdr this is what you'll get:

<datetime> <sender host> duplicate: IP address

and with store-legacy-msghdr the colon will be omitted.

> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu
> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Rudolph, Timothy L
> Sent: 10 September 2009 16:27
> To: syslog-ng at lists.balabit.hu
> Subject: [syslog-ng] First word of log message dropped
> 
> I've recently started using syslog-ng 3.0.4 on a Solaris system to
> collect logs from a number of devices and servers.  I've noticed a few
> instances where the first word of a log message is dropped from the
> entry written to file when comparing to the standard syslogd.
> 
> One example is a message (local1.err) that comes over the network as:
> 
> Sep 10 09:29:32 duplicate IP address 1.1.1.1 sent from link address
> 00:00:00:00:00:00
> 
> Without the store-legacy-msghdr flag, the resulting message in my log
> file generated by syslog-ng is:
> 
> Sep 10 09:29:32 so7761 IP: address 1.1.1.1 sent from link address
> 00:00:00:00:00:00
> 
> If I put the store-legacy-msghdr flag in, I only get a very minor
> change, no colon:
> 
> Sep 10 09:29:32 so7761 IP address 1.1.1.1 sent from link address
> 00:00:00:00:00:00
> 
> Is there any way I can get these entries to log correctly?
> 
> Thanks,
> 
> Tim
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
> 
-- 
Bazsi
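The parsing rule Bazsi and Joe describe above (first word after the timestamp is a hostname unless it ends in a colon, and bad_hostnames() can exclude specific words from being treated as hostnames) is easy to reproduce and test. The following Python is an added example written for this archive page, not syslog-ng's own parser: it models the BSD-syslog header heuristic on the exact message quoted in the thread, shows why the first word disappears, and shows the effect of the workaround. The sender hostname "so7761" is taken from Tim's output; the "dhcpd" line, the known-host inventory and the helper names are constructed for the example.

```python
import re

# Constructed sample lines. The first reproduces the message quoted in the thread
# as it arrives over the network; the second is a well-formed line made up here.
BROKEN_LINE = ("Sep 10 09:29:32 duplicate IP address 1.1.1.1 "
               "sent from link address 00:00:00:00:00:00")
WELLFORMED_LINE = "Sep 10 09:29:32 so7761 dhcpd: lease 1.1.1.1 renewed"
SENDER = "so7761"  # hostname the collector resolved for the sending device

# Equivalent of bad_hostnames("^duplicate$") from the thread.
BAD_HOSTNAMES = re.compile(r"^duplicate$")

# BSD-syslog timestamp ("Mmm dd hh:mm:ss") followed by the rest of the header.
HEADER_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$")


def parse_bsd_header(line, sender, bad_hostnames=None, keep_hostname=False):
    """Simplified model of the legacy header heuristic (not syslog-ng's code).

    (a) first word is a hostname, the next word is the program name;
    (b) first word ends in a colon: it is the program name, no hostname present.
    A word matching bad_hostnames is never accepted as a hostname.
    keep_hostname=False mimics the default of replacing the parsed host
    with the sender's resolved name, which is why Tim's output shows so7761.
    """
    m = HEADER_RE.match(line)
    if m is None:
        return {"DATE": "", "HOST": sender, "PROGRAM": "", "MSG": line}
    date, rest = m.group("date"), m.group("rest")
    first = rest.split(" ", 1)[0]

    looks_like_program = first.endswith(":")
    if not looks_like_program and bad_hostnames is not None \
            and bad_hostnames.search(first):
        looks_like_program = True

    if looks_like_program:
        # Format (b): the whole remainder after the program word is the payload.
        host = sender
        program = first.rstrip(":")
        msg = rest[len(first):].lstrip(" ")
    else:
        # Format (a): first word consumed as hostname, next word as program.
        host = first if keep_hostname else sender
        after_host = rest[len(first):].lstrip(" ")
        program, _, msg = after_host.partition(" ")
        program = program.rstrip(":")
    return {"DATE": date, "HOST": host, "PROGRAM": program, "MSG": msg}


def render(fields):
    """Constructed file layout '$DATE $HOST $PROGRAM: $MSG' (colon re-added)."""
    hdr = f"{fields['PROGRAM']}: " if fields["PROGRAM"] else ""
    return f"{fields['DATE']} {fields['HOST']} {hdr}{fields['MSG']}"


def hostname_candidates(lines, known_hosts):
    """Words the heuristic would take as hostnames but that are not in the
    inventory: the list to review before writing a bad_hostnames() regexp."""
    found = set()
    for line in lines:
        m = HEADER_RE.match(line)
        if m is None:
            continue
        first = m.group("rest").split(" ", 1)[0]
        if not first.endswith(":") and first not in known_hosts:
            found.add(first)
    return sorted(found)


if __name__ == "__main__":
    print("without bad_hostnames:", render(parse_bsd_header(BROKEN_LINE, SENDER)))
    print("with    bad_hostnames:",
          render(parse_bsd_header(BROKEN_LINE, SENDER, BAD_HOSTNAMES)))
    print("candidates:", hostname_candidates([BROKEN_LINE, WELLFORMED_LINE],
                                             {"so7761"}))
```

Running it prints the two lines from the thread: "IP: address 1.1.1.1 ..." without the workaround and "duplicate: IP address 1.1.1.1 ..." with it. The hostname_candidates() pass over a day of logs is the practical way to find every device that emits such headers, so the regexp covers all of them rather than only the one noticed by eye.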
