[syslog-ng] Strange behaviour of syslog-ng. Date macros not working and missing character in file name.

Balazs Scheidler bazsi at balabit.hu
Wed Sep 30 21:58:47 CEST 2009


Hi,

The problem is that syslog-ng thinks that the first four digits of the
program name are "year" information, as some devices include that in
their timestamp.

This is fixed in syslog-ng OSE 3.0; I haven't checked 2.1. I'd recommend
upgrading to 3.0; we do have Debian packages available.

On Wed, 2009-09-30 at 14:16 +0200, Nilshar wrote:
> Any idea ? :/
> 
> 2009/9/28 Nilshar <nilshar at gmail.com>:
> > Hello,
> >
> > I got a strange problem with syslog-ng (Debian Lenny version (2.0.9)).
> >
> > I got the following configuration :
> >
> > destination df_va_access {
> >        file("/var/log/apache/${PROGRAM}-access-${YEAR}${MONTH}${WEEK}${DAY}00.log"
> >        perm(0660)
> >        dir_perm(0775)
> >        template("${MSGONLY}\n")
> >        template_escape(off)) ;
> > };
> >
> > filter f_va_access {
> >        facility(local1) and
> >        level(info);
> > };
> >
> > log {
> >        source(s_all);
> >        filter(f_va_access);
> >        destination(df_va_access);
> >        flags(final);
> > };
> >
> >
> > My apache is sending logs to logger with these parameters :
> >
> > /usr/bin/logger -p local1.info -t
> > 180630f354399af972469030e7583848/4f88a0b758d5c5dc46e7f15b4bac1f5c/www.example.com-80-180630f354399af972469030e7583848-4f88a0b758d5c5dc46e7f15b4bac1f5c
> >
> >
> > But I end up with this file :
> >
> > /var/log/apache/30f354399af972469030e7583848/4f88a0b758d5c5dc46e7f15b4bac1f5c/www.example.com-80-180630f354399af972469030e7583848-4f88a0b758d5c5dc46e7f15b4bac1f5c-access-197001000100.log
> >
> > This file has 2 problems :
> > 1) the first directory is missing 3 char :
> > 30f354399af972469030e7583848 should be
> > 180630f354399af972469030e7583848
> > 2) the date is wrong : 197001000100. should be the current date
> > (system date is good).
> >
> > This looks like an overflow or something... I tried setting up another
> > conf with a simpler file, and the date is working fine.
> >
> > The *very* strange thing is that I got the same setup (with
> > different UIDs) on many different boxes, and it's working just fine. So
> > I guess there is something wrong with these particular UIDs.
> >
> > Is this a known issue? Maybe already fixed in a recent version?
> > Why is it working on most of my boxes but not this one?
> >
> > Thanks for your help.
> >
-- 
Bazsi
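
The misparse described in the reply, as an added example that is not part of the original thread and is not syslog-ng source code. It is a simplified Python model; the header layout, the sample message text, the `strict` guard, the clamp of pre-epoch times to 0 and the use of `%W` for `${WEEK}` are all assumptions.

```python
import calendar
import re
import time

# Constructed sample: what logger writes to /dev/log (no hostname field),
# using the tag from the report. The message text is made up.
TAG = ("180630f354399af972469030e7583848/4f88a0b758d5c5dc46e7f15b4bac1f5c/"
       "www.example.com-80-180630f354399af972469030e7583848-"
       "4f88a0b758d5c5dc46e7f15b4bac1f5c")
SAMPLE = "<142>Sep 28 14:16:00 " + TAG + ": GET / HTTP/1.1"

HEADER = re.compile(r"<(\d+)>(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) (.*)", re.S)
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def parse(line, strict, current_year=2009):
    """Simplified model of a BSD-syslog header parser (not syslog-ng code).

    strict=False: any four digits after the time are taken as a year.
    strict=True:  they count as a year only when whitespace follows
                  (an assumed guard, not the actual 3.0 change).
    """
    _pri, mon, day, hh, mm, ss, rest = HEADER.match(line).groups()
    year = current_year
    m = re.match(r"\d{4}", rest)
    if m and (not strict or rest[4:5].isspace()):
        year, rest = int(m.group()), rest[4:].lstrip()
    program = rest.split(":", 1)[0]
    stamp = calendar.timegm((year, MONTHS.index(mon) + 1, int(day),
                             int(hh), int(mm), int(ss)))
    # Assumption: a pre-epoch time collapses to 0, matching the 1970 date
    # seen in the report.
    return program, max(stamp, 0)

def log_path(program, stamp):
    """Expand the destination template from the post for one message."""
    # ${YEAR}${MONTH}${WEEK}${DAY}; %W is a stand-in for ${WEEK}.
    date = time.strftime("%Y%m%W%d", time.gmtime(stamp))
    return "/var/log/apache/%s-access-%s00.log" % (program, date)

def affected(tag):
    """True when a tag starts with four digits and would hit the misparse."""
    return re.match(r"\d{4}", tag) is not None

if __name__ == "__main__":
    for strict in (False, True):
        print(log_path(*parse(SAMPLE, strict)))
```

With `strict=False` the model yields the file name from the report: the leading `1806` is consumed as a year and the date part becomes `197001000100`.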
