[syslog-ng] syslog-ng 3.1.1 "cuts" off the first character of the Apache error log when forwarding

Sandor Geller Sandor.Geller at morganstanley.com
Fri Apr 23 15:00:00 CEST 2010


Hi,

> I have a weird problem with syslog-ng. I am setting up a syslog-ng client on an Apache server which forwards both the access and error log to a central syslog-ng server.

First of all please note that you're trying to deal with
non-standard-compliant messages. syslog-ng tries to parse the incoming
log lines trying various known syslog formats.

> The access log on the source has entries like this:
> 10.3.154.20 - - [23/Apr/2010:13:55:25 +0200] "GET /images/userLo...
> and this becomes like this on the syslog server:
> servername 10.3.154.20: - - [23/Apr/2010:13:55:25 +0200] "GET /images/use

The first syslog-ng (which receives the apache log) parses the line.
There is no syslog header found, so it falls back to the legacy format.
There is neither a priority code nor a timestamp, so the IP address becomes
the program name. That's why you see it logged that way on the second server.

> All ok with this one, but with the error log I get this on the webserver:
> [Fri Apr 23 13:55:25 2010] [error] [client 10.3.154.20] File doe...
> but this on the syslog server:
> servername Apr 23 13:55:25 2010] [error] [client 10.3.154.20] File do...
>
> Where is the [ character at the beginning of the timestamp gone?????

As above, this line isn't a syslog message at all. From syslog's
perspective it's more or less random junk. The trailing '[' means
that there is no program name at all, and the parser thinks the
following string up to the closing ']' is the pid, as in normal logs,
e.g. programname[pid].

I don't see how this "pid" could appear on the receiving side with
only the closing brace. Please show your configs and the captured
network packet too.

In general, when an app doesn't speak syslog formats and there is no
option to format its logs properly, then using the no-parse option (on
all syslog-ng servers the log passes through) or writing a small app
which reformats the logs and feeds them to syslog-ng is the way to go.

Regards,

Sandor
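As an added example (not from the thread, and not syslog-ng's own code), here is the "small app which reformats the logs" approach: a Python wrapper that prepends an explicit RFC 3164 header to each Apache line, so the receiving syslog-ng finds a real program name and timestamp instead of guessing, and the leading '[' of an error-log line survives as part of the message body. The function names, the `local1` facility, the program names and the sample log lines are assumptions/constructed; the other option from the reply, `flags(no-parse)` on the source, needs no code.

```python
import socket
from datetime import datetime

# Facility and severity codes from RFC 3164 (PRI = facility * 8 + severity)
FACILITY = {"local0": 16, "local1": 17, "local2": 18, "local7": 23}
SEVERITY = {"err": 3, "warning": 4, "notice": 5, "info": 6}


def syslog_stamp(ts):
    """RFC 3164 TIMESTAMP: 'Mmm dd hh:mm:ss', day of month space-padded."""
    return f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"


def to_syslog(line, hostname, program, facility="local1", severity="info", now=None):
    """Wrap one raw Apache line in a BSD syslog header.

    With the header written explicitly, the receiver's legacy parser finds
    PRI, timestamp, host and program where it expects them and treats
    everything after 'program: ' (including a leading '[') as the message.
    """
    ts = now if now is not None else datetime.now()
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    body = line.rstrip("\r\n")
    return f"<{pri}>{syslog_stamp(ts)} {hostname} {program}: {body}"


def send_udp(message, host="127.0.0.1", port=514):
    """Hand the finished message to a syslog-ng udp() source (assumed to listen there)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("utf-8"), (host, port))


# Constructed sample lines in the shape quoted in the thread (truncated parts invented)
ACCESS_LINE = '10.3.154.20 - - [23/Apr/2010:13:55:25 +0200] "GET /images/userLogo.png HTTP/1.1" 200 4096'
ERROR_LINE = "[Fri Apr 23 13:55:25 2010] [error] [client 10.3.154.20] File does not exist: /var/www/missing"

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: tail -F /var/log/httpd/error_log | python3 wrap.py httpd-error err
        program, severity = sys.argv[1], sys.argv[2]
        for line in sys.stdin:
            send_udp(to_syslog(line, socket.gethostname(), program, severity=severity))
    else:
        # No arguments: just show what the two constructed samples turn into
        for program, severity, line in (("httpd-access", "info", ACCESS_LINE),
                                        ("httpd-error", "err", ERROR_LINE)):
            print(to_syslog(line, "webserver01", program, severity=severity))
```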

