[syslog-ng] syslog-ng 3.1.1 "cuts" off the first character of the Apache error log when forwarding

filip.nollet at bayercropscience.com filip.nollet at bayercropscience.com
Mon Apr 26 15:26:28 CEST 2010


Hi again


First of all, I already used syslog-ng before, but I had no idea it was 
doing parsing, so this is normal :p

I changed my configuration to use the no_parse function in the source 
driver of the webserver on which the syslog-ng client
forwards the messages to the syslog server. This does the trick. 

I don't even have to change the configuration on the target syslog server 
which greatly reduces configuration file changes.


Thx for the answer!


Filip




> Hi,
> 
> > I have a weird problem with syslog-ng. I am setting up a syslog-ng
> client on an Apache server which forward both access and error log 
> to a central syslog-ng server.
> 
> First of all please note that you're trying to deal with
> non-standard-compliant messages. syslog-ng tries to parse the incoming
> log lines trying various known syslog formats.
> 
> > The access log on the source has entries like this:
> > 10.3.154.20 - - [23/Apr/2010:13:55:25 +0200] "GET /images/userLo...
> > and this becomes like this on the syslog server:
> > servername 10.3.154.20: - - [23/Apr/2010:13:55:25 +0200] "GET /images/use
> 
> The first syslog-ng (which receives the apache log) parses the line.
> There is no syslog header found so it falls back to the legacy format.
> There is neither priority code nor timestamp so the IP address becomes
> the program name. That's why you see it logged on the second server.
> 
> > All ok with this one, but with the error log I get this on the webserver:
> > [Fri Apr 23 13:55:25 2010] [error] [client 10.3.154.20] File doe...
> > but this on the syslog server:
> > servername Apr 23 13:55:25 2010] [error] [client 10.3.154.20] File do...
> >
> > Where is the [ character at the beginning of the timestamp gone?????
> 
> As above, this line isn't a syslog message at all. From syslog's
> perspective it's more or less random junk. The trailing '[' means that
> there is no program name at all and the parser thinks the
> following string up to the closing ']' is the pid like in normal logs
> eg. programname[pid]
> 
> I don't see how this "pid" could appear on the receiving side with
> only the closing brace. Please show your configs and the captured
> network packet too.
> 
> In general when an app doesn't speak syslog formats and there is no
> option to format its logs properly then using the no-parse option (on
> all syslog-ng servers the log passes through) or writing a small app
> which reformats the logs and feeds to syslog-ng is the way to go.
> 
> Regards,
> 
> Sandor
> 
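The second workaround Sandor mentions, a small program that reformats the Apache lines before they reach syslog-ng, as an added example (this is not code from the thread or from syslog-ng). Each Apache line is kept verbatim as the syslog MSG part and prefixed with an RFC 3164 header (PRI, timestamp, host, program), so the receiving syslog-ng finds a real header instead of guessing the program name from an IP address or a '['. The host name "webserver", the program names apache-error and apache-access, the local0 facility and the sample lines are constructed for the example.

```python
"""Wrap Apache error_log / access_log lines in RFC 3164 syslog headers.

Added example for the syslog-ng thread on Apache logs losing their first
character; it is not syslog-ng code. Host, program names, facility and
the sample lines below are constructed.
"""
import re

# RFC 3164 facility / severity codes used to build the PRI field.
FACILITY_LOCAL0 = 16      # assumption: local0 for web server logs
SEVERITY_ERR = 3
SEVERITY_INFO = 6

# Apache error_log: "[Fri Apr 23 13:55:25 2010] [error] ..." (day may be
# space padded to two characters like ctime()).
ERROR_TS = re.compile(
    r"^\[(\w{3}) (\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\d{4})\] \[(\w+)\]")

# Apache access log (common/combined): "... [23/Apr/2010:13:55:25 +0200] ..."
ACCESS_TS = re.compile(
    r"\[(\d{2})/(\w{3})/(\d{4}):(\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# Apache error levels mapped onto syslog severities.
APACHE_LEVELS = {
    "emerg": 0, "alert": 1, "crit": 2, "error": 3,
    "warn": 4, "notice": 5, "info": 6, "debug": 7,
}


def pri(facility, severity):
    """PRI = facility * 8 + severity, as RFC 3164 defines it."""
    return facility * 8 + severity


def to_rfc3164(line, host, facility=FACILITY_LOCAL0):
    """Return LINE as an RFC 3164 message, or None if it is not Apache log.

    The header timestamp is taken from the Apache line itself, so the
    relay does not have to guess one. The Apache text is left untouched.
    """
    m = ERROR_TS.match(line)
    if m:
        _, mon, day, hms, _, level = m.groups()
        program = "apache-error"              # assumed program name
        severity = APACHE_LEVELS.get(level, SEVERITY_ERR)
    else:
        m = ACCESS_TS.search(line)
        if not m:
            return None                        # not an Apache line we know
        day, mon, _, hms = m.groups()
        program = "apache-access"             # assumed program name
        severity = SEVERITY_INFO
    # RFC 3164 TIMESTAMP is "Mmm dd hh:mm:ss" with the day space padded.
    stamp = "%s %2d %s" % (mon, int(day), hms)
    return "<%d>%s %s %s: %s" % (pri(facility, severity), stamp, host, program, line)


# Constructed sample lines modelled on the truncated ones quoted in the thread.
ERROR_LINE = ("[Fri Apr 23 13:55:25 2010] [error] [client 10.3.154.20] "
              "File does not exist: /var/www/favicon.ico")
ACCESS_LINE = ('10.3.154.20 - - [23/Apr/2010:13:55:25 +0200] '
               '"GET /images/userLogo.png HTTP/1.1" 200 1234')


def main():
    # A real feeder would read the Apache log and write each result to the
    # syslog-ng listener; here we only print what would be sent.
    for line in (ERROR_LINE, ACCESS_LINE, "not an apache line"):
        print(to_rfc3164(line, "webserver"))


if __name__ == "__main__":
    main()
```

Because the framed line now starts with `<PRI>` and a timestamp, the legacy parser on both syslog-ng hosts takes "apache-error"/"apache-access" as the program and keeps the whole Apache line, leading '[' included, in $MSG. Lines the feeder does not recognise are returned as None rather than being sent half-parsed.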




