[syslog-ng] $DAY Macro not RFC Compliant
Michael Starks
syslog-ng-list at michaelstarks.com
Mon May 10 17:03:08 CEST 2010

I have a situation where I am trying to construct an RFC3164-compliant
message from component parts of a non-compliant message.

The non-compliant message expresses the day as dd, and if the day is
before the tenth of the month, it is 0d. I thought it would be better to
use the syslog-ng $DAY macro, but I learned that it also does the same
thing. The RFC, however, requires two-digit days to be expressed as " d"
(space digit) when the day is before 10.

I then thought that perhaps I could just rewrite the day as expressed by
the original message, which is actually my preference, using a rewrite
rule. As a test, I tried this:

    rewrite r_test{
        subst("07", " 7", value("${PARSER.DD}"));
    };

This attempted to change "07" to " 7" in PARSER.DD, which has been
successfully extracted in a former parser.

And of course I attempt to use it in a log statement (some names have been
changed for demonstration purposes):

    log { source(s_source); parser(p_parser); filter(f_filter);
    destination(d_destination); rewrite(r_test);};

So my questions are:

1. Why is the $DAY macro not RFC3164-compliant? Is that a design choice?
   Was it simply never meant to be?
2. Why doesn't the rewrite rule work? I know PARSER.DD has been
   successfully extracted because I can use it in a destination.

Thanks in advance.

-Michael Starks
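
The day-of-month rule discussed above, as an added Python example that is not part of the original post and not syslog-ng code: it rewrites a zero-padded day to the space-padded form and checks the result against the strict "Mmm dd hh:mm:ss" layout of RFC 3164 section 4.1.2. The function names and the sample lines are constructed for illustration.

```python
import re

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Strict RFC 3164 TIMESTAMP: a day below 10 is a space followed by the
# digit, never a leading zero.
STRICT_TS = re.compile(
    r"^(?:%s) (?: [1-9]|[12][0-9]|3[01]) "
    r"(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]$" % "|".join(MONTHS))

# Lenient header match: optional PRI, month, a day written as "07",
# " 7" or "7", the time, then the rest of the message.
LENIENT = re.compile(
    r"^(?P<pri><\d{1,3}>)?(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<rest>.*)$")

# Constructed sample lines (hypothetical host and program names).
SAMPLES = ["<13>May 07 17:03:08 host1 app: zero-padded day",
           "<13>May 10 17:03:08 host1 app: two-digit day"]


def rfc3164_day(day):
    """Return the day as the two-character RFC 3164 field (' 7', '17')."""
    n = int(day)
    if not 1 <= n <= 31:
        raise ValueError("day out of range: %r" % (day,))
    return "%2d" % n


def is_strict_timestamp(ts):
    """True only if ts is exactly 'Mmm dd hh:mm:ss' with a space-padded day."""
    return STRICT_TS.match(ts) is not None


def normalize(line):
    """Return the line with a compliant timestamp, or None if it cannot be fixed."""
    m = LENIENT.match(line)
    if m is None:
        return None
    try:
        day = rfc3164_day(m.group("day"))
    except ValueError:
        return None
    ts = "%s %s %s" % (m.group("mon"), day, m.group("time"))
    if not is_strict_timestamp(ts):   # rejects unknown months, bad times
        return None
    return "%s%s %s" % (m.group("pri") or "", ts, m.group("rest"))
```

Returning None for anything that cannot be made compliant lets the caller route such messages to a separate destination instead of forwarding a malformed header.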