[syslog-ng] $DAY Macro not RFC Compliant
Michael Starks
syslog-ng-list at michaelstarks.com
Mon May 10 21:46:20 CEST 2010
On Mon, 10 May 2010 17:56:48 +0200, Balazs Scheidler <bazsi at balabit.hu>
wrote:
>> So my questions are:
>>
>> 1. Why is the $DAY macro not RFC3164-compliant? Is that a design
choice?
>> Was it simply never meant to be?
>
> well, I'd say I haven't thought about this implication. The primary use
> for macros was in filenames (e.g. /var/log/messages.$YEAR.$MONTH.$DAY)
> in which case space would be a problem. I never wanted to handcraft
> BSD-like dates before using macros, nor have received such a report.
That makes sense. I do understand how most people would want to use this
in a filename, and how a space would be a problem. My use case doesn't seem
to be the norm.
> Why is that necessary? You want to rewrite the date portion of a syslog
> message?
Yes. My intent is to make the original non RFC-compliant message,
compliant. It has all of the component parts. I could use the syslog-ng
functionality to date-stamp it, but I would prefer to keep the original
date/time.
> Anything in syslog-ng (filter, parser, rewrite, destination, but also
> sources) are "pipes" that get connected during configuration
> initialization.
That's good to know. I did get things working by playing around with the
order of things in the config. I also changed "${PARSER.DD}" to "PARSER.DD"
as I think I had that wrong.
Also, just a quick note to say thanks for the excellent software and the
quick response to my queries.
More information about the syslog-ng
mailing list