[syslog-ng] Problem with program_override in upgrade from 3.0.8 to 3.2.4

Balazs Scheidler bazsi at balabit.hu
Mon Aug 22 09:31:27 CEST 2011 

On Wed, 2011-08-17 at 11:09 +0200, Balazs Scheidler wrote:
> On Mon, 2011-08-08 at 17:04 +0200, Javi Polo wrote:
> > El 08/06/2011 06:56 PM, Balazs Scheidler escribió:
> > >> As you can see, the program_name has dissapeared
> > >> I suspect is a bug, but I'm not sure as there might be some change in
> > >> syslog-ng behaviour that I did miss :?
> > > flags(dont-store-legacy-msghdr)
> > >
> > > I wanted to explain why, but I'm in a hurry, probably in an upcoming
> > > post. (the flag might be called no-store-..., can't remember exactly)
> > 
> > Thanks!
> > I found an explanation there 
> > http://bazsi.blogs.balabit.com/2010/05/small-incompatible-change-for-3-1/
> > 
> > However, it still doesnt work
> > As the flag 'dont-store-legacy-msghdr' is set on the 'source' statement 
> > in the logserver host, it seems it doesnt affect the syslog-ng 
> > generating the log, which stripes the program from the log-line
> > 
> > I tried to put 'dont-store-legacy-msghdr' flag in the originating host, 
> > under 'destination' statement, but syslog-ng complains that the flag is 
> > invalid there ...
> > 
> > I have switched back to syslog-ng 3.0 till I can resolve this issue
> > 
> 
> you need the flag on the host that has program-override(),
> program-override() will not work if store-legacy-msghdr is enabled,
> unless the destination template is customized too.
> 
> If the client syslog-ng has program-override(), then you need the flag
> on that host, on its source statement.
> 

I've pushed this to 3.3, which should be backported to 3.3 one day:

commit c76483fcd6c033fdf9b46d1c18753d466362ea88
Author: Balazs Scheidler <bazsi at balabit.hu>
Date:   Mon Aug 22 09:28:48 2011 +0200

    program-override(): disable the effect of store-legacy-msghdr flag
    
    During 3.1, the flag "store-legacy-msghdr" has become default, which means
    that the $PROGRAM[$PID] portion of the original syslog message was restored
    to the same format it was received as, instead of being reconstructed
    from the parsed values.
    
    However, when specifying program-override(), this behaviour was
    not restored, e.g. even if the value of the $PROGRAM name-value pair
    has changed, the originally stored format was used in files.
    
    This was certainly not very intuitive. This patch changes that, if
    $PROGRAM is set in any way (e.g. program-override(), rewrite rule, parser)
    the effect of store-legacy-msghdr is disabled. That can be restored
    by using an explict $LEGACY_MSGHDR macro in the destination template.
    
    Cc: syslog-ng-stable at balabit.hu
    Signed-off-by: Balazs Scheidler <bazsi at balabit.hu>


-- 
Bazsi

More information about the syslog-ng mailing list