[syslog-ng] Syslog-ng/Rsyslog "message" differences (?)
Champ Clark III [Softwink]
champ at softwink.com
Thu Jan 13 18:54:10 CET 2011
Hello all!
I've got a bit of a strange problem. I've been developing software
(Shameless plug: http://sagan.softwink.com) that does log analysis. This
software is mostly used with Syslog-ng and Rsyslog. We recently started
testing some log normalization, and I'm seeing different results from
syslog-ng's $MSG string and rsyslog %msg%. For example:
template("$MSG\n") template-escape(no)); };
---------------
Syslog-ng:
template("$MSG\n") template-escape(no)); };
Output:
sshd[20657]: Invalid user champtest from 66.177.167.194
---------------
Rsyslog:
$template sagan, "%msg%\n"
Output:
Invalid user champtest from 66.177.167.194
---------------
Whitespacing aside, with syslog-ng I get the program information
within the message field. I should point out that most of the systems
in the network are Syslog-ng and reporting to Rsyslog (which I can
switch out with Syslog-ng for testing).
I guess my questions are:
1. Does this sound like a Syslog-ng/Rsyslog interoperability issue?
2. Or do the two just see the "message" formats differently?
3. Maybe it's just my setup (syslog-ng/rsyslog versions)?
I have a "work around" with Rsyslog, but was wondering if there
where any thoughts on this issue? Thanks
--
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com
GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20110113/8818c301/attachment.pgp
More information about the syslog-ng
mailing list