[syslog-ng] Syslog-ng/Rsyslog "message" differences (?)
Gergely Nagy
algernon at balabit.hu
Thu Jan 13 19:04:29 CET 2011
On Thu, 2011-01-13 at 12:54 -0500, Champ Clark III [Softwink] wrote:
> Hello all!
>
> I've got a bit of a strange problem. I've been developing software
> (Shameless plug: http://sagan.softwink.com) that does log analysis. This
> software is mostly used with Syslog-ng and Rsyslog. We recently started
> testing some log normalization, and I'm seeing different results from
> syslog-ng's $MSG string and rsyslog %msg%. For example:
>
> template("$MSG\n") template-escape(no)); };
>
> ---------------
> Syslog-ng:
> template("$MSG\n") template-escape(no)); };
>
> Output:
> sshd[20657]: Invalid user champtest from 66.177.167.194
>
> ---------------
> Rsyslog:
>
> $template sagan, "%msg%\n"
>
> Output:
> Invalid user champtest from 66.177.167.194
> ---------------

You seem to want only the message part of the log entry. With syslog-ng,
$MSG contains the program too, and if you want the message part only,
you should try $MSGONLY in the template. That should do just what you
want.

By the way, there's excellent documentation about syslog-ng macros,
which explains the difference between $MSG and $MSGONLY at
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/reference_macros.html

--
|8]
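
Added example, not part of the original message and not code from syslog-ng, rsyslog or Sagan: when a log-analysis consumer cannot change the sender's template to $MSGONLY, it can split the `program[pid]: ` tag off a $MSG-style line itself so both daemons yield the same message text. The function names `split_msg` and `message_only` are assumptions, and every sample line except the sshd one from the thread is constructed.

```python
import re

# Tag at the start of a "$MSG"-style line: program, optional [pid], then ": ".
# RFC 3164 limits the TAG to 32 characters; allowing '/', '-', '.', '_' in the
# program name (e.g. "postfix/smtpd") is an assumption about real-world senders.
_TAG = re.compile(
    r'^(?P<program>[A-Za-z0-9_./-]{1,32})(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)


def split_msg(line):
    """Return (program, pid, message) for a line with or without a tag.

    Lines that do not start with a tag (rsyslog %msg% / syslog-ng $MSGONLY
    output) come back as (None, None, line).
    Caveat: an untagged message that itself begins "word: ..." cannot be told
    apart from a tagged one, so fixing the template at the source is safer.
    """
    line = line.rstrip("\r\n")
    m = _TAG.match(line)
    if m is None:
        return (None, None, line)
    pid = int(m.group("pid")) if m.group("pid") else None
    return (m.group("program"), pid, m.group("msg"))


def message_only(line):
    """Message text with any leading program[pid] tag removed."""
    return split_msg(line)[2]


if __name__ == "__main__":
    samples = [
        # From the thread: syslog-ng $MSG output, then rsyslog %msg% output.
        "sshd[20657]: Invalid user champtest from 66.177.167.194",
        "Invalid user champtest from 66.177.167.194",
        # Constructed samples: program without pid, program containing '/'.
        "kernel: eth0: link up",
        "postfix/smtpd[1234]: connect from unknown[192.0.2.10]",
        # Constructed: untagged message starting with an IPv6 address.
        "2001:db8::1 connected",
    ]
    for s in samples:
        print(split_msg(s))
```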