[syslog-ng] MSGHDR and rewriting PROGRAM macro
Balazs Scheidler
bazsi at balabit.hu
Mon Oct 31 10:50:46 CET 2011
On Sun, 2011-10-30 at 16:41 -0600, Patrick H. wrote:
> I've got a box running syslog-ng 3.2.4, and I have a rewrite changing
> the PROGRAM macro. The problem is this doesnt affect the contents of
> the MSGHDR macro. Additionally if you try to do a rewrite on MSGHDR,
> it complains that MSGHDR is read-only.
>
> I'm inclined to say this is a bug, but wanted to get official opinion
> on the issue.
This was fixed in this patch back in August:
commit 320e4d065df521a61ff000e848f1e6a7a787c616
Author: Balazs Scheidler <bazsi at balabit.hu>
Date: Mon Aug 22 09:28:48 2011 +0200
program-override(): disable the effect of store-legacy-msghdr flag
During 3.1, the flag "store-legacy-msghdr" has become default, which means
that the $PROGRAM[$PID] portion of the original syslog message was restored
to the same format it was received as, instead of being reconstructed
from the parsed values.
However, when specifying program-override(), this behaviour was
not restored, e.g. even if the value of the $PROGRAM name-value pair
has changed, the originally stored format was used in files.
This was certainly not very intuitive. This patch changes that, if
$PROGRAM is set in any way (e.g. program-override(), rewrite rule, parser)
the effect of store-legacy-msghdr is disabled. That can be restored
by using an explict $LEGACY_MSGHDR macro in the destination template.
Cc: syslog-ng-stable at balabit.hu
Signed-off-by: Balazs Scheidler <bazsi at balabit.hu>
This patch is to be released in 3.2.5
--
Bazsi
More information about the syslog-ng
mailing list