[syslog-ng] syslog 3.9 modifying ${MSG}?

Sandor Geller sandor.geller at ericsson.com
Wed Apr 26 07:45:00 UTC 2017 

Hi,

The app producing these logs violates all syslog standards (there are so 
many apps written by people ignoring standards...). In my opinion 
syslog-ng is correct in assuming that the first doublecolon ends the 
syslog header and the string containing the doublecolon is the program 
name. I  don't know how could the older version mis-parse the message to 
pick up a not even existing string from the message as the program name.

Handling of $MSG AKA $MESSAGE changed with syslog-ng 3.0 and with recent 
configs (versioned ones having at least 3.0 in the version number) it no 
longer contains the syslog header. Were you using an old (unversioned) 
configfile and relied on 2.x behaviour maybe? syslog-ng outputs warnings 
about such behaviour changes when it starts.

The documentation also contains this information so it is a good read.

Regards,

Sandor

On 04/25/2017 09:23 PM, Nik Ambrosch wrote:
> After moving from syslog-ng 3.5 to 3.9 i noticed that the contents of $PROGRAM and $MSG are being logged differently than before.  Here is how they used to be logged:
>
> # program: 53
> # message: Apr 19 09:35:35.713 GMT: %ILPOWER-5-POWER_GRANTED: Interface xxx: Power granted                                 |
>
> That is the full message (as seen on the device) which is optimal behavior.  Below is the behavior i’m seeing with syslog-ng 3.9 with similar configuration:
>
> # program: GMT
> # message: %ILPOWER-5-POWER_GRANTED: Interface xxx: Power granted
>
> The value of program and message are altered but everything else is the same.  I’ve been investigating the date parser and the flags(no-parse) options but haven’t had any luck getting a properly formatted message yet.
>
> If anyone has any ideas on how to get the old behavior back it would be greatly appreciated.
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>

More information about the syslog-ng mailing list