[syslog-ng] Message Macros

Peter Kokai (pkokai) Peter.Kokai at oneidentity.com
Wed Aug 26 16:14:53 UTC 2020


Hello,

The ${MESSAGE} macro is not supposed to hold dates. If that macro holds a date, that is like a parsing issue, or you are simply using the flags(no-parse) flag in that source.

Would you mind sharing a configuration and input that produce a double date in your case?
Also, if you have the possibility to turn on debug logs (probably not in production), the -Fedvt option can be helpful, as it is going to print exactly what value the MESSAGE macro is assigned.

Example of such log:
```
[2020-08-26T18:13:38.652356] Setting value; name='MESSAGE', value='-- Generated message. --', msg='0x616000008780'
```

--
Kokan

On Wed, Aug 26, 2020 at 02:52:46PM +0000, Faine, Mark R. (MSFC-IS40)[NICS] wrote:
> Is it possible to break up the $MESSAGE macro into smaller macros that constitute the entire message?  The reason I ask is that we tried this format in our destination:
> 
> template("${S_ISODATE} ${MESSAGE}\n")
> 
> However, we get two dates now, since I'm assuming one is part of the $MESSAGE macro, and we also lost the $HOST in our messages.
> 
> We just want the output to be exactly like it would be without specifying a template but with an ISO date, followed by the hostname/ip, and the rest of the message excluding the date.
> 
> Thanks,
> -Mark
> 
> 



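The difference between a parsed source and a flags(no-parse) source, as an added configuration example that is not part of the original thread or the poster's setup. The source and destination names, ports, file paths and the `@version` value are assumptions; the macros and the flags(no-parse) option are standard syslog-ng.

```conf
@version: 3.28   # assumption: set this to the installed syslog-ng version

# Parsed source: syslog-ng splits the syslog header into macros, so
# ${MESSAGE} holds only the text after the "program[pid]: " header.
source s_parsed {
    network(transport("udp") port(514));
};

# Unparsed source: with flags(no-parse) the whole received line, including
# the sender's own timestamp and hostname, is stored in ${MESSAGE}.
source s_raw {
    network(transport("udp") port(5514) flags(no-parse));
};

# ISO timestamp from the message, then host, then program header and text.
# ${HOST} and ${MSGHDR} must be listed explicitly: a template replaces the
# whole output line, it does not prepend to it.
destination d_iso {
    file("/var/log/remote-iso.log"
         template("${S_ISODATE} ${HOST} ${MSGHDR}${MESSAGE}\n"));
};

# Same idea on the unparsed source: the output line carries two dates,
# the receive time from ${R_ISODATE} and the sender's timestamp that is
# still inside ${MESSAGE}.
destination d_raw {
    file("/var/log/remote-raw.log"
         template("${R_ISODATE} ${HOST} ${MESSAGE}\n"));
};

log { source(s_parsed); destination(d_iso); };
log { source(s_raw);    destination(d_raw); };
```

Running syslog-ng in the foreground with the -Fedvt option mentioned above prints the `Setting value; name='MESSAGE'` line for each message, which shows which of the two cases a given source falls into.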