[prev in list] [next in list] [prev in thread] [next in thread] 

List:       syslog-ng
Subject:    Re: [syslog-ng] Forwarded messages modified by syslog-ng
From:       Balazs Scheidler <bazsi () balabit ! hu>
Date:       2009-07-08 8:02:15
Message-ID: 1247040135.2328.24.camel () bzorp ! balabit
[Download RAW message or body]

On Tue, 2009-07-07 at 11:40 -0400, srainville@videotron.ca wrote:
> I'm using syslog-ng 3.0.3 to collect and forward some messages to
> another syslog-ng 3.0.3 server. The messages are in the following
> format and are received via UDP:
>  
> Jul  7 11:26:53 SERVERNAME [aaa][info] xmlfirewall(Testservices):
> trans(534491553)[request]: Policy(Testpolicy): Message allowed
> 
> I use the following destination configuration:
>      destination testserver         { udp("testserver" port(514)); };
>  
>  
> The messages arrive in this format:
> Jul  7 11:26:53 SERVERNAME [info] xmlfirewall(Testservices):
> trans(534491553)[request]: Policy(Testpolicy): Message allowed
> 
>  
> It removed the [aaa] from the original message. I tried adding a
> template to the destination that used $MSG, but it didn't change the
> output. Is there a way to tell syslog-ng to not modify the original
> message? I don't recall having this issue with version 2.0.x.
>  

syslog-ng 3.0 parses and rebuilds the program header information by
default (in order to properly support the new IETF syslog protocols).
The format it understands is

date host program[pid]:

it has some heuristics, but your [aaa][info] does not match the
program[pid] format that syslog-ng expects.

You could use the "store-legacy-msghdr" flag in which case you can get
the original contents of the message at the price of some performance,
and I also planned to tune the parsing heuristics a bit further, but
that's always risky business: changing the heuristics to an ambigous
message format that has a lot of violating implementations, is well,
risky at the very least.

For now, please try the store-legacy-msghdr flag and see if that solves
your problem.

-- 
Bazsi

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic