Re: [logs] forms and formats of syslog??

From: Nate Campi (nateat_private)
Date: Wed Jan 09 2002 - 19:32:36 PST


    On Wed, Jan 09, 2002 at 09:57:09AM -0500, Marcus J. Ranum wrote:
    > I'm working on a sort of syslog parser thingie that will be released in
    > a couple months. It's rule-driven and can pretty much consume anything
    > you throw at it (so far, anyhow...)  - and of course I'm bumping up against
    > the numerous incompatibilities of various syslog message formats.
    > Does anyone have any notes on the various syslog header layouts
    > that are out there in the wild? I'm mostly interested in the various
    > 
    > dd/mm/yy host: program[pid]
    > dd/mm host: program:
    > 
    > type stuff. Less interested in the message contents - that's another
    > problem for another day. :)
    
    Just last week I wrote a perl daemon that collects syslog messages, 
    rewrites them, and forwards over TCP/stunnel to a central log server.
    
    The rewriting is mostly in accordance with RFC 3164 - though I take the
    liberty of adding the facility/severity info just after the tag field.
    It kills me that this info is lost forever on most systems once it's
    written to disk. I like how Solaris 8 keeps that info; I modeled it
    after its behavior.
    
    Anyways, I'll share what I found from my hosts:
    
    Linux syslogd and sysklogd send the message in a format like this:
    
    <30>named[18526]: bad referral (27.61.24.in-addr.arpa !<
     90.27.61.24.in-addr.arpa) from [24.128.1.80].53
    
    There is no HEADER info at all, just 
    
    <PRI>TAG: CONTENT
    
    I also get these from Linux hosts: 
    
    <6>-- MARK --
    
    Digital UNIX and Solaris 6-8 syslogd send a raw message like this: 
    
    <28>Jan 10 03:02:25 named[29356]: [ID 295310 daemon.warning] owner name
    "gc._msdcs.wiredigital.com" IN (secondary) is invalid - proceeding anyway
    
    So the pattern is like this:
    
    <PRI>MONTH DAY HH:MM:SS TAG: CONTENT
    
    No hostname in the HEADER, but otherwise totally intact (the above is
    Solaris 8 with the fac/sev info included, and the msg id).
    
    Syslog-ng on Linux and Solaris sends a completely valid message over 
    the network to another host, no rewriting is necessary (unless you need
    to make it fully qualified, that is).
    
    These are the only boxes I have sending logs into my proxies, so I can't
    comment on other patterns. Hope this helps.
    
    > Off-topic: whatEVER were they thinking when they didn't include the
    > _year_ in syslog messages? Eesh...
    
    I archive logs in a filesystem by year, but my database archive has no 
    such organization. I'm thinking about adding the year in the "CONTENTS" 
    part, maybe at the end of the message as they pass through my proxy.
    -- 
    Nate Campi | Terra Lycos DNS | WiReD UNIX Operations
    
    "Victory goes to the player who makes the next-to-last mistake." 
     - Chessmaster Savielly Grigorievitch Tartakower (1887-1956) 
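
    The three header layouts listed in the post (Linux <PRI>TAG: CONTENT, the Solaris / Digital UNIX <PRI>TIMESTAMP TAG: CONTENT, and a full RFC 3164 line), parsed and re-emitted the way the proxy described above does it. This is an added example, not Nate's perl daemon; the hostname heuristic and the "[facility.severity]" placement after the TAG are assumptions modeled on the post, and the RFC 3164-style sample with a hostname is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional
# RFC 3164 facility (0-23) and severity (0-7) codes; PRI = facility * 8 + severity.
FACILITY_NAMES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
                  "ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITY_NAMES = "emerg alert crit err warning notice info debug".split()
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# "Mmm dd hh:mm:ss" with a space-padded day, e.g. "Jan 10 03:02:25" or "Jan  9 ..."
TIMESTAMP_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$", re.DOTALL)
# TAG, optional [pid], then ':' (RFC 3164 allows alphanumerics; '-', '_', '.', '/' occur in practice)
TAG_RE = re.compile(r"^([A-Za-z0-9_./-]{1,32})(?:\[(\d+)\])?:\s?(.*)$", re.DOTALL)

@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: Optional[str]  # None for the Linux <PRI>TAG: CONTENT layout
    hostname: Optional[str]   # None when the sender omitted it (Linux, Solaris, Digital UNIX)
    tag: Optional[str]        # None for tag-less lines such as "-- MARK --"
    pid: Optional[int]
    content: str

def parse_syslog(raw: str) -> SyslogMessage:
    """Parse the header layouts from the post, from <PRI>TAG: CONTENT up to full RFC 3164."""
    m = PRI_RE.match(raw)
    if not m or int(m.group(1)) > 191:
        raise ValueError(f"missing or out-of-range <PRI>: {raw[:16]!r}")
    pri, rest = int(m.group(1)), m.group(2)
    timestamp = hostname = tag = pid = None
    ts = TIMESTAMP_RE.match(rest)
    if ts:
        timestamp, rest = ts.group(1), ts.group(2)
        # Heuristic (assumption): a first token holding ':' or '[' is already the TAG, not a hostname.
        first, _, tail = rest.partition(" ")
        if tail and ":" not in first and "[" not in first:
            hostname, rest = first, tail
    tg = TAG_RE.match(rest)
    if tg:
        tag, rest = tg.group(1), tg.group(3)
        pid = int(tg.group(2)) if tg.group(2) else None
    return SyslogMessage(FACILITY_NAMES[pri // 8], SEVERITY_NAMES[pri % 8],
                         timestamp, hostname, tag, pid, rest)

def to_rfc3164(msg: SyslogMessage, relay_timestamp: str, relay_host: str) -> str:
    """Re-emit as full RFC 3164, relay filling a missing TIMESTAMP/HOSTNAME, facility.severity after the TAG."""
    pri = FACILITY_NAMES.index(msg.facility) * 8 + SEVERITY_NAMES.index(msg.severity)
    header = f"<{pri}>{msg.timestamp or relay_timestamp} {msg.hostname or relay_host}"
    tag = f"{msg.tag}[{msg.pid}]: " if msg.pid else (f"{msg.tag}: " if msg.tag else "")
    return f"{header} {tag}[{msg.facility}.{msg.severity}] {msg.content}"
```

    Note that the Solaris "[ID 295310 daemon.warning]" text stays in CONTENT untouched; the facility/severity this code adds is decoded from the PRI field itself.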
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 20:55:25 PST