> What about sites like ours that use a different syslog output format?
Yes, this is exactly at the core of the issues. As of my current
understanding, we have three factors describing the log format: the
software emitting the logs, the version of this software AND the
configuration of it. This results in a very large set of potential log
formats.
> We're running regionalized syslog servers in several
> different countries,
> so use syslog-ng with a different template to produce syslog output.
> i.e. ours looks like (one long line):
>
> 2004-03-13T19:20:07+0000 server.name mail info qmail-scanner[663]:
> Clear:RC:0(1.2.3.4):SA:1(9.8/5.0): 1.389811 3268 BOSHOUNVLP@private
> sdsdsddds@private high_quality_rolex_watches_discount_prices
> <YQIPGIVOFXZHDYSGTYCTSGJCB@private>
> 1079205606.675-0.server.name:2235
> orig-server.name1079205606470663:3268
> That's 'template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n")' in
> syslog-ng speak...
Yes, that template thing looks very good to me. I do not fully know how
syslog-ng does it, but it can probably be stretched even further than
done in that implementation.
Rainer
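
The template idea discussed in this message, as an added example that is not code from either poster or from syslog-ng: a parser whose regex is derived from the template string, so a change in configuration changes the parser along with the output. The macro names, template and sample record come from the quoted text; the per-macro regexes, the function names and the BSD-style line are assumptions made for this example.

```python
import re

# Macro names are the ones in the quoted template; the regex for each macro's
# value is an assumption made for this example.
MACRO_PATTERNS = {
    "R_ISODATE": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:?\d{2}",
    "HOST": r"\S+",
    "FACILITY": r"[a-z0-9]+",
    "PRIORITY": r"[a-z]+",
    "MSG": r".*",
}
TEMPLATE = r"$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n"  # from the post
# The sample record from the post, joined back into one line.
SAMPLE = (
    "2004-03-13T19:20:07+0000 server.name mail info qmail-scanner[663]: "
    "Clear:RC:0(1.2.3.4):SA:1(9.8/5.0): 1.389811 3268 BOSHOUNVLP@private "
    "sdsdsddds@private high_quality_rolex_watches_discount_prices "
    "<YQIPGIVOFXZHDYSGTYCTSGJCB@private> 1079205606.675-0.server.name:2235 "
    "orig-server.name1079205606470663:3268"
)
BSD_STYLE = "Mar 13 19:20:07 server.name qmail-scanner[663]: Clear"  # constructed

def compile_template(template):
    """Build an anchored regex with one named group per template macro."""
    template = template.replace("\\n", "").rstrip("\n")  # drop record terminator
    parts, pos = [], 0
    for m in re.finditer(r"\$(\w+)", template):
        name = m.group(1)
        if name not in MACRO_PATTERNS:
            raise ValueError("no pattern known for macro $" + name)
        parts.append(re.escape(template[pos:m.start()]))  # literal separators
        parts.append("(?P<%s>%s)" % (name, MACRO_PATTERNS[name]))
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)

def parse(line, regex):
    """Return the record's fields, or None if the line is in another format."""
    m = regex.match(line.rstrip("\n"))
    if m is None:
        return None
    fields = m.groupdict()
    # In the sample, $MSG still carries the "program[pid]: " tag; split it off.
    tag = re.match(r"([^\[\s:]+)(?:\[(\d+)\])?: ?(.*)", fields.get("MSG", ""), re.DOTALL)
    if tag:
        fields["program"], fields["pid"], fields["text"] = tag.groups()
    return fields
```

Calling `parse(SAMPLE, compile_template(TEMPLATE))` returns the named fields, while the BSD-style line returns `None`, which is the signal an analysis pipeline needs to count and report records it could not interpret instead of silently dropping them.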
This archive was generated by hypermail 2b30 : Mon Mar 15 2004 - 10:01:56 PST