[email protected] <[email protected]> [13:07:11 21:27] wrote:
> On Wed, 13 Jul 2011, Andreas Grosse wrote:
>> Unfortunately, in both cases the result is the same. It looks to me like
>> the imuxsock plugin fails to correctly handle the incoming message
>> format; date stamps are duplicated, and the fields which are supposed to
>> contain application name and pid only contain dashes.
>
> do you have an example of the output that's the problem?
Hi David,
thanks for the response.
Actually, the first two log lines I wrote are an example for this, but
probably a bad example because exim has it's own timestamps in the message
part of the log line which adds to confusion:
"<22>1 2011-07-12T17:12:00+02:00 agrdevel2 agrdevel2 - - -
exim-out[27081]: 2011-07-12 17:12:00 Start queue run: pid=27081\n"
"<22>1 2011-07-12T17:12:00+02:00 agrdevel2 agrdevel2 - - -
exim-out[27081]: 2011-07-12 17:12:00 End queue run: pid=27081\n"
The problem is that the dashes are the places where the program name and
pid should be, but imuxsock fails to correctly parse the input data,
prepends it's own date/hostname header and puts everything in the
message part.
As Rainer explained, imuxsock only supports the syslog() API format.
This put me in the right direction yesterday, and as I found out it is
possible to tell syslog-ng to log in simple format by just using
template("<$PRI> $MSGHDR$MSG") as an option in the syslog-ng.conf for the
socket output. This seems to work well so far.
> personally, I would use networking over localhost for multiple syslog
> daemons on the same box to talk to each other.
I was just trying to avoid the network overhead by using a socket. Is
there a reason why you would prefer networking for this?
Best regards,
Andreas
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
