From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1N5lbQ-0007cb-OW for garchives@archives.gentoo.org; Wed, 04 Nov 2009 19:33:10 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id C17C4E09FC; Wed, 4 Nov 2009 19:33:07 +0000 (UTC) Received: from lists.balabit.hu (support.balabit.hu [195.70.41.86]) by pigeon.gentoo.org (Postfix) with ESMTP id 77958E09FC for ; Wed, 4 Nov 2009 19:33:07 +0000 (UTC) Received: from balabit.hu (unknown [10.80.0.254]) by lists.balabit.hu (Postfix) with ESMTP id 0CB6E11E1AF for ; Wed, 4 Nov 2009 20:33:06 +0100 (CET) Message-ID: <20091104203300.mtynbvjaioggskww@webmail.balabit> Date: Wed, 04 Nov 2009 20:33:00 +0100 From: frobert@balabit.hu To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Re: syslog-ng: v2->v3 config issue... References: <4AF15022.10701@balabit.hu> <4AF1B9E4.8060003@gmail.com> In-Reply-To: <4AF1B9E4.8060003@gmail.com> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed" Content-Disposition: inline Content-Transfer-Encoding: quoted-printable X-Archives-Salt: bda09b73-e698-4a8a-a003-770fb4d65a42 X-Archives-Hash: 1dc7ca1cb5641179cf78024356a601d2 Hi Jarry, thanks for the detailed info. I have discussed the issue with my =20 colleagues, and it seems that the error is on our side: there was a =20 performance-related change in the program-override option in 3.0.4, =20 which broke the function. So you can either downgrade to an older version (3.0.3 should work), =20 or if you want to stick to 3.0.4, you can try to add a rewrite rule to =20 set the PROGRAM field to teamspeak (which may or may not work in this =20 case, since the program field seems to be empty in the message - =20 sorry, I haven't had the time to test it). Alternatively, you can create a template for this destination and =20 rebuild the message from macros and add a default value for program =20 ($ISODATE $HOST ${PROGRAM:-teamspeak2} $MESSAGE) I hope one of these will work for you. Regards, Robert Quoting Jarry : > Fekete Robert wrote: >> You are right, the program-override option is missing from the >> documentation of the file source, but it should work anyway. >> We did a quick test and it was working on our Ubuntu machines (tested >> with syslog-ng 3.02a), both on kernel messages and also on custom >> files containing log messages. > > Well, I'm not sure where is the problem. I'm using syslog-ng-3.0.4 > (the last stable version in portage). This is relevant part of my > "new" /etc/syslog-ng.conf: > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > options { chain_hostnames(no); > stats_freq(3600); > ts_format(iso); > flush_lines(1); > log_fifo_size(250); }; > > source s_teamspeak { file("/var/log/teamspeak2-server/server.log" > flags(store-legacy-msghdr) > program_override("teamspeak: ") > log_fetch_limit(100) > flags(no-parse)); }; > > destination d_teamspeak { file("/var/log/ts2.log"); }; > log { source(s_teamspeak); destination(d_teamspeak); }; > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D > > One line in source (/var/log/teamspeak-server/server.log): > 04-11-09 16:52:54,ALL,Info... (etc) > > Corresponding line in /var/log/ts2.log (that program_override() > is simply missing): > 2009-11-04T16:52:54+00:00 talk 04-11-09 16:52:54,ALL,Info... > > For comparison, the same part of my syslog-ng v2.x config: > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D > options { chain_hostnames(off); > sync(0); > stats(43200); > ts_format(iso); }; > > source s_teamspeak2 { file("/var/log/teamspeak2-server/server.log" > log_prefix("teamspeak2: ") > follow_freq(1) > flags(no-parse)); }; > > destination d_teamspeak { file("/var/log/ts2.log"); }; > log { source(s_teamspeak); destination(d_teamspeak); }; > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > > And this is what I got in ts2.log with syslog-ng v2.x: > > 2009-09-25T18:17:41+00:00 talk teamspeak2: 28-07-09 18:49:39,ALL,Info... > > You see the difference? > syslog-ng 2.x: "iso-time hostname *log_prefix* message" > syslog-ng 3.x: "iso-time hostname message" > Where is program_override? > > v2/v3 config-files are now not absolutely the same but even when > I made them identical (removed fifo_size, fetch_limit, flags, etc) > I still had this problem. And I observed this strange behavior > not only with this particular file() source, but with all file() > sources. So what could be the reason? > > Jarry > > --=20 > _______________________________________________________________ > This mailbox accepts e-mails only from selected mailing-lists! > Everything else is considered to be spam and therefore deleted. ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.