I cannot understand what I'm missing in this syslog-ng filter. First of all, this is the log message:

<22>Nov 3 09:57:44 logon avaya: 2015/11/03 09:57:44,00:00:01,1,0,103456456156,I,#AA:Poa,1231231123231,,0,1017121,0,T9002,Line 2.1,V9542,VM Channel 42,0,0,,,,,,,,,,,,,

and this is the filter on syslog-ng configuration:

filter f_avaya{
        program("avaya");
};

Running syslog-ng in debug mode I saw that the message does not match the filter. Why?

Tobia
  • Hi, probably the message header is not parsed properly for some reason. – Robert Fekete Nov 03 '15 at 09:28
  • For sure, but it seems to me a valid format... – Tobia Nov 03 '15 at 09:34
  • If you have a recent syslog-ng version, you can try to output the message in JSON to see every macro, or just create a template with the macros of the message header to see what goes wrong. Or is it possible that the source has the flags(no-parse) set? – Robert Fekete Nov 03 '15 at 09:37
  • I want to use the raw message without parsing. I also tried to remove the space of the very first field (the date) of the message, but the problem still happens. – Tobia Nov 03 '15 at 10:19

2 Answers

The sad answer is: the date format of the day, with a filling 0 when the day is less than 10.

<22>Nov 3 09:57:44...

should be:

<22>Nov 03 09:57:44...
Tobia
  • Well, you can submit an issue about this at https://github.com/balabit/syslog-ng/issues Alternatively, in syslog-ng OSE 3.7, you can write custom parsers in Python, but it is not really documented yet (I hope to do it in a week or two). Until then, this blogpost can give you some pointers: https://guest.blogs.balabit.com/2015/09/processing-log-messages-with-python-in-syslog-ng/ – Robert Fekete Nov 03 '15 at 10:40
  • Fortunately I can change it from the log source, and I don't know if it is really an issue of syslog-ng, maybe the date format should be filled with 0 in the day date part... I don't know. – Tobia Nov 03 '15 at 10:42
  • The RFC specifies the date format so that a space is required in front of days if they are less than 10. This is to ensure the timestamp has the same length regardless whether we are in the first 10 days of the month or not. This is not a bug in syslog-ng per se, confusing still. – bazsi77 Dec 16 '21 at 19:59
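The question and this answer come down to how the BSD-syslog (RFC 3164) header is parsed before a program() filter is ever evaluated. The following Python script is an added example, not syslog-ng's own parser or anything posted by the participants: it parses the header field by field, reports the first field that fails, and models filter f_avaya { program("avaya"); } as "header must parse, then program must equal the name". The day pattern accepts both the space-padded day that RFC 3164 prescribes ("Nov  3") and the zero-padded day from the answer ("Nov 03"), and rejects the single-space "Nov 3" from the question. The sample lines are constructed from the message on this page; the PID is treated as optional, as in the RFC 3164 TAG syntax.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Field order of an RFC 3164 (BSD syslog) line: <PRI>TIMESTAMP HOSTNAME TAG: MSG
# RFC 3164 section 4.1.2 writes a day below 10 as a space then the digit ("Nov  3");
# the answer above shows syslog-ng also taking a zero-padded day ("Nov 03"), so the
# day pattern allows both. A single-space "Nov 3" matches neither form.
_PRI_RE = re.compile(r"^<(\d{1,3})>")
_TS_RE = re.compile(
    r"^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"([ 0-3]\d) ([0-2]\d:[0-5]\d:[0-5]\d) "
)
# TAG is the program name with an optional "[pid]"; the PID is optional in RFC 3164.
_TAG_RE = re.compile(r"^([A-Za-z0-9_.\-]{1,32})(?:\[(\d+)\])?:\s?")


class HeaderError(ValueError):
    """Names the first header field that failed to parse, for debugging filter misses."""


@dataclass
class SyslogHeader:
    facility: int
    severity: int
    timestamp: str
    host: str
    program: str
    pid: Optional[int]
    msg: str


def parse_rfc3164(line: str) -> SyslogHeader:
    """Parse a BSD-syslog line strictly; raise HeaderError with the reason on failure."""
    m = _PRI_RE.match(line)
    if not m:
        raise HeaderError("missing or malformed <PRI>")
    pri = int(m.group(1))
    if pri > 191:
        raise HeaderError(f"PRI {pri} out of range 0-191")
    rest = line[m.end():]

    m = _TS_RE.match(rest)
    if not m:
        raise HeaderError(
            "timestamp is not 'Mmm dd HH:MM:SS' with a two-character day "
            f"(space- or zero-padded): {rest[:16]!r}"
        )
    timestamp = f"{m.group(1)} {m.group(2)} {m.group(3)}"
    rest = rest[m.end():]

    host, sep, rest = rest.partition(" ")
    if not sep or not host:
        raise HeaderError("hostname missing after timestamp")

    m = _TAG_RE.match(rest)
    if not m:
        raise HeaderError(f"TAG (program[pid]:) not found at {rest[:16]!r}")
    program, pid = m.group(1), m.group(2)
    return SyslogHeader(
        facility=pri >> 3,          # PRI = facility * 8 + severity
        severity=pri & 7,
        timestamp=timestamp,
        host=host,
        program=program,
        pid=int(pid) if pid is not None else None,
        msg=rest[m.end():],
    )


def program_filter_matches(line: str, program: str) -> bool:
    """Model filter f_x { program("..."); }: a line whose header does not parse never matches."""
    try:
        return parse_rfc3164(line).program == program
    except HeaderError:
        return False


def diagnose(line: str) -> str:
    """One-line verdict for checking a sample line against a filter before deploying it."""
    try:
        h = parse_rfc3164(line)
        return f"OK program={h.program} pid={h.pid} host={h.host} ts={h.timestamp!r}"
    except HeaderError as e:
        return f"NO MATCH: {e}"


# Constructed samples: the line from the question plus the padded forms discussed above.
BODY = ("2015/11/03 09:57:44,00:00:01,1,0,103456456156,I,#AA:Poa,1231231123231,,0,"
        "1017121,0,T9002,Line 2.1,V9542,VM Channel 42,0,0,,,,,,,,,,,,,")
SAMPLES = {
    "single space (question)": f"<22>Nov 3 09:57:44 logon avaya: {BODY}",
    "zero-padded (answer)": f"<22>Nov 03 09:57:44 logon avaya: {BODY}",
    "space-padded (RFC 3164)": f"<22>Nov  3 09:57:44 logon avaya: {BODY}",
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        hit = program_filter_matches(line, "avaya")
        print(f'{label:26} program("avaya") -> {hit}; {diagnose(line)}')
```

Running the script prints a NO MATCH verdict naming the timestamp for the question's line and OK for both padded forms, which is the same information the debug run gave, but with the failing field spelled out. The same staged approach is what makes a JSON dump of the header macros (as suggested in the comments) useful: a filter on $PROGRAM can only match once the timestamp, host and tag have all been recognised.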
Your message is invalid because the process ID is missing from the header:

<22>Nov 3 09:57:44 logon avaya: 

It should look like this if you don't have an ID:

<22>Nov 3 09:57:44 logon avaya[0]: 
Tav