Question about log differences

Wytze van der Raay wytze at logreport.org
Fri Jul 14 12:16:08 CEST 2006



On 12.07.2006 22:40, Joost van Baal wrote:
> [Reply-To set to public LogReport Questions List
> <questions at logreport.org>: more people who might be able to help are
> there.]
> 
> On Wed 12 Jul 2006 at 02:17:29 -0600, Russel N Miller wrote:
> 
>>To whom it may concern,
>>
>>We have been using the Lire product for some time and everything has been
>>working great until a new version of syslogd was put on one of our AIX
>>servers. So now we get no reports with the new log entry shown below. What
>>do you recommend we do with our Lire application to make both of these
>>types of logs work and give us a report for both types of maillog output?
>>
>>PLEASE NOTE THE "mail:info". This is the difference that causes the report
>>not to be created.
>>
>>1:24 PM) - Jul 11 00:01:02 xxxxxx mail:info sendmail[107380]: 
>>k6B40uRe121358: to=<xxxx at xxxxxx.xxx.xxx.com>, delay=00:00:06, 
>>xdelay=00:00:06, mailer=relay,
>>pri=121157, relay=xxxxxxx.xxx.xxx.com. [1.1.1.1], dsn=2.0.0, stat=Sent 
>>(k6B410ld031994Message accepted for delivery)
>>
>>Here is an example log of one that works.
>>
>>1:26 PM) - Jul 11 00:02:33 xxxxxxxx sendmail[15780]: k6B40Qld015780: 
>>to=<xxxxxxxxx at xxxxxx.xx>, delay=00:00:08, mailer=internet, pri=218669, 
>>stat=queued
> 
> You might want to take a look at Lire::Syslog(3pm), typically installed
> in /usr/share/perl5/Lire/Syslog.pm.
> 
> Don't have time for more help now.

The current version of Lire tries to guess the syslog format automatically,
but it does so by trying to match the logfile on hand against a limited set of
alternatives. Gradually over time, new variants of syslog enter the market
and introduce slightly incompatible line formats. Basically, you
have two options to deal with that:

(a) Use a pre-processing filter before invoking Lire; the filter's job is
    to massage the incompatible format into a Lire-recognized format.
    In this case, something like:
        sed -e 's/ mail:info / /'
    would probably be sufficient.

(b) Add a new entry to the array @syslog_flavours in Lire/Syslog.pm, and
    a corresponding parse routine, which parses the "mail:info" into a
    facility (mail) and level (info), as a variant of parse_bsd_syslog.
    If you do this, please contribute the modified code back to the
    Lire project.

I am somewhat puzzled by the "1:26PM) - " bit shown in your example log
line. This looks like some kind of duplicated time stamp to me, and it
is definitely not recognized or handled by the current Lire software.
So I am wondering whether you perhaps already have some kind of
pre-processing filter in place to take care of those extraneous fields.
In that case it should be very easy to modify that filter to incorporate
the additional filtering suggested above under (a).

Regards,
-- wytze
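The two options above in runnable form, as an added example that is not from this thread and is not Lire's own Perl parse_bsd_syslog: one regex that accepts both the classic BSD line and the AIX "facility:level" variant (the idea behind option (b)), plus a normalizer that does what the sed filter in option (a) does. Host names, addresses and queue ids in the samples are constructed placeholders.

```python
import re
from typing import Optional

# Classic BSD syslog line:  "Jul 11 00:02:33 host program[pid]: message"
# AIX syslogd variant:      "Jul 11 00:01:02 host mail:info program[pid]: message"
# The "facility:level" token between host and program is what defeats Lire's
# flavour autodetection; here it is optional, so one pattern covers both.
SYSLOG_RE = re.compile(
    r'^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) '
    r'(?:(?P<facility>[a-z0-9]+):(?P<level>[a-z]+) )?'   # present only on AIX
    r'(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?P<message>.*)$'
)


def parse_syslog_line(line: str) -> Optional[dict]:
    """Option (b) logic: parse a BSD or AIX-style line into fields, or None.
    'facility' and 'level' are None when the line has no facility:level token."""
    m = SYSLOG_RE.match(line.rstrip('\n'))
    if m is None:
        return None
    fields = m.groupdict()
    fields['pid'] = int(fields['pid']) if fields['pid'] is not None else None
    return fields


def normalize_for_lire(line: str) -> str:
    """Option (a) logic: rewrite an AIX-style line into the BSD form Lire
    already recognizes. Lines without the token are returned unchanged."""
    f = parse_syslog_line(line)
    if f is None or f['facility'] is None:
        return line.rstrip('\n')
    pid = f'[{f["pid"]}]' if f['pid'] is not None else ''
    # Day is right-aligned to width 2, as syslog writes "Jul  1".
    return f"{f['month']} {f['day']:>2} {f['time']} {f['host']} {f['program']}{pid}: {f['message']}"


if __name__ == '__main__':
    # Constructed sample lines modelled on the two formats in the thread.
    samples = [
        'Jul 11 00:01:02 aixhost mail:info sendmail[107380]: k6B40uRe121358: to=<u@example.com>, stat=Sent',
        'Jul 11 00:02:33 bsdhost sendmail[15780]: k6B40Qld015780: to=<u@example.net>, stat=queued',
    ]
    for s in samples:
        print(normalize_for_lire(s))
```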



