On 08/10/2011 12:43 PM, Klaus Ethgen wrote: > The solution of #609780 breaks all log analysing tools.
First, it most certainly does not break "all" log analyzing tools. Most notably, logcheck works fine with this solution. Please provide some specific examples of such tools so that we may better form our opinion. If it really breaks a lot of tools we might revert it. > More over it makes no sense to log the PID twice in the logs. > > In logfiles the PID is expected direct behind the binary and is recorded > by the syslog (The PID is part of syslog protocol). Putting the same PID > in the message do not only add redundancy that is not needed, it breaks > other tools too as log analysing tools or intrusion detection systems. The reason #609780 was re-opened is precisely because it is *not* the same PID twice. The start message "CMD" is logged by the fork()ed child before it exec()s, the end message "END" by the parent. Therefore the syslog PID is always at least off-by-one. One possible solution could be to keep the CMD message as pre-119, and only add the PID fix to END messages, since these are 1) a Debian extension and 2) disabled by default. Regards, Christian
signature.asc
Description: OpenPGP digital signature

