Given the following lines in an instance of /etc/rsyslog.conf:
    $template MyFmt, "%timereported:::date-year%%timereported:::date-month%%timereported:::date-day%_%timereported:::date-hour%%timereported:::date-minute%%timereported:::date-second% %fromhost-ip% %fromhost% %HOSTNAME% %syslogtag%%programname%%msg:::drop-last-lf%\n"
    auth,authpriv.* |/path/to/log;MyFmt
Assume the syslog sender is a compiled C++ program, i.e. something like:
    // main.cpp
    #include <cstddef>
    #include <ctime>
    #include <syslog.h>

    int main( int argc, char* argv[] )
    {
        // First argument is the ident string prepended to each message (see openlog(3)).
        openlog( "LogTest[456]", 0, LOG_AUTH );
        syslog( LOG_AUTH | LOG_INFO, "hello, world %zu", size_t( time( NULL ) ) );
        closelog();
        return 0;
    }
Then why might an entry in /var/log/secure have its %syslogtag% and %programname% values as "(none)"? Does it necessarily mean the program would have called "openlog( "(none)", ... );"?
I tried modifying the above program to pass "" (empty string) and NULL as the first argument to openlog(). In the case of the former, the resulting %syslogtag% value was an empty string, and in the case of the latter, the resulting %syslogtag% value was "a.out", i.e. my executable's name. I can't think of what else might result in a value of "(none)" other than explicitly specifying so to openlog()...?
Edit: To be clear: the above example program does not result in a %syslogtag% value of "(none)" - it results in an expected value of "LogTest[456]". My question is more: what would cause a %syslogtag% value of "(none)", other than explicitly specifying so to openlog()?
(I'm trying to understand observed behavior at work: rsyslogd running on a server receives syslogs from clients and writes them in a templated format to a pipe, as above. Some of the written content has a %syslogtag% value of "(none)" - I'd like to understand potential reasons why.)