Old/New Nomenclature in Syslog Messages
One important note should be made concerning a common nomenclature that is frequently used within syslog messages. When a change is made to an existing setting, the change is often notated by prefixing the original setting with old _ and the new setting with new _ . The example below demonstrates a display name change. Note that this example message is split into two segments because the amount of data exceeds 1KB.
- Oct 12 14:53:24 example_host BG: 1234:01:02:site=access.example.com;…<data truncated>…event=user_changed;old_username=jsmith;old_display_name=John Smith;old_permissions:suppor
- Oct 12 14:53:24 example_host BG: 1234:02:02:t=1;old_permissions:support:canned_scripts=1;…<data truncated>…new_display_name=John D. Smith
This event shows that the display name was changed. The syslog process takes a snapshot of the user’s current settings and prefixes those settings with old _ . It then takes a snapshot of only the changes that are about to take effect and prefixes those settings with new _ . Because, in this example, only the display _ name setting has been changed, only that setting will have both an old _ entry and a new _ entry. However, all of the other unchanged settings will also be listed, prefixed with old _ .