On Tue, 21 Dec 2010, ward.p.fonte...@wellsfargo.com wrote:
Hi,
I have a question about formatting - I'm certain I've simply overlooked
something fairly simple.
I currently use syslog-ng on a linux central syslog server and have linux,
solaris and Windows reporting to it just fine. We are building the replacement
for this aging syslog-ng server and will be using rsyslog. My question is what
can be causing the formatting between the linux and windows clients to be
different. Syslog-ng didn't present these differences.
Here is a log snippet for a linux machine and a Win32 machine:
Win32:
Dec 21 11:48:30 Tue Dec 21 11:47:36 2010: MONITOR1P/Security (520) - "blah blah"
Linux:
Dec 21 11:50:02 oracle1p crond[26200]: (root) CMD (/usr/lib/sa/sa1 1 1)
Why would there be two timestamps on the Win32 machine? The only difference is
the change from syslog-ng to rsyslog.
the reason is that the timestamp that was sent was "Tue Dec 21 11:47:36
2010:", which is not a valid syslog format.
As a result, rsyslog creates its own timestamp.
unfortunately rsyslog can't tell that "Tue" isn't a valid hostname, so it
uses that for the hostname and "Dec" for the syslog tag (program name)
what application is sending this message? is there a way to have it
reformat the message?
there are various things that you can do in rsyslog to clean this up
(create a special parser module, create a custom format), but it's cleaner
to fix this at the source if you can.
a good thing to do in this sort of situation is to create a log where you
log with the format %rawmsg% (or use the RSYSLOG_DEBUG format) to see what
you are actually getting over the wire.
David Lang
Thanks in advance for any help on this matter.
Enterprise Key Management & Public Key Infrastructure | EKM/PKI Engineering Team
1305 W 23rd Street | Tempe, AZ 85282
MAC S4003-018
Tel 480-437-7795 | Cell 480-788-0730
ward.p.fonte...@wellsfargo.com
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
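
An added example, not part of the original thread and not rsyslog's own parser: a simplified Python model of the fallback described in the reply above, run on the two sample lines from the question. The `<PRI>` values, the function names and the output layout are assumptions made for illustration.

```python
import re

# RFC 3164 header timestamp, "Mmm dd hh:mm:ss" (single-digit days are space-padded).
TS_RE = re.compile(
    r"(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d\d:\d\d:\d\d "
)
PRI_RE = re.compile(r"<\d{1,3}>")

# Constructed wire messages: the text is from the thread, the <PRI> values are assumed.
WIN32_RAW = '<13>Tue Dec 21 11:47:36 2010: MONITOR1P/Security (520) - "blah blah"'
LINUX_RAW = "<78>Dec 21 11:50:02 oracle1p crond[26200]: (root) CMD (/usr/lib/sa/sa1 1 1)"


def parse_3164(raw, received_at):
    """Simplified model of a receiver parsing an RFC 3164 header."""
    pri = PRI_RE.match(raw)
    rest = raw[pri.end():] if pri else raw
    ts = TS_RE.match(rest)
    if ts:
        timestamp, rest = ts.group(0).rstrip(), rest[ts.end():]
    else:
        # No valid timestamp: use the arrival time and keep parsing the
        # header from the same position, so the next word becomes the hostname.
        timestamp = received_at
    hostname, _, rest = rest.partition(" ")
    # The tag runs to the first space or colon; a terminating colon stays in the tag.
    tag = re.match(r"[^ :]*:?", rest).group(0)
    return {
        "timestamp": timestamp,
        "hostname": hostname,
        "tag": tag,
        "msg": rest[len(tag):],
        "sender_timestamp_valid": ts is not None,
    }


def render(fields):
    """Assumed output layout: %TIMESTAMP% %HOSTNAME% %syslogtag%%msg%."""
    return "{timestamp} {hostname} {tag}{msg}".format(**fields)


if __name__ == "__main__":
    for raw, arrival in ((WIN32_RAW, "Dec 21 11:48:30"), (LINUX_RAW, "Dec 21 11:50:02")):
        fields = parse_3164(raw, arrival)
        print(render(fields), "| sender timestamp valid:", fields["sender_timestamp_valid"])
```

Records where `sender_timestamp_valid` is false mark a source whose hostname and tag fields cannot be trusted, which matters for any host-based filtering or correlation done on the central server.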