Hi all,

Recently I encountered a weird problem. Let me explain below:

I have a client that uses the traditional syslog (NOT rsyslog) app for storing logs and forwarding them to the loghost. Here are some "snmpd" logs, for example:

##########################################################################################
Jan 19 10:03:09 athos snmpd[1104]: Connection from UDP: [192.168.23.7]:34289
Jan 19 10:03:09 athos snmpd[1104]: Received SNMP packet(s) from UDP: [192.168.23.7]:34289
Jan 19 10:04:10 athos snmpd[1104]: Connection from UDP: [192.168.23.7]:58181
Jan 19 10:04:10 athos snmpd[1104]: Received SNMP packet(s) from UDP: [192.168.23.7]:58181
Jan 19 10:04:10 athos snmpd[1104]: Connection from UDP: [192.168.23.7]:58181
*Jan 19 10:04:10 athos last message repeated 25 times*
##########################################################################################

Please take note of the last line.

I also have a loghost that receives the logs using rsyslog v3.20.2, and I used the following dynamic template to store the logs:

##########################################################################################
$template d_hosts,"/var/rsyslog/HOSTS/%hostname%/%$year%/%$month%/%syslogfacility-text%_%hostname%_%$year%_%$month%_%$day%.log"
##########################################################################################

I also enabled a debug template with the following configuration in rsyslog.conf:

##########################################################################################
$template DEBUG,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%', FACILITY-TEXT: '%syslogfacility-text%'\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%',\nmsg: '%msg%'\nrawmsg: '%rawmsg%'\n\n"
*.* -/var/rsyslog/debug;DEBUG # or whatever file you like
##########################################################################################

I'm monitoring on the server side now, and checking the last line by its raw message:

##########################################################################################
Debug line with all properties:
FROMHOST: 'athos', HOSTNAME: '*last*', PRI: 30,
syslogtag 'message', programname: 'message', APP-NAME: 'message', PROCID: '-', MSGID: '-', FACILITY-TEXT: 'daemon'
TIMESTAMP: 'Jan 19 09:59:09', STRUCTURED-DATA: '-',
msg: ' repeated 25 times'
rawmsg: '<30>last message repeated 25 times'
##########################################################################################

Does anyone have any idea why the HOSTNAME property is 'last'? (The timestamp is not important, because these messages occur often.)

Thanks,
Patrick
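
An added example, not part of the original post and not rsyslog's own code: the rawmsg above carries no timestamp or hostname, so a parser that reads the header fields by position takes the first word as HOSTNAME, and the `d_hosts` template then files the line under a directory named after message text. The function names, regexes and the fallback-to-sender rule below are assumptions made for illustration.

```python
import re

PRI_RE = re.compile(r"^<(\d{1,3})>")
# BSD-syslog timestamp, e.g. "Jan 19 10:04:10 " (day may be space-padded)
TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
TAG_RE = re.compile(r"^[^\s:\[]+(?:\[\d+\])?:?")
REPEAT_RE = re.compile(r"^last message repeated (\d+) times?$")

def split_header(raw):
    """Strip <PRI> and an optional timestamp; return (pri, timestamp, rest)."""
    m = PRI_RE.match(raw)
    pri, rest = (int(m.group(1)), raw[m.end():]) if m else (13, raw)
    ts = TS_RE.match(rest)
    if ts:
        return pri, ts.group(0).rstrip(), rest[ts.end():]
    return pri, None, rest

def positional_parse(raw):
    """Assume HOSTNAME and TAG always follow, even when no timestamp was found."""
    pri, ts, rest = split_header(raw)
    hostname, _, rest = rest.partition(" ")
    m = TAG_RE.match(rest)
    tag = m.group(0) if m else ""
    return {"pri": pri, "timestamp": ts, "hostname": hostname,
            "tag": tag, "msg": rest[len(tag):]}

def header_aware_parse(raw, fromhost):
    """No timestamp means no header: keep the sender (FROMHOST) as hostname."""
    pri, ts, rest = split_header(raw)
    if ts is not None:
        return positional_parse(raw)
    rep = REPEAT_RE.match(rest)
    return {"pri": pri, "timestamp": None, "hostname": fromhost, "tag": None,
            "msg": rest, "repeat_count": int(rep.group(1)) if rep else None}

def host_dir(parsed):
    """Directory part of the d_hosts template from the post (date parts omitted)."""
    return "/var/rsyslog/HOSTS/%s" % parsed["hostname"]

# Constructed inputs: the rawmsg from the debug output, and one normal line
# with a <30> PRI prepended (the PRI of the normal lines is an assumption).
REPEAT_RAW = "<30>last message repeated 25 times"
NORMAL_RAW = "<30>Jan 19 10:04:10 athos snmpd[1104]: Connection from UDP: [192.168.23.7]:58181"

if __name__ == "__main__":
    for raw in (REPEAT_RAW, NORMAL_RAW):
        print(host_dir(positional_parse(raw)), "|",
              host_dir(header_aware_parse(raw, "athos")))
```

Any receiver that builds file paths from `%hostname%` inherits this behaviour for every header-less message, so a check like `header_aware_parse` belongs before the path is constructed.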

