Rainer Gerhards wrote:
> On Mon, 2009-01-19 at 22:21 +0800, Patrick Shen wrote:
>> Ah, so simple. I'm surprised. Could you please recommend which app for
>> packet capture?
>
> Actually, I should have read your mail more carefully. You already use
> rawmsg, which is the second best thing after the packet capture. But in
> this case, you'll see exactly the same thing (if you don't trust me, use
> Wireshark, an excellent open source capture app).
>
> Look at this:
>
> rawmsg: '<171> at
> net.netm.me.coim.GenericImportWorker.run(GenericImportWorker.java:47)'
>
> Compare that to the header that is described in RFC 3164 and you will
> see that there is nothing close to a real header inside that message. As
> the message is malformed, funny things can happen. In other words,
> results are unpredictable, and this is what you are seeing.
>
>> And I'd like to share another 2 log examples.
>>
>> ######################################################################################
>> Debug line with all properties:
>> FROMHOST: 'helios', HOSTNAME: 'helios', PRI: 171,
>> syslogtag '', programname: '', APP-NAME: '', PROCID: '-', MSGID: '-',
>> FACILITY-TEXT: 'local5'
>> TIMESTAMP: 'Jan 19 10:13:13', STRUCTURED-DATA: '-',
>> msg: ' at
>> net.netm.me.coim.GenericImportWorker.run(GenericImportWorker.java:47)'
>> rawmsg: '<171> at
>> net.netm.me.coim.GenericImportWorker.run(GenericImportWorker.java:47)'
>> ######################################################################################
>>
>> You could see some *spaces* between '<171>' and 'at net ...'. And the HOSTNAME
>> property is "helios".
>>
>>
>> ######################################################################################
>> Debug line with all properties:
>> FROMHOST: 'helios', HOSTNAME: 'Caused', PRI: 171,
>> syslogtag 'by:', programname: 'by', APP-NAME: 'by', PROCID: '-', MSGID: '-',
>> FACILITY-TEXT: 'local5'
>> TIMESTAMP: 'Jan 19 10:13:13', STRUCTURED-DATA: '-',
>> msg: ' java.sql.BatchUpdateException: Batch entry 0 update item set
>> itm_orderid=3722338, itm_masterorderid=0, refOrderId=
>> 0, itm_name1=Bach: Weihnachtsoratorium, itm_name2=New London Consort,
>> itm_author=NULL, itm_info=/var/APP/ME-utf8/content/
>> import/Universal-ClassicJazz/MusicDataInProgress/2000000338428,
>> itm_info2=[NEW][ClassicJazz] [CONTENT-OK][CONTENT-320-OK]
>> nullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnulln
>> ullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnu
>> ll[CHECK-MMC][CHECK-AGAIN], itm_lang=NULL, itm_isrc=NULL, itm_grid=NULL,
>> itm_icpn=0028948002795, volume=NULL, track=0, it
>> m_pricegroup=1880, itm_providerid=30000, itm_orderidprovider=0,
>> itm_pricegroupprovider=1363, itm_itemidprovider=NULL, itm
>> _viewable=1, itm_copyrightfree=F, itm_withdrmforwardlock=T,
>> externalinfo=NULL, authorizedAge=0, meanEvaluation=0, numEval
>> uations=0, licenseprovider_id=2131264, importSt'
>> rawmsg: '<171>Caused by: java.sql.BatchUpdateException: Batch entry 0 update
>> item set itm_orderid=3722338, itm_masterorde
>> rid=0, refOrderId=0, itm_name1=Bach: Weihnachtsoratorium, itm_name2=New
>> London Consort, itm_author=NULL, itm_info=/var/AP
>> P/ME-utf8/content/import/Universal-ClassicJazz/MusicDataInProgress/2000000338428,
>> itm_info2=[NEW][ClassicJazz] [CONTENT-O
>> K][CONTENT-320-OK]nullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnul
>> lnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnullnull
>> nullnullnullnullnull[CHECK-MMC][CHECK-AGAIN], itm_lang=NULL, itm_isrc=NULL,
>> itm_grid=NULL, itm_icpn=0028948002795, volume
>> =NULL, track=0, itm_pricegroup=1880, itm_providerid=30000,
>> itm_orderidprovider=0, itm_pricegroupprovider=1363, itm_itemid
>> provider=NULL, itm_viewable=1, itm_copyrightfree=F,
>> itm_withdrmforwardlock=T, externalinfo=NULL, authorizedAge=0, meanEva
>> luation=0, numEvaluations=0, licenseprovider_id=2131264, importSt'
>> ######################################################################################
>>
>> But in the above example:
>> The word 'Caused' is between '<171>' and 'by ...'. So the HOSTNAME is
>> accidentally set to 'Caused'.
>>
>> I'm wondering if it's a coincidence that if spaces exist between <PRI> and
>> the message in rawmsg and the hostname is not provided,
>> then HOSTNAME will be set correctly?
>
> that's probably the case with current code, but I don't guarantee that
> will stay. Again: invalid format => unpredictable results on all header
> fields
OK, now I see that malformed messages will cause unpredictable results in rsyslog. That's quite helpful.

>>
>> And I thought I could use the 'FROMHOST' property, but I have another scenario.
>>
>> ######################################################################################
>> Debug line with all properties:
>> FROMHOST: '172.20.101.6', HOSTNAME: 'icarus', PRI: 174,
>> syslogtag 'httpd8330.sms:', programname: 'httpd8330.sms', APP-NAME:
>> 'httpd8330.sms', PROCID: '-', MSGID: '-', FACILITY-TEXT: 'local5'
>> TIMESTAMP: 'Jan 19 15:14:50', STRUCTURED-DATA: '-',
>> msg: ' xxx.xxx.internal - - [19/Jan/2009:15:14:50 +0100] "GET
>> /itransport/mbg/mbg/io/mbg?provider=TMOBILE_XTC_3ABO_LIVE&request-type=chargeSubscription&critialdata&originator-id=PGW_6686//S0002865748&service-type=web&payment-type=subscr&amount=299&subscription-amount=299&item-amount=299&msisdn=00491704127650&subscription-id=1662126457&subscription-type=2&reply-path=http://pgw:8330/sms/pgw/intern/ReportReception&sms-text=Dein+Abo+wurde+mit+2.99+Euro+gebucht.
>> HTTP/1.1" 200 87#012'
>> rawmsg: '<174>2009-01-19T15:14:50.923441+01:00 icarus httpd8330.sms:
>> xxx.xxx.internal - - [19/Jan/2009:15:14:50 +0100] "GET
>> /itransport/mbg/mbg/io/mbg?provider=TMOBILE_XTC_3ABO_LIVE&request-type=chargeSubscription&critialdata&originator-id=PGW_6686//S0002865748&service-type=web&payment-type=subscr&amount=299&subscription-amount=299&item-amount=299&msisdn=00491704127650&subscription-id=1662126457&subscription-type=2&reply-path=http://pgw:8330/sms/pgw/intern/ReportReception&sms-text=Dein+Abo+wurde+mit+2.99+Euro+gebucht.
>> HTTP/1.1" 200 87#012'
>> ######################################################################################
>>
> that's a correctly formatted message
>
>> You could see that the HOSTNAME field is correctly set to 'icarus'. But the
>> FROMHOST field is an IP address.
>> And I do have a reverse zone for that IP in the DNS settings. Any ideas?
>
> To get the name, you indeed need to enable remote lookups. One solution
> would be to permit different settings for different remote hosts, but
> that would be a feature request. Would make sense, but I am currently
> rather busy. If you add it to the bugzilla http://bugzilla.adiscon.com
> I'll see that I implement it when nothing of higher priority is in front
> of it.

I've filed a bugzilla report [1] for your information.

Anyway, one more question: if I use rsyslog on the client side, will it avoid sending out malformed/invalid format messages?

[1]: http://bugzilla.adiscon.com/show_bug.cgi?id=116

Thanks a lot for your help,
Patrick
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
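The header-parsing behaviour discussed in this thread, as an added example that is not part of the original mail and not rsyslog's own code. The three sample lines are constructed from the rawmsg values quoted above (the long SQL text of the second one is shortened). `lenient_header` is a hypothetical best-effort parser that merely models the debug output shown, so that the reader can see how 'Caused' ends up in HOSTNAME; it makes no claim about how rsyslog actually implements its fallback. `strict_header` is the check a collector should apply instead: it fills HOSTNAME and the tag only when the full RFC 3164 HEADER (PRI, TIMESTAMP, HOSTNAME) is present, and otherwise flags the record and records the peer address (FROMHOST) as the host of record. Because the third sample carries an RFC 3339 timestamp rather than the RFC 3164 "Mmm dd hh:mm:ss" form, both timestamp formats are accepted.

```python
import re
from typing import Dict, Optional

# Constructed sample input, modelled on the three rawmsg values quoted in the thread
# (the long SQL text of the second one is shortened; only the line structure matters).
SAMPLES = {
    "no_header_leading_space":
        "<171> at net.netm.me.coim.GenericImportWorker.run(GenericImportWorker.java:47)",
    "no_header_word_first":
        "<171>Caused by: java.sql.BatchUpdateException: Batch entry 0 update item set itm_orderid=3722338",
    "well_formed":
        '<174>2009-01-19T15:14:50.923441+01:00 icarus httpd8330.sms: xxx.xxx.internal - - '
        '[19/Jan/2009:15:14:50 +0100] "GET /itransport/mbg HTTP/1.1" 200 87',
}

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 TIMESTAMP ("Mmm dd hh:mm:ss") or the RFC 3339 form seen in the third sample.
TS_RE = re.compile(
    r"^(?:(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d\d:\d\d:\d\d"
    r"|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)) "
)
HOST_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9.\-]*) ")
TAG_RE = re.compile(r"^([A-Za-z0-9._\-/]{1,32})(?:\[(\d+)\])?: ?")


def split_pri(raw: str):
    """Return (PRI value or None, remainder). A valid PRI is <0..191>."""
    m = PRI_RE.match(raw)
    if not m or int(m.group(1)) > 191:
        return None, raw
    return int(m.group(1)), raw[m.end():]


def _record(pri, hostname, tag, msg, malformed) -> Dict[str, Optional[object]]:
    return {
        "pri": pri,
        "facility": None if pri is None else pri >> 3,   # 171 -> 21 = local5
        "severity": None if pri is None else pri & 7,    # 171 -> 3  = err
        "hostname": hostname, "tag": tag, "msg": msg, "malformed": malformed,
    }


def lenient_header(raw: str, fromhost: str) -> Dict[str, Optional[object]]:
    """Hypothetical best-effort parser reproducing the outcome in the thread: when the
    TIMESTAMP is missing it still takes the first word as HOSTNAME and the next as the
    tag, unless the message starts with a space, in which case FROMHOST is used.
    This only models the debug output shown in the mail; it is not rsyslog's code."""
    pri, rest = split_pri(raw)
    ts = TS_RE.match(rest)
    if ts:
        rest = rest[ts.end():]
    elif rest.startswith(" "):
        return _record(pri, fromhost, "", rest, True)
    host = HOST_RE.match(rest)
    hostname = host.group(1) if host else fromhost
    rest = rest[host.end():] if host else rest
    tag = TAG_RE.match(rest)
    return _record(pri, hostname, tag.group(1) if tag else "",
                   rest[tag.end():] if tag else rest, ts is None)


def strict_header(raw: str, fromhost: str) -> Dict[str, Optional[object]]:
    """Populate HOSTNAME and tag only when the complete HEADER (PRI, TIMESTAMP, HOSTNAME)
    is present. Otherwise flag the record as malformed, keep the whole payload as msg and
    record FROMHOST, the only value the receiver observed itself, as the host of record."""
    pri, rest = split_pri(raw)
    ts = TS_RE.match(rest) if pri is not None else None
    host = HOST_RE.match(rest[ts.end():]) if ts else None
    if not (ts and host):
        return _record(pri, fromhost, "", rest, True)
    rest = rest[ts.end() + host.end():]
    tag = TAG_RE.match(rest)
    return _record(pri, host.group(1), tag.group(1) if tag else "",
                   rest[tag.end():] if tag else rest, False)


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        peer = "172.20.101.6" if name == "well_formed" else "helios"
        for parser in (lenient_header, strict_header):
            r = parser(raw, peer)
            print(f"{name:24s} {parser.__name__:15s} HOSTNAME={r['hostname']!r:16s} "
                  f"tag={r['tag']!r:18s} malformed={r['malformed']}")
```

Running the script shows the two malformed lines landing with HOSTNAME 'helios' and 'Caused' under the lenient model, exactly as in the debug output, while the strict parser reports both as malformed and keeps 'helios' (the peer) for both; only the well-formed line yields HOSTNAME 'icarus' and tag 'httpd8330.sms' from either parser. The practical point for a collector is that HOSTNAME and programname from a message with no valid header should never feed filtering, routing or correlation rules: they are whatever word happened to follow the PRI. Even on a well-formed line HOSTNAME is sender-supplied and spoofable, so FROMHOST, the address the receiver itself observed, is the only field with any integrity, and, as Rainer notes, turning it into a name requires remote DNS lookups to be enabled.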

