On Fri, 6 Mar 2009, Rainer Gerhards wrote:

> That's why I am after the log samples :) I just termed a new acronym
> this afternoon:
> YAMSF - yet another malformed syslog format ;)
>
> http://blog.gerhards.net/2009/02/calling-for-log-samples.html
>
> I try hard to get the fields right, but often this is impossible,
> resulting in the issues you see.

These logs come from several different servers, including different OSs, 
but all are misparsed by rsyslog.

I am not seeing anything obviously wrong with them.

<167>Mar  6 16:57:54 172.20.245.8 %PIX-7-710005: UDP request discarded from SERVER1/2741 to test_app:255.255.255.255/61601
<29>Mar  6 16:57:54 methane1d-b plug-gw[25213]: connect host= /192.168.243.37 destination=179.50.100.130/60029
<29>Mar  6 16:57:54 methane1a-b plug-gw[29368]: disconnect host= /192.168.242.119 destination=179.50.100.52/14733 in=357 out=71 duration=1
<29>Mar  6 16:57:54 happy1-b plug-gw[30259]: connect host= /192.168.22.8 destination=192.168.104.31/5667
<22>Mar  6 16:57:54 192.168.242.66 sendmail[13328]: n270vrSH013326: to=<[email protected]>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=37052, relay=mx1.hotmail.com. [65.54.244.8], dsn=2.0.0, stat=Sent ( <[email protected]> Queued mail for delivery)
<29>Mar  6 16:57:54 corpmail1-p netacl[3839]: permit host= /10.201.7.120 service=telnetd execute=/usr/local/etc/tn-gw

David Lang

> Rainer
>
>> -----Original Message-----
>> From: [email protected] [mailto:rsyslog-
>> [email protected]] On Behalf Of [email protected]
>> Sent: Friday, March 06, 2009 7:54 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] properties not getting filled in correctly
>>
>> On Fri, 6 Mar 2009, [email protected] wrote:
>>
>>> I'm running into problems trying to do filtering. It looks as if the
>>> log parsing is not properly filling in the properties.
>>>
>>> What I've run into so far:
>>>
>>> When I use the property 'programname', the content that I see is what
>>> I would expect in 'hostname'.
>>>
>>> When I use the property 'hostname', the content that I see is what I
>>> would expect in 'fromhost'.
>>>
>>> I haven't checked all the other properties, but my guess is that
>>> somehow rsyslog is off-by-one in filling them in.
>>
>> having said this, date, fromhost, and from-ip appear to be filled in
>> correctly.
>>
>> David Lang
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com
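Added example, not code from the rsyslog project or from anyone in this thread: a small parser for the BSD/RFC 3164 lines David posted, showing which piece of text should land in each rsyslog-style property (pri, facility, severity, timestamp, hostname, syslogtag, programname, msg) so that filters on 'programname' and 'hostname' can be checked against known input. The split rules are my reading of RFC 3164, not rsyslog's parser, and the function names (parse_bsd_syslog, naive_positional, unparsed) and the constructed NO_HOSTNAME line are my own. The second, naive parser is there to show one way a positional split produces exactly the shifted properties described in the thread when the hostname field is absent from a line; whether that is what rsyslog was doing in 2009 is not established by the thread.

```python
"""RFC 3164 header parsing against the samples quoted in this thread.

Added example; assumes nothing about rsyslog internals.  Property names
mirror rsyslog's (hostname, syslogtag, programname, procid, msg)."""
import re

# Lines copied from the thread (email line-wrapping undone).
SAMPLES = [
    "<167>Mar  6 16:57:54 172.20.245.8 %PIX-7-710005: UDP request discarded from SERVER1/2741 to test_app:255.255.255.255/61601",
    "<29>Mar  6 16:57:54 methane1d-b plug-gw[25213]: connect host= /192.168.243.37 destination=179.50.100.130/60029",
    "<22>Mar  6 16:57:54 192.168.242.66 sendmail[13328]: n270vrSH013326: to=<[email protected]>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=37052, relay=mx1.hotmail.com. [65.54.244.8], dsn=2.0.0, stat=Sent ( <[email protected]> Queued mail for delivery)",
    "<29>Mar  6 16:57:54 corpmail1-p netacl[3839]: permit host= /10.201.7.120 service=telnetd execute=/usr/local/etc/tn-gw",
]

# Constructed line (not from the thread): same plug-gw message, but the
# sender omitted the HOSTNAME field.  Used to show the field shift.
NO_HOSTNAME = "<29>Mar  6 16:57:54 plug-gw[25213]: connect host= /192.168.243.37 destination=179.50.100.130/60029"

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
# The day is space-padded, hence the two spaces in "Mar  6".
_TIMESTAMP = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>" + _TIMESTAMP + r") "
    r"(?P<hostname>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?"   # tag must end in ':'
    r"(?P<msg>.*)$"
)
_PRI_TS = re.compile(r"^<(\d{1,3})>(" + _TIMESTAMP + r") (.*)$")


def parse_bsd_syslog(line):
    """Strict parse: return a dict of properties, or None when the line
    does not have a HOSTNAME followed by a ':'-terminated TAG."""
    m = _HEADER.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    pid = m.group("pid")
    return {
        "pri": pri,
        "facility": pri >> 3,        # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
        "programname": m.group("tag"),
        "procid": pid,
        "syslogtag": m.group("tag") + (f"[{pid}]" if pid else "") + ":",
        "msg": m.group("msg"),
    }


def naive_positional(line):
    """Lenient parse that trusts field positions: first token after the
    timestamp is the host, second is the tag.  On a line with no
    HOSTNAME this silently shifts the tag into 'hostname' and the first
    message word into 'syslogtag'."""
    m = _PRI_TS.match(line)
    if m is None:
        return None
    parts = m.group(3).split(" ", 2)
    parts += [""] * (3 - len(parts))
    return {"hostname": parts[0], "syslogtag": parts[1], "msg": parts[2]}


def unparsed(lines):
    """Lines the strict parser rejects; a pipeline should surface these
    rather than filter on properties that were filled positionally."""
    return [ln for ln in lines if parse_bsd_syslog(ln) is None]


if __name__ == "__main__":
    for ln in SAMPLES:
        p = parse_bsd_syslog(ln)
        print(f"{p['hostname']:16} {p['programname']:14} {p['msg'][:40]}")
    print("strict rejects:", unparsed([NO_HOSTNAME]))
    print("naive shift:   ", naive_positional(NO_HOSTNAME))
```

Running it prints a host/program/message column for each sample; the PIX line yields hostname 172.20.245.8 and programname %PIX-7-710005, the sendmail line hostname 192.168.242.66 and programname sendmail. On the constructed line the strict parser returns None, while the naive one reports hostname "plug-gw[25213]:" and syslogtag "connect", which is the kind of result that makes a 'programname' filter see what you expected in 'hostname'. Counting the strict parser's rejects per sender is a cheap way to find which device emits a format that needs its own template before any filter is trusted.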