On Thu, Oct 8, 2009 at 13:10, Dag Wieers <[email protected]> wrote:
> We have been looking at why we don't see messages from netconsole ending
> up in our logfiles. netconsole is a kernel module that sends information
> of kernel panics to a syslog server. The documentation indicates it should
> work with syslog as an endpoint but that is not true with rsyslog,
> apparently :)

Mostly because said syslog daemons are not only very loose in their interpretation of a valid syslog entry, but in their default configurations they also tend to silently interpolate data sloppy senders leave out.

> Also, I have noticed that our central rsyslog-server (more than 400
> systems log to it) has directories with names like: Detected/, exiting/,
> ext3_abort/, EXT3-fs/, journal/, last/, martian/, program/, Remounting/,
> Restarting/, ... So it is obvious that something is not working as
> expected coming from the kernel.

More than likely because you're trying to make directories based on the %hostname% property, which rsyslog assumes is a specific field. With the sloppier daemons (FreeBSD in particular), I've had far more luck using the %fromhost-ip% property (as well as the $ system properties for timestamps). Of course, that breaks down if you're doing relaying, but relying on values the other end sends you to create filesystem artifacts is dangerous at best anyway.

> but of course I cannot influence our production kernels to do the right
> thing. What can I do to have rsyslog accept the "wrong" thing ? :)

Use %fromhost% or %fromhost-ip% to make the directory structures/filenames, and make a custom format if you need to handle the remaining lack of data (again, timestamp & host). I'm sure there are many other ways to approach it, but that's the way I've solved it.
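
Added example, not part of the original message or of the rsyslog project: a legacy-format rsyslog.conf fragment showing the %hostname%-based file template next to the %fromhost-ip%-based one the reply recommends, plus a custom line format that supplies the timestamp and host from the receiver's side. The template names and the /var/log/remote path are assumptions made for illustration.

```conf
# Assumed names and paths throughout; adjust to the local layout.

# Weak: the directory name comes from the hostname field parsed out of the
# message. A sender that omits the syslog header (as netconsole does) puts
# message text in that position, so directories get named after it.
$template HostnameFile,"/var/log/remote/%hostname%/messages"

# Corrected: the directory name comes from the address rsyslog received the
# message from, which the message content cannot change. As the reply notes,
# behind a relay this is the relay's address, not the originator's.
$template SenderFile,"/var/log/remote/%fromhost-ip%/messages"

# Custom line format for header-less messages: reception time and sender
# address are filled in by rsyslog, followed by the message as received.
$template SenderFormat,"%timegenerated% %fromhost-ip% %rawmsg%\n"

# Old action, left commented out for comparison:
# *.* ?HostnameFile

# Write every message to the per-sender file using the custom format.
*.* ?SenderFile;SenderFormat
```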

