I am running two machines, a relay and a collector on CentOS 5.2 x64 with 5.2.0 code.

The relay sends logs with this formatting:

$template tplSiteID,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%,mxxx-relay,%msg%"

The collector parses it with this expression:

$template percustID,"/var/rsyslog/logs/%msg:F,44:2:%/%hostname%-%programname%.log"

Due to bad formatting by client machines running sysklogd, the collector crashes at "repeated messages" lines with this output:

-----xxxxxxxxxxxx---------
7569.669488000:426f7940: msg parser: flags 30, from 'mxxx.abc.corp.com', msg '<30>2009-12-22T16:19:29.668288-08:00 last message,mxxx-relay, repeated 24 times'
7569.669611000:426f7940: Message has legacy syslog format.
7569.669717000:43af9940: hasRcvInBuffer on nsd 0x2aaaac039910: pszRcvBuf (nil), lenRcvBuf 0
7569.669819000:426f7940: Called action, logging to builtin-file
7569.669970000:426f7940: submitBatch: i:0, batch size 1, to process 1, pMsg: 0x2aaaac047070, state 0
7569.670071000:426f7940: ../action.c:736: actionProcessMessage: inside actionProcessMsg()
7569.670152000:426f7940: Action 0x1b378cb0 transitioned to state: itx
7569.670316000:426f7940: entering actionCalldoAction(), state: itx
7569.670414000:426f7940: field requested 2, field found 1
7569.670524000:426f7940: file to log to: percustID
7569.670582000:426f7940: Added new entry 5 for file cache, file '/var/rsyslog/logs/**FIELD NOT FOUND*/last-message,mxxx-relay,.log'.
7569.670628000:426f7940: doWrite, pData->pStrm 0x1b3a5450, lenBuf 76
7569.670733000:426f7940: strm 0x1b3a5450: file -1 flush, buflen 76
7569.670816000:43af9940: hasRcvInBuffer on nsd 0x2aaaac03cbf0: pszRcvBuf (nil), lenRcvBuf 0
7569.670944000:426f7940: strm 0x1b3a5450: open error 2, file '/var/rsyslog/logs/**FIELD NOT FOUND*/last-message,mxxx-relay,.log'
7569.671107000:426f7940: action call returned -2040
7569.671170000:426f7940: Action 0x1b378cb0 transitioned to state: rdy
7569.671277000:43af9940: Segmentation fault (core dumped)
-----xxxxxxxxxxxx---------

To patch the situation, I tried to replace "HOSTNAME" with "fromhost" but that also caused crashes. Eventually, I replaced it with "fromhost-ip" as a temporary fix, but is there a more elegant solution to take care of errant clients?

Happy Holidays and thanks for all the great work, Rainer!

Thanks,
Siddhartha

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
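Added example (not part of the original post and not rsyslog code): a simplified Python model of how the collector's percustID template turns message properties into a file path, with each component validated before use. It reproduces the "field requested 2, field found 1" case from the debug output and routes such messages to a catch-all file instead; the `_unparsed` directory, the component whitelist and the header regex are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

LOG_ROOT = PurePosixPath("/var/rsyslog/logs")   # root used by the percustID template
QUARANTINE = "_unparsed"                        # hypothetical catch-all directory
# Assumed whitelist for a single path component: no '/', no leading '.', max 64 chars.
SAFE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
# Simplified legacy header: <PRI>TIMESTAMP HOSTNAME TAG MSG (tag ends at ' ' or ':').
HEADER = re.compile(r"<(\d{1,3})>(\S+) (\S+) ([^ :]*:?)(.*)", re.S)

# Message taken from the debug output in the post.
BAD = "<30>2009-12-22T16:19:29.668288-08:00 last message,mxxx-relay, repeated 24 times"
# Constructed sample of a well-formed relayed message.
GOOD = "<30>2009-12-22T16:19:29.668288-08:00 web01 sshd[411]:,mxxx-relay, session opened"

def parse_relayed(line):
    """Split a relayed line into the properties the template uses, or None."""
    m = HEADER.fullmatch(line)
    if m is None:
        return None
    _pri, _ts, hostname, tag, msg = m.groups()
    programname = re.split(r"[\[:]", tag, maxsplit=1)[0]
    return {"hostname": hostname, "programname": programname, "msg": msg}

def field(msg, delim=",", index=2):
    """Model of %msg:F,44:2%: the index-th delimited field, or None if absent."""
    parts = msg.split(delim)
    return parts[index - 1] if len(parts) >= index else None

def safe_component(value):
    """Return value only if it is a plain file-name component, else None."""
    if value and SAFE.fullmatch(value) and ".." not in value:
        return value
    return None

def dynafile_path(line):
    """Per-customer path, or the quarantine path if any component is unusable."""
    props = parse_relayed(line)
    if props is not None:
        site = safe_component(field(props["msg"]) or "")
        host = safe_component(props["hostname"])
        prog = safe_component(props["programname"])
        if site and host and prog:
            return str(LOG_ROOT / site / f"{host}-{prog}.log")
    return str(LOG_ROOT / QUARANTINE / "malformed.log")

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(dynafile_path(sample))
```

The same idea applies on the collector itself: messages that lack the expected site field should be matched and diverted before the dynamic-file action runs, so that untrusted message content never decides the directory name.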

