On Tue, 22 Dec 2009, Siddhartha Jain wrote: > I am running two machines, a relay and a collecter on CentOS 5.2 x64 > with 5.2.0 code.
5.2.0 has many known (and fixed in later versions) problems. it really should not be used at this point (can someone from adiscon make a note on the download page for it?) unfortunantly none of the later 5.x versions have been promoted to stable, but you really are better off with the latest devel (5.5.1 at this point) rather than 5.2.0 David Lang > The relay sends logs with this formatting: > $template tplSiteID,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% > %syslogtag:1:32%,mxxx-relay,%msg%" > > The collectors parses it with this expression: > $template > percustID,"/var/rsyslog/logs/%msg:F,44:2:%/%hostname%-%programname%.log" > > Due to bad formatting by client machines running sysklogd, the collector > crashes at "repeated messages" lines with this output: > -----xxxxxxxxxxxx--------- > 7569.669488000:426f7940: msg parser: flags 30, from 'mxxx.abc.corp.com', > msg '<30>2009-12-22T16:19:29.668288-08:00 last message,mxxx-relay, > repeated 24 times' > 7569.669611000:426f7940: Message has legacy syslog format. > 7569.669717000:43af9940: hasRcvInBuffer on nsd 0x2aaaac039910: pszRcvBuf > (nil), lenRcvBuf 0 > 7569.669819000:426f7940: Called action, logging to builtin-file > 7569.669970000:426f7940: submitBatch: i:0, batch size 1, to process 1, > pMsg: 0x2aaaac047070, state 0 > 7569.670071000:426f7940: ../action.c:736: actionProcessMessage: inside > actionProcessMsg() > 7569.670152000:426f7940: Action 0x1b378cb0 transitioned to state: itx > 7569.670316000:426f7940: entering actionCalldoAction(), state: itx > 7569.670414000:426f7940: field requested 2, field found 1 > 7569.670524000:426f7940: file to log to: percustID > 7569.670582000:426f7940: Added new entry 5 for file cache, file > '/var/rsyslog/logs/**FIELD NOT FOUND*/last-message,mxxx-relay,.log'. > 7569.670628000:426f7940: doWrite, pData->pStrm 0x1b3a5450, lenBuf 76 > 7569.670733000:426f7940: strm 0x1b3a5450: file -1 flush, buflen 76 > 7569.670816000:43af9940: hasRcvInBuffer on nsd 0x2aaaac03cbf0: pszRcvBuf > (nil), lenRcvBuf 0 > 7569.670944000:426f7940: strm 0x1b3a5450: open error 2, file > '/var/rsyslog/logs/**FIELD NOT FOUND*/last-message,mxxx-relay,.log' > 7569.671107000:426f7940: action call returned -2040 > 7569.671170000:426f7940: Action 0x1b378cb0 transitioned to state: rdy > 7569.671277000:43af9940: Segmentation fault (core dumped) > -----xxxxxxxxxxxx--------- > > To patch the situation, I tried to replace "HOSTNAME" with "fromhost" > but that also caused crashes. Eventually, I replaced it with > "fromhost-ip" as a temporary fix but is there a more elegant solution to > take care of errant clients? > > > Happy Holidays and thanks for all the great work, Rainer! > > > > Thanks, > > Siddhartha > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
