Thanks for that note, David. I will put 5.5.1 through our test environment.
- Siddhartha > -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of [email protected] > Sent: Tuesday, December 22, 2009 9:38 PM > To: rsyslog-users > Subject: Re: [rsyslog] "Field not Found" crash > > On Tue, 22 Dec 2009, Siddhartha Jain wrote: > > > I am running two machines, a relay and a collecter on CentOS 5.2 x64 > > with 5.2.0 code. > > 5.2.0 has many known (and fixed in later versions) problems. it really > should not be used at this point (can someone from adiscon make a note > on > the download page for it?) > > unfortunantly none of the later 5.x versions have been promoted to > stable, > but you really are better off with the latest devel (5.5.1 at this > point) > rather than 5.2.0 > > David Lang > > > The relay sends logs with this formatting: > > $template tplSiteID,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% > > %syslogtag:1:32%,mxxx-relay,%msg%" > > > > The collectors parses it with this expression: > > $template > > percustID,"/var/rsyslog/logs/%msg:F,44:2:%/%hostname%- > %programname%.log" > > > > Due to bad formatting by client machines running sysklogd, the > collector > > crashes at "repeated messages" lines with this output: > > -----xxxxxxxxxxxx--------- > > 7569.669488000:426f7940: msg parser: flags 30, from > 'mxxx.abc.corp.com', > > msg '<30>2009-12-22T16:19:29.668288-08:00 last message,mxxx-relay, > > repeated 24 times' > > 7569.669611000:426f7940: Message has legacy syslog format. > > 7569.669717000:43af9940: hasRcvInBuffer on nsd 0x2aaaac039910: > pszRcvBuf > > (nil), lenRcvBuf 0 > > 7569.669819000:426f7940: Called action, logging to builtin-file > > 7569.669970000:426f7940: submitBatch: i:0, batch size 1, to process > 1, > > pMsg: 0x2aaaac047070, state 0 > > 7569.670071000:426f7940: ../action.c:736: actionProcessMessage: > inside > > actionProcessMsg() > > 7569.670152000:426f7940: Action 0x1b378cb0 transitioned to state: itx > > 7569.670316000:426f7940: entering actionCalldoAction(), state: itx > > 7569.670414000:426f7940: field requested 2, field found 1 > > 7569.670524000:426f7940: file to log to: percustID > > 7569.670582000:426f7940: Added new entry 5 for file cache, file > > '/var/rsyslog/logs/**FIELD NOT FOUND*/last-message,mxxx-relay,.log'. > > 7569.670628000:426f7940: doWrite, pData->pStrm 0x1b3a5450, lenBuf 76 > > 7569.670733000:426f7940: strm 0x1b3a5450: file -1 flush, buflen 76 > > 7569.670816000:43af9940: hasRcvInBuffer on nsd 0x2aaaac03cbf0: > pszRcvBuf > > (nil), lenRcvBuf 0 > > 7569.670944000:426f7940: strm 0x1b3a5450: open error 2, file > > '/var/rsyslog/logs/**FIELD NOT FOUND*/last-message,mxxx-relay,.log' > > 7569.671107000:426f7940: action call returned -2040 > > 7569.671170000:426f7940: Action 0x1b378cb0 transitioned to state: rdy > > 7569.671277000:43af9940: Segmentation fault (core dumped) > > -----xxxxxxxxxxxx--------- > > > > To patch the situation, I tried to replace "HOSTNAME" with "fromhost" > > but that also caused crashes. Eventually, I replaced it with > > "fromhost-ip" as a temporary fix but is there a more elegant solution > to > > take care of errant clients? > > > > > > Happy Holidays and thanks for all the great work, Rainer! > > > > > > > > Thanks, > > > > Siddhartha > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
