I see from a previous post
(http://lists.adiscon.net/pipermail/rsyslog/2010-February/003416.html) that
this has come up before but there was no answer previously.
I have rsyslogd (the latest, version 5.4) installed and running on a host
configured to accept remote syslog messages. I have another server configured
to send its syslog messages to the host running rsyslog. I have rsyslog
configured to store its entries in a MySQL database using the supplied rsyslog
MySQL module.
What I find is that most of the messages come through as expected. For example:-
*************************** 3. row ***************************
ID: 163941
CustomerID: NULL
ReceivedAt: 2010-07-12 14:42:38
DeviceReportedTime: 2010-07-12 14:42:38
Facility: 10
Priority: 6
FromHost: 10.167.3.18
Message: pam_unix(sshd:session): session closed for user root
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: sshd[7809]:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
However, each time I get a "Last message repeated X times" message I see
corrupted entries in the database:-
*************************** 2. row ***************************
ID: 163942
CustomerID: NULL
ReceivedAt: 2010-07-12 14:43:15
DeviceReportedTime: 2010-07-12 14:43:15
Facility: 3
Priority: 3
FromHost: last
Message: repeated 5 times
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: message
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
You can see that the message text has been incorrectly split across the fields
Message, FromHost and SysLogTag.
I have run a tcpdump and here are the two relevant packets:-
14:42:38.985098 88:43:e1:41:15:3f > 00:0c:29:a2:86:f1, ethertype IPv4 (0x0800),
length 111: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto: UDP (17),
length: 97) 10.167.3.18.514 > 10.167.2.65.514: [udp sum ok] SYSLOG, length: 69
Facility authpriv (10), Severity info (6)
Msg: sshd[7809]: pam_unix(sshd:session): session closed for user
root\012
0x0000: 3c38 363e 7373 6864 5b37 3830 395d 3a20
0x0010: 7061 6d5f 756e 6978 2873 7368 643a 7365
0x0020: 7373 696f 6e29 3a20 7365 7373 696f 6e20
0x0030: 636c 6f73 6564 2066 6f72 2075 7365 7220
0x0040: 726f 6f74 0a
0x0000: 4500 0061 0000 4000 3f11 20ec 0aa7 0312 e.....@.?.......
0x0010: 0aa7 0241 0202 0202 004d 5dc8 3c38 363e ...A.....M].<86>
0x0020: 7373 6864 5b37 3830 395d 3a20 7061 6d5f sshd[7809]:.pam_
0x0030: 756e 6978 2873 7368 643a 7365 7373 696f unix(sshd:sessio
0x0040: 6e29 3a20 7365 7373 696f 6e20 636c 6f73 n):.session.clos
0x0050: 6564 2066 6f72 2075 7365 7220 726f 6f74 ed.for.user.root
0x0060: 0a .
14:43:15.483698 88:43:e1:41:15:3f > 00:0c:29:a2:86:f1, ethertype IPv4 (0x0800),
length 76: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto: UDP (17),
length: 62) 10.167.3.18.514 > 10.167.2.65.514: [udp sum ok] SYSLOG, length: 34
Facility daemon (3), Severity error (3)
Msg: last message repeated 5 times\012
0x0000: 3c32 373e 6c61 7374 206d 6573 7361 6765
0x0010: 2072 6570 6561 7465 6420 3520 7469 6d65
0x0020: 730a
0x0000: 4500 003e 0000 4000 3f11 210f 0aa7 0312 E..>....@.?.!.....
0x0010: 0aa7 0241 0202 0202 002a df44 3c32 373e ...A.....*.D<27>
0x0020: 6c61 7374 206d 6573 7361 6765 2072 6570 last.message.rep
0x0030: 6561 7465 6420 3520 7469 6d65 730a eated.5.times.
In both cases it seems to me that the IP address of the sender has been
included in the packet (0a a7 03 12) which translates as the IP 10.167.3.18
which is the sender.
Is this an rsyslog issue? Is it a known problem?
Thanks.
Jon.
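The split seen in the second database row is what a legacy (RFC 3164) header parser produces when a datagram carries a PRI but no TIMESTAMP/HOSTNAME header: the first word of the text is taken for the hostname and the second for the tag. The script below is an added example, not code from the post or from rsyslog. It embeds the two IPv4/UDP datagrams exactly as the tcpdump hex in the post shows them, pulls the source address out of the IPv4 header (bytes 12..15, the `0aa7 0312` in the second dump of each packet) and the syslog text out of the UDP payload, and then parses each payload twice: once with a hostname heuristic that reproduces the rows above (my reconstruction of the observed behaviour, not rsyslog's parser) and once with a strict header rule that only accepts a hostname after a timestamp and otherwise records the datagram's source address. The `strict_header`, `split_datagram` and `Record` names are my own.

```python
import re
from dataclasses import dataclass

# Raw IPv4/UDP datagrams copied from the tcpdump hex in the post (the
# Ethernet header is not part of that dump, so byte 0 is the IPv4
# version/IHL byte and bytes 12..15 are the source address).
FRAME_SSHD = bytes.fromhex(
    "4500 0061 0000 4000 3f11 20ec 0aa7 0312"
    "0aa7 0241 0202 0202 004d 5dc8 3c38 363e"
    "7373 6864 5b37 3830 395d 3a20 7061 6d5f"
    "756e 6978 2873 7368 643a 7365 7373 696f"
    "6e29 3a20 7365 7373 696f 6e20 636c 6f73"
    "6564 2066 6f72 2075 7365 7220 726f 6f74"
    "0a"
)
FRAME_REPEAT = bytes.fromhex(
    "4500 003e 0000 4000 3f11 210f 0aa7 0312"
    "0aa7 0241 0202 0202 002a df44 3c32 373e"
    "6c61 7374 206d 6573 7361 6765 2072 6570"
    "6561 7465 6420 3520 7469 6d65 730a"
)


def split_datagram(frame: bytes):
    """Return (source IP from the IPv4 header, UDP payload) of a raw datagram."""
    ihl = (frame[0] & 0x0F) * 4                     # IPv4 header length in bytes
    src = ".".join(str(b) for b in frame[12:16])    # IPv4 source address
    udp_len = int.from_bytes(frame[ihl + 4:ihl + 6], "big")
    payload = frame[ihl + 8:ihl + udp_len]          # skip the 8-byte UDP header
    return src, payload


@dataclass
class Record:
    facility: int
    severity: int
    fromhost: str
    tag: str
    message: str


_PRI = re.compile(r"^<(\d{1,3})>")
_TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d ")
_TAG_LOOSE = re.compile(r"^([^ :]*:?) ?")    # token up to a space or colon
_TAG_STRICT = re.compile(r"^([^ :]*:) ?")    # only "prog[pid]:"-style tokens


def parse_legacy(payload: bytes, sender: str, strict_header: bool) -> Record:
    """Parse an RFC 3164 style message.

    strict_header=False mimics the behaviour seen in the database rows:
    with no timestamp, the first word is taken as the hostname unless it
    contains characters a hostname cannot (hypothetical reconstruction,
    not rsyslog's code).  strict_header=True accepts a hostname only after
    a timestamp and otherwise uses the datagram's source address.
    """
    text = payload.decode("ascii").rstrip("\n")
    pri = _PRI.match(text)
    rest = text[pri.end():]
    pri_val = int(pri.group(1))

    ts = _TIMESTAMP.match(rest)
    if ts:                                           # TIMESTAMP SP HOSTNAME SP
        host, _, rest = rest[ts.end():].partition(" ")
    elif strict_header:
        host = sender
    else:
        token, _, after = rest.partition(" ")
        if any(c in token for c in ":[]"):
            host = sender
        else:
            host, rest = token, after

    tag_re = _TAG_STRICT if strict_header else _TAG_LOOSE
    tag = tag_re.match(rest)
    if tag:
        rest = rest[tag.end():]
        tag_text = tag.group(1)
    else:
        tag_text = ""
    return Record(pri_val // 8, pri_val % 8, host, tag_text, rest)


def ingest(frame: bytes, strict_header: bool) -> Record:
    """Decode one captured datagram the way a UDP syslog receiver would."""
    sender, payload = split_datagram(frame)
    return parse_legacy(payload, sender, strict_header)


if __name__ == "__main__":
    for frame in (FRAME_SSHD, FRAME_REPEAT):
        print("heuristic:", ingest(frame, strict_header=False))
        print("strict:   ", ingest(frame, strict_header=True))
```

With the heuristic parser the repeat datagram comes out as FromHost `last`, SysLogTag `message`, Message `repeated 5 times`, matching the corrupted row, while the sshd datagram is fine only because `sshd[7809]:` contains characters that disqualify it as a hostname. The strict parser records `10.167.3.18` for both, which is the property a defender wants from a receiver: the host column should come from the socket or a real header, never from free text in the message, otherwise a query such as "all events from host X" can be skewed by whatever a sender happens to write.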
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com