>> 14:43:15.483698 88:43:e1:41:15:3f > 00:0c:29:a2:86:f1, ethertype IPv4
>> (0x0800), length 76: (tos 0x0, ttl  63, id 0, offset 0, flags [DF],
>> proto: UDP (17), length: 62) 10.167.3.18.514 > 10.167.2.65.514: [udp
>> sum ok] SYSLOG, length: 34
>>         Facility daemon (3), Severity error (3)
>>         Msg: last message repeated 5 times\012
>>         0x0000:  3c32 373e 6c61 7374 206d 6573 7361 6765
>>         0x0010:  2072 6570 6561 7465 6420 3520 7469 6d65
>>         0x0020:  730a
>>         0x0000:  4500 003e 0000 4000 3f11 210f 0aa7 0312
>> E..>....@.?.!.....
>>         0x0010:  0aa7 0241 0202 0202 002a df44 3c32 373e
>> ...A.....*.D<27>
>>         0x0020:  6c61 7374 206d 6573 7361 6765 2072 6570
>> last.message.rep
>>         0x0030:  6561 7465 6420 3520 7469 6d65 730a
>> eated.5.times.
>>
>
>the message is totally malformed.

Rainer,

Thanks for the reply.

I'm no expert on the format I'm afraid but I have looked at the RFC 
http://tools.ietf.org/search/rfc5424

You're correct that the sender is using sysklogd. Would you be able to tell me 
how it is malformed? I can see that something (tcpdump?) has parsed the message 
here:-

Facility daemon (3), Severity error (3)
Msg: last message repeated 5 times\012

Reading the RFC it says the header should be

PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID

Where PRI is enclosed in < and > (which is the <27> in the above), followed by 
a space and then the version, which can be NIL, followed by timestamp (which 
can also be NIL), followed by hostname (also NIL permitted), APP-NAME (also NIL 
is permitted), PROCID (also NIL permitted), MSGID (also NIL permitted) and then 
after the header is the actual message.

So my understanding of the RFC is that the only field required in the header is 
<PRI>, which is present. I'm not clear on whether the spaces are required or 
not or only if the optional fields are present.

The only difference I see between the valid packet I sent and this one is that 
the valid packet has "sshd[7809]:" at the start of the message - is this the 
APP-NAME field from the header perhaps? I realise from the RFC that many of 
these fields are listed as SHOULD be provided.

Thanks.
Jon.
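As an added illustration (not part of the thread above, and not rsyslog's own parser), the following Python classifier applies the RFC 5424 header rule quoted above to the captured datagram and to a hypothetical RFC 5424 rendering of the same message. The timestamp, hostname and the "Accepted publickey" line are constructed sample values; the "sshd[7809]:" tag handling is a simplified BSD-style check, not a full RFC 3164 parser.

```python
import re

# Constructed sample inputs: the payload captured in the tcpdump above, and a
# hypothetical RFC 5424 rendering of it (timestamp and hostname are made up).
CAPTURED = "<27>last message repeated 5 times\n"
RFC5424_SAMPLE = "<27>1 2024-01-01T12:00:00Z host1 sshd 7809 - - last message repeated 5 times"

# RFC 5424 HEADER: PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
# Every field is mandatory; an "absent" field is written as the NILVALUE "-",
# it is never simply left out. VERSION is a non-zero digit directly after PRI.
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>-|\S+) (?P<hostname>-|\S{1,255}) (?P<appname>-|\S{1,48}) "
    r"(?P<procid>-|\S{1,128}) (?P<msgid>-|\S{1,32}) "
    r"(?P<sd>-|\[.*?\])"
    r"(?: (?P<msg>.*))?$", re.DOTALL)

def split_pri(pri: int):
    """Facility and severity from PRI (PRI = facility * 8 + severity); 27 -> daemon/error."""
    return pri // 8, pri % 8

def classify(raw: str) -> dict:
    """Report which syslog wire format a message uses and, for non-5424 input, why."""
    line = raw.rstrip("\n")
    m = RFC5424_HEADER.match(line)
    if m:
        fac, sev = split_pri(int(m.group("pri")))
        return {"format": "rfc5424", "facility": fac, "severity": sev,
                "appname": m.group("appname"), "procid": m.group("procid"),
                "msg": m.group("msg")}
    m = re.match(r"^<(\d{1,3})>(.*)$", line, re.DOTALL)
    if not m:
        return {"format": "invalid", "reason": "no <PRI> prefix"}
    fac, sev = split_pri(int(m.group(1)))
    body = m.group(2)
    # Legacy BSD syslog: an optional "TAG[pid]:" prefix such as "sshd[7809]:" carries
    # what RFC 5424 would put in APP-NAME and PROCID.
    tag = re.match(r"^([A-Za-z0-9_.\-/]+)(?:\[(\d+)\])?: ?(.*)$", body, re.DOTALL)
    return {"format": "bsd", "facility": fac, "severity": sev,
            "appname": tag.group(1) if tag else None,
            "procid": tag.group(2) if tag else None,
            "msg": tag.group(3) if tag else body,
            "reason": "no VERSION digit after PRI, so this is not an RFC 5424 header"}
```

Run on CAPTURED this reports the BSD/legacy format with facility 3 and severity 3 and no tag, while RFC5424_SAMPLE parses with APP-NAME "sshd" and PROCID "7809".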

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
