> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Jon Combe
> Sent: Monday, July 12, 2010 5:19 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Last message repeated n times problem
>
> >> 14:43:15.483698 88:43:e1:41:15:3f > 00:0c:29:a2:86:f1, ethertype IPv4
> >> (0x0800), length 76: (tos 0x0, ttl 63, id 0, offset 0, flags [DF],
> >> proto: UDP (17), length: 62) 10.167.3.18.514 > 10.167.2.65.514: [udp
> >> sum ok] SYSLOG, length: 34
> >> Facility daemon (3), Severity error (3)
> >> Msg: last message repeated 5 times\012
> >> 0x0000: 3c32 373e 6c61 7374 206d 6573 7361 6765
> >> 0x0010: 2072 6570 6561 7465 6420 3520 7469 6d65
> >> 0x0020: 730a
> >> 0x0000: 4500 003e 0000 4000 3f11 210f 0aa7 0312  E..>....@.?.!.....
> >> 0x0010: 0aa7 0241 0202 0202 002a df44 3c32 373e  ...A.....*.D<27>
> >> 0x0020: 6c61 7374 206d 6573 7361 6765 2072 6570  last.message.rep
> >> 0x0030: 6561 7465 6420 3520 7469 6d65 730a       eated.5.times.
> >>
> >
> >the message is totally malformed.
>
> Rainer,
>
> Thanks for the reply.
>
> I'm no expert on the format I'm afraid but I have looked at the RFC
> http://tools.ietf.org/search/rfc5424
>
> You're correct that the sender is using sysklogd. Would you be able to
> tell me how it is malformed? I can see that something (tcpdump?) has
> parsed the message here:-
>
> Facility daemon (3), Severity error (3)
> Msg: last message repeated 5 times\012
>
> Reading the RFC it says the header should be
>
> PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
>
> Where PRI is enclosed in < and > (which is the <27> in the above),
> followed by a space and then the version, which can be NIL, followed by
> timestamp (which can also be NIL), followed by hostname (also NIL
> permitted), APP NAME (also NIL is permitted), PROCID (also NIL
> permitted), MSGID (also NIL permitted) and then after the header is the
> actual message.
>
> So my understanding of the RFC is that the only field required in the
> header is <PRI>, which is present. I'm not clear on whether the spaces
> are required or not or only if the optional fields are present.
Spaces are required, VERSION can not be NILVALUE and NILVALUE is defined as "-". ;)

Rainer

> The only difference I see between the valid packet I sent and this one
> is that the valid packet has "sshd[7809]:" at the start of the message
> - is this the APP-NAME field from the header perhaps? I realise from
> the RFC that many of these fields are listed as SHOULD be provided
>
> Thanks.
> Jon.
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
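As an added example (not code from this thread or from rsyslog), the checker below applies the RFC 5424 HEADER rules Rainer states (mandatory spaces, a numeric VERSION that cannot be NILVALUE, NILVALUE spelled "-") to the exact payload bytes from the tcpdump hex dump above and to a constructed RFC 5424 message with the same PRI; the hostname, PID and timestamp in that constructed message are sample values.

```python
import re

# RFC 5424 HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID,
# followed by SP STRUCTURED-DATA [SP MSG]. Every SP is mandatory, VERSION is a 1-3 digit
# number without a leading zero and may not be NILVALUE, and NILVALUE is exactly "-".
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<hostname>-|[!-~]{1,255}) (?P<appname>-|[!-~]{1,48}) "
    r"(?P<procid>-|[!-~]{1,128}) (?P<msgid>-|[!-~]{1,32}) "
    r"(?P<sd>-|(?:\[[^\]]+\])+)(?: (?P<msg>.*))?$", re.DOTALL)

def decode_pri(pri: int) -> tuple:
    """PRI = facility * 8 + severity; 27 -> (3, 3), i.e. daemon/error as tcpdump printed."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)

def parse_syslog(datagram: bytes) -> dict:
    """Classify one UDP syslog payload as RFC 5424 or not and pull out what can be read."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\n")
    pri = re.match(r"^<(\d{1,3})>", text)
    if not pri or int(pri.group(1)) > 191:
        return {"rfc5424": False, "reason": "no valid PRI"}
    facility, severity = decode_pri(int(pri.group(1)))
    result = {"facility": facility, "severity": severity}
    m = HEADER_RE.match(text)
    if m:
        result["rfc5424"] = True
        result.update({k: v for k, v in m.groupdict().items() if k != "pri"})
        return result
    # Not RFC 5424. The usual case is a BSD/sysklogd-style message where the text
    # follows PRI directly, with no VERSION and no separating space.
    body = text[pri.end():]
    if re.match(r"[1-9]\d{0,2} ", body):
        reason = "HEADER fields after VERSION do not match the grammar"
    else:
        reason = "VERSION missing or not followed by SP (legacy BSD format)"
    result.update(rfc5424=False, reason=reason, msg=body)
    return result

# Payload bytes exactly as in the tcpdump hex dump above: "<27>last message repeated 5 times\n".
SYSKLOGD_DATAGRAM = bytes.fromhex(
    "3c32373e6c617374206d65737361676520726570656174656420352074696d65730a")
# Constructed RFC 5424 message with the same facility/severity, for comparison (sample values).
RFC5424_DATAGRAM = (b"<27>1 2010-07-12T14:43:15.483698Z host1 sshd 7809 - - "
                    b"last message repeated 5 times")
```

A collector that classifies datagrams this way can hand legacy sysklogd traffic to an RFC 3164 parser instead of mis-parsing it as RFC 5424, so the "last message repeated n times" lines keep their facility and severity intact.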

