Hello,

On 01/20/2011 01:21 PM, Rainer Gerhards wrote:
>> -----Original Message-----
>> I'm running latest Rsyslog 5.6.2. I pretty much came to the same
>> conclusions as you.
>>
>> I doubt I can reproduce it. Out of several gigabytes of logs each
>> day, this is the first time I've seen it.
>
> Yup... Maybe this helps: I got some reports from folks who have a bit
> of a problem with 5.6.2 and a very good report came in yesterday. I
> am about to look at it. It could be that all of this has a common
> reason. But other than that, I do not have any advice right now...


Did these reports give any results regarding this issue?

I've been trying to dig a bit more in our logs, and I've seen it happen
more than once now. It's however a bit hard to locate these corrupt
lines in the logs as they differ slightly.

I also did a quick attempt at some tcpdumping, but without knowing a bit
more what I'm looking for, it's too much data going thru the system at
the moment to be just staring at it.

The bits of configuration related to these log files are:

$ModLoad imudp    # Standard input module for UDP
$ModLoad imtcp    # Standard input module for TCP

$template t-network,"/var/log/network.%$myhostname%.log"
$template bf-default,"%timegenerated:::date-rfc3339% %fromhost% %rawmsg:::drop-last-lf%\n"

# Ruleset: network
$Ruleset network-udp-10514
$RulesetCreateMainQueue on
*.*             -?t-network;bf-default

$RuleSet network-tcp-10514
$RulesetCreateMainQueue on
*.*             -?t-network;bf-default

$InputUDPServerBindRuleset network-udp-10514
$UDPServerRun 10514

$InputTCPServerBindRuleset network-tcp-10514
$InputTCPServerRun 10514



I'm using load balancing (active/passive) and different vips on the LB
to point logs from different systems to different ports on my central
loghost. And all in all, this is working very nicely :)

But as you can see, both TCP and UDP are logged to the same file, and I
am almost willing to bet my right pinky that the problem is related to this.

Another example of a broken log:
2011-03-08T12:50:45.973537+01:00
osl3-lb05b-v2011-03-08T12:50:46.126028+01:00
some.fw.net <164>Mar 08 2011 12:50:46:
%ASA-4-106023: Deny tcp src outside:x.x.x.x/6000 dst
some.lb-lnk:x.x.x.x/3389 by access-group
new-test-fw-lb-lnk_out [0x4da29309, 0x0]




Regards,
Anders Synstad
Basefarm AS
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
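
Added example, not part of the original post: one way to locate the corrupt lines described above in a file written with the bf-default template is to flag records that do not start with "<rfc3339 timestamp> <fromhost> " or that have a second RFC 3339 timestamp glued onto preceding text. The function name, the heuristic and the sample lines are assumptions; the second sample line is the broken record from the post joined onto one line.

```python
import re

# RFC 3339 timestamp as written by %timegenerated:::date-rfc3339%
TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})"
# bf-default starts every record with "<timestamp> <fromhost> "
HEADER = re.compile(rf"^{TS} \S+ ")
# A timestamp directly attached to preceding text suggests two records were
# interleaved. Timestamps after a space or after "<PRI>" are left alone,
# because RFC 5424 style raw messages legitimately contain them.
EMBEDDED = re.compile(rf"(?<=[^\s>]){TS}")


def find_corrupt(lines):
    """Return (line_number, reason, offset) for each suspicious record."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        if not line:
            continue
        if not HEADER.match(line):
            hits.append((n, "no-header", 0))        # tail of a split record
            continue
        m = EMBEDDED.search(line)
        if m:
            hits.append((n, "embedded-timestamp", m.start()))
    return hits


# Constructed sample input (hostnames and addresses are placeholders).
SAMPLE = [
    "2011-03-08T12:50:45.100000+01:00 some.fw.net <164>Mar 08 2011 12:50:45: "
    "%ASA-4-106023: Deny tcp src outside:x.x.x.x/6000 dst some.lb-lnk:x.x.x.x/3389",
    "2011-03-08T12:50:45.973537+01:00 osl3-lb05b-v2011-03-08T12:50:46.126028+01:00 "
    "some.fw.net <164>Mar 08 2011 12:50:46: %ASA-4-106023: Deny tcp src "
    "outside:x.x.x.x/6000 dst some.lb-lnk:x.x.x.x/3389 by access-group "
    "new-test-fw-lb-lnk_out [0x4da29309, 0x0]",
    "new-test-fw-lb-lnk_out [0x4da29309, 0x0]",
    "2011-03-08T12:50:47.000001+01:00 host.example <34>1 "
    "2011-03-08T12:50:46.9+01:00 host.example app - - - ok",
]

if __name__ == "__main__":
    for n, reason, offset in find_corrupt(SAMPLE):
        print(f"line {n}: {reason} at offset {offset}")
```

To scan a real file, pass the open file object, e.g. `find_corrupt(open(path, errors="replace"))`.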
