I'm still running on 5.6.2 as you mentioned. I've been looking at the
changelogs for the stable 5.x releases, but haven't seen anything that is
related to this problem.
I am a bit reluctant to deploy the beta releases on my production
servers. ;)
Doing some testing at the moment, and will see if I can't open that bug
tracker if I don't get anywhere.
Regards,
Anders Synstad
Basefarm AS
On 03/10/2011 04:09 PM, Rainer Gerhards wrote:
I guess you have lost a couple of updates. I have been working pretty
aggressively on bugs the past two to three weeks. Those issues that I knew
are closed now (except one dangling with ommysql, which I cannot reproduce
and currently get no more data on). Please grab the latest 5.7.8 and see if
the problem persists. If it does, please open a bug tracker, so that we can
work together to find the culprit and fix it :)
Thanks,
Rainer
-----Original Message-----
From: [email protected] [mailto:rsyslog-
[email protected]] On Behalf Of Anders Synstad
Sent: Thursday, March 10, 2011 3:37 PM
To: [email protected]
Subject: Re: [rsyslog] Problem with "corrupt" log message
Hello,
On 01/20/2011 01:21 PM, Rainer Gerhards wrote:
-----Original Message-----
I'm running latest Rsyslog 5.6.2. I
pretty much came to the same conclusions as you.
I doubt I can reproduce it. Out of several gigabytes of logs each
day, this is the first time I've seen it.
Yup... Maybe this helps: I got some reports from folks who have a bit
of a problem with 5.6.2 and a very good report came in yesterday. I
am about to look at it. It could be that all of this has a common
reason. But other than that, I do not have any advice right now...
Did these reports give any results regarding this issue?
I've been trying to dig a bit more in our logs, and I've seen it happen
more than once now. It's however a bit hard to locate these corrupt
lines in the logs as they differ slightly.
I also did a quick attempt at some tcpdumping, but without knowing a bit
more what I'm looking for, it's too much data going thru the system at
the moment to be just staring at it.
The bits of configuration related to these log files are:
$ModLoad imudp # Standard input module for UDP
$ModLoad imtcp # Standard input module for TCP
$template t-network,"/var/log/network.%$myhostname%.log"
$template bf-default,"%timegenerated:::date-rfc3339% %fromhost% %rawmsg:::drop-last-lf%\n"
# Ruleset: network
$Ruleset network-udp-10514
$RulesetCreateMainQueue on
*.* -?t-network;bf-default
$RuleSet network-tcp-10514
$RulesetCreateMainQueue on
*.* -?t-network;bf-default
$InputUDPServerBindRuleset network-udp-10514
$UDPServerRun 10514
$InputTCPServerBindRuleset network-tcp-10514
$InputTCPServerRun 10514
I'm using load balancing (active/passive) and different vips on the LB
to point logs from different systems to different ports on my central
loghost. And all in all, this is working very nicely :)
But as you can see, both tcp and udp are logged to the same file, and I
am almost willing to bet my right pinky that the problem is related to this.
Another example of a broken log:
2011-03-08T12:50:45.973537+01:00
osl3-lb05b-v2011-03-08T12:50:46.126028+01:00
some.fw.net<164>Mar 08 2011 12:50:46:
%ASA-4-106023: Deny tcp src outside:x.x.x.x/6000 dst
some.lb-lnk:x.x.x.x/3389 by access-group
new-test-fw-lb-lnk_out [0x4da29309, 0x0]
Regards,
Anders Synstad
Basefarm AS
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
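One way to locate the corrupt lines discussed in this thread, as an added example that is not code from the thread's participants or from rsyslog: a scanner for files written with the bf-default template that flags lines whose header is malformed or that contain a second RFC 3339 timestamp glued to preceding text. The function name `find_corrupt`, the sample lines and their hostnames are constructed, and the check assumes every rawmsg opens with a syslog priority such as `<164>`.

```python
import re
import sys

# RFC 3339 timestamp as written by %timegenerated:::date-rfc3339%
TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})"
# bf-default record: "<timegenerated> <fromhost> <rawmsg>".
# Assumption: rawmsg starts with the syslog priority, e.g. "<164>".
HEADER = re.compile(rf"^{TS} \S+ <\d{{1,3}}>")
ANY_TS = re.compile(TS)


def find_corrupt(lines):
    """Return [(line_number, [reasons])] for lines that are not one clean record."""
    findings = []
    for number, line in enumerate(lines, start=1):
        line = line.rstrip("\n")
        reasons = []
        if not HEADER.match(line):
            reasons.append("bad-header")
        # A timestamp after column 0 is legitimate inside a payload when it
        # follows a space or "<PRI>"; glued to other text it marks a splice.
        if any(m.start() > 0 and line[m.start() - 1] not in " >"
               for m in ANY_TS.finditer(line)):
            reasons.append("spliced-timestamp")
        if reasons:
            findings.append((number, reasons))
    return findings


# Constructed sample lines (not taken from the thread's logs).
SAMPLE = [
    "2011-03-08T12:50:44.101200+01:00 fw1.example.net <164>Mar 08 2011 "
    "12:50:44: %ASA-4-106023: Deny tcp src outside:192.0.2.10/6000",
    "2011-03-08T12:50:45.973537+01:00 lb1.exam2011-03-08T12:50:46.126028+01:00 "
    "fw1.example.net <164>Mar 08 2011 12:50:46: %ASA-4-106023: Deny tcp",
    "2011-03-08T12:50:47.000100+01:00 app1.example.net <165>1 "
    "2011-03-08T12:50:46.900Z app1 myproc 1234 - - started",
    "ess-group demo_out [0x0, 0x0]",
]

if __name__ == "__main__":
    # With a file argument, scan that log; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as handle:
            source = handle.readlines()
    else:
        source = SAMPLE
    for number, reasons in find_corrupt(source):
        print(f"line {number}: {', '.join(reasons)}")
```

A splice that happens to fall exactly on a space is only caught by the header check, so treat the output as a shortlist for manual review.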