Re: [rsyslog] HOSTNAME and programname extraction failure, when rsyslog as receiver, stock syslog as sender

Wed, 18 May 2011 10:00:08 -0700 

On Wed, 18 May 2011, Kaiwang Chen wrote:


Hello,

I was trying to configure rsyslog(rsyslog-3.22.1-3.el5_5.1) as
receiver, stock syslog(sysklogd-1.4.1-46.el5) as sender.

The rsyslogd listened on udp/514, and used dynamic filenames with
protocol23  message formatting:
$ModLoad imudp
$UDPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
$template 
DynFile,"/var/log/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/rsyslog.log"
*.*                                                  ?DynFile

The sender generated several entries(3rd, 4th) violating the
"syslogtag: message" convention
May 18 19:40:17 dns1 kernel: Kernel logging (proc) stopped.
May 18 19:40:17 dns1 kernel: Kernel log daemon terminating.
May 18 19:40:18 dns1 exiting on signal 15
May 18 19:40:18 dns1 syslogd 1.4.1: restart.
May 18 19:40:18 dns1 kernel: klogd 1.4.1, log source = /proc/kmsg started.

Take 3rd entry for example, the receiver mistook 'exiting' and 'on' to
be %HOSTNAME% and %programname%:


my guess is that what was sent was actually

<46>May 18 19:40:18 exiting on signal 15
unfortunantly, without logging %raw% somewhere or sniffing the traffic it's impossible to tell
if you can catch this (which shouldn't be too hard) we can look at the traffic and tell if there is any way to identify this.
If I am right about what was sent, there is no way for a listener to tell that 'exiting' is not a hostname.
the best that would be possible would be to make a blacklist of things that show up that are not hostnames and make something to notice this and put in the fromhost-ip instead. 

David Lang


<6>1 2011-05-18T19:40:12.592370+08:00 bogon kernel - - -  Kernel
logging (proc) stopped.
<6>1 2011-05-18T19:40:12.592693+08:00 bogon kernel - - -  Kernel log
daemon terminating.
<46>1 2011-05-18T19:40:13.697115+08:00 exiting on - - -  signal 15
<46>1 2011-05-18T19:40:13.806302+08:00 syslogd 1.4.1 - - -  restart.
<6>1 2011-05-18T19:40:13.811331+08:00 bogon kernel - - -  klogd 1.4.1,
log source = /proc/kmsg started.
So, it went to /var/log/hosts/exiting/2011/05/18/rsyslog.log, and
that's definitely the wrong place.

How to deal with this case?


Thanks,
Kaiwang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

Reply via email to