With the following configuration snippet: $template rawfmt,"%rawmsg%\n" *.* /var/log/rawmessages;rawfmt
And the following command to capture packets: tcpdump -i eth1 udp port 514 -nnn -s0 -vvv -w syslog.pcap It turned out that the raw messages and captured UDP payload(one line per packet) were the same: <6>kernel: Kernel logging (proc) stopped. <6>kernel: Kernel log daemon terminating. <46>exiting on signal 15 <46>syslogd 1.4.1: restart. <6>kernel: klogd 1.4.1, log source = /proc/kmsg started. In the case of 3rd entry, the payload in hex string is: 3c 34 36 3e 65 78 69 74 69 6e 67 20 6f 6e 20 73 69 67 6e 61 6c 20 31 35 0a < 4 6 > e x i t i n g _ o n _ s i g n a l _ 1 5 \n where spaces are represented by underscores. Thanks, Kaiwang 2011/5/19 <[email protected]>: > On Wed, 18 May 2011, Kaiwang Chen wrote: > >> Hello, >> >> I was trying to configure rsyslog(rsyslog-3.22.1-3.el5_5.1) as >> receiver, stock syslog(sysklogd-1.4.1-46.el5) as sender. >> >> The rsyslogd listened on udp/514, and used dynamic filenames with >> protocol23 message formatting: >> $ModLoad imudp >> $UDPServerRun 514 >> $ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format >> $template >> DynFile,"/var/log/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/rsyslog.log" >> *.* ?DynFile >> >> The sender generated several entries(3rd, 4th) violating the >> "syslogtag: message" convention >> May 18 19:40:17 dns1 kernel: Kernel logging (proc) stopped. >> May 18 19:40:17 dns1 kernel: Kernel log daemon terminating. >> May 18 19:40:18 dns1 exiting on signal 15 >> May 18 19:40:18 dns1 syslogd 1.4.1: restart. >> May 18 19:40:18 dns1 kernel: klogd 1.4.1, log source = /proc/kmsg started. >> >> Take 3rd entry for example, the receiver mistook 'exiting' and 'on' to >> be %HOSTNAME% and %programname%: > > my guess is that what was sent was actually > > <46>May 18 19:40:18 exiting on signal 15 > > unfortunantly, without logging %raw% somewhere or sniffing the traffic it's > impossible to tell > > if you can catch this (which shouldn't be too hard) we can look at the > traffic and tell if there is any way to identify this. > > If I am right about what was sent, there is no way for a listener to tell > that 'exiting' is not a hostname. > > the best that would be possible would be to make a blacklist of things that > show up that are not hostnames and make something to notice this and put in > the fromhost-ip instead. > > David Lang > >> <6>1 2011-05-18T19:40:12.592370+08:00 bogon kernel - - - Kernel >> logging (proc) stopped. >> <6>1 2011-05-18T19:40:12.592693+08:00 bogon kernel - - - Kernel log >> daemon terminating. >> <46>1 2011-05-18T19:40:13.697115+08:00 exiting on - - - signal 15 >> <46>1 2011-05-18T19:40:13.806302+08:00 syslogd 1.4.1 - - - restart. >> <6>1 2011-05-18T19:40:13.811331+08:00 bogon kernel - - - klogd 1.4.1, >> log source = /proc/kmsg started. >> So, it went to /var/log/hosts/exiting/2011/05/18/rsyslog.log, and >> that's definitely the wrong place. >> >> How to deal with this case? >> >> >> Thanks, >> Kaiwang >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com >> > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
