In addition to what David already said: http://www.rsyslog.com/doc/syslog_parsing.html
Rainer

> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Kaiwang Chen
> Sent: Wednesday, May 18, 2011 2:02 PM
> To: [email protected]
> Subject: [rsyslog] HOSTNAME and programname extraction failure, when
> rsyslog as receiver, stock syslog as sender
>
> Hello,
>
> I was trying to configure rsyslog(rsyslog-3.22.1-3.el5_5.1) as
> receiver, stock syslog(sysklogd-1.4.1-46.el5) as sender.
>
> The rsyslogd listened on udp/514, and used dynamic filenames with
> protocol23 message formatting:
> $ModLoad imudp
> $UDPServerRun 514
> $ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
> $template DynFile,"/var/log/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/rsyslog.log"
> *.* ?DynFile
>
> The sender generated several entries(3rd, 4th) violating the
> "syslogtag: message" convention
> May 18 19:40:17 dns1 kernel: Kernel logging (proc) stopped.
> May 18 19:40:17 dns1 kernel: Kernel log daemon terminating.
> May 18 19:40:18 dns1 exiting on signal 15
> May 18 19:40:18 dns1 syslogd 1.4.1: restart.
> May 18 19:40:18 dns1 kernel: klogd 1.4.1, log source = /proc/kmsg started.
>
> Take 3rd entry for example, the receiver mistook 'exiting' and 'on' to
> be %HOSTNAME% and %programname%:
> <6>1 2011-05-18T19:40:12.592370+08:00 bogon kernel - - - Kernel logging (proc) stopped.
> <6>1 2011-05-18T19:40:12.592693+08:00 bogon kernel - - - Kernel log daemon terminating.
> <46>1 2011-05-18T19:40:13.697115+08:00 exiting on - - - signal 15
> <46>1 2011-05-18T19:40:13.806302+08:00 syslogd 1.4.1 - - - restart.
> <6>1 2011-05-18T19:40:13.811331+08:00 bogon kernel - - - klogd 1.4.1, log source = /proc/kmsg started.
> So, it went to /var/log/hosts/exiting/2011/05/18/rsyslog.log, and
> that's definitely the wrong place.
>
> How to deal with this case?
>
>
> Thanks,
> Kaiwang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
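
Added example, not part of the thread and not rsyslog's own parser: a simplified field-order heuristic that reproduces the HOSTNAME/programname results quoted above, next to a check that only lets an expected host name become a directory name. The wire lines are constructed from the thread's entries (assumption: the sender omitted the hostname field on the wire); `path_host` and the `known_hosts` set are hypothetical.

```python
import re

# Constructed wire-format lines: the thread's five entries with the PRI values
# shown in the receiver output and no hostname field (assumption, see lead-in).
WIRE = [
    "<6>May 18 19:40:17 kernel: Kernel logging (proc) stopped.",
    "<6>May 18 19:40:17 kernel: Kernel log daemon terminating.",
    "<46>May 18 19:40:18 exiting on signal 15",
    "<46>May 18 19:40:18 syslogd 1.4.1: restart.",
    "<6>May 18 19:40:18 kernel: klogd 1.4.1, log source = /proc/kmsg started.",
]

HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$")
TAG_SHAPE = re.compile(r"^[\w./-]+(\[\d+\])?:$")  # e.g. "kernel:" or "sshd[123]:"


def heuristic_parse(line, sender):
    """Simplified RFC 3164-style guess; returns (hostname, tag, msg)."""
    m = HEADER.match(line)
    if not m:
        return sender, "-", line
    first, _, rest = m.group(3).partition(" ")
    if TAG_SHAPE.match(first):
        # First word already looks like a tag, so the hostname field is absent
        # and the receiver's own name for the sender is used.
        return sender, first.rstrip(":"), rest
    # Otherwise the field order is trusted: word 1 = hostname, word 2 = tag.
    tag, _, msg = rest.partition(" ")
    return first, tag.rstrip(":"), msg


def path_host(parsed_host, sender, known_hosts):
    """Directory name for the log file: the parsed HOSTNAME is sender-supplied
    text, so it is used only when it names an expected host."""
    return parsed_host if parsed_host in known_hosts else sender


def route(lines, sender, known_hosts):
    """Return (parsed hostname, parsed tag, directory name) per line."""
    rows = []
    for line in lines:
        host, tag, _ = heuristic_parse(line, sender)
        rows.append((host, tag, path_host(host, sender, known_hosts)))
    return rows


if __name__ == "__main__":
    for row in route(WIRE, "bogon", {"bogon"}):
        print(row)
```
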

