Yes, it's

3c 34 36 3e 65 78 69 74 69 6e 67 20 6f 6e 20 73 69 67 6e 61 6c 20 31 35 0a
<  4  6  >  e  x  i  t  i  n  g  _  o  n  _  s  i  g  n  a  l  _  1  5  \n

where spaces are represented by underscores.

Thanks,
Kaiwang

2011/5/20 <[email protected]>:
> if it's being generated without a timestamp, rsyslog should be able to
> detect that. can you get a raw log and verify that?
>
> David Lang
>
> On Fri, 20 May 2011, Kaiwang Chen wrote:
>
>> Date: Fri, 20 May 2011 00:10:27 +0800
>> From: Kaiwang Chen <[email protected]>
>> Reply-To: rsyslog-users <[email protected]>
>> To: rsyslog-users <[email protected]>
>> Subject: Re: [rsyslog] HOSTNAME and programname extraction failure,
>>     when rsyslog as receiver, stock syslog as sender
>>
>> Looks like it's the stock sysklog in CentOS5.6 that generated bad
>> formatted logs (without timestamp and syslogtag), and with a rsyslog
>> 3.x installation I have no choice but not use stock sysklog.
>>
>> Thanks,
>> Kaiwang
>>
>> 2011/5/19 Rainer Gerhards <[email protected]>:
>>>
>>> In addition to what David already said:
>>>
>>> http://www.rsyslog.com/doc/syslog_parsing.html
>>>
>>> Rainer
>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:rsyslog-
>>>> [email protected]] On Behalf Of Kaiwang Chen
>>>> Sent: Wednesday, May 18, 2011 2:02 PM
>>>> To: [email protected]
>>>> Subject: [rsyslog] HOSTNAME and programname extraction failure, when
>>>> rsyslog as receiver, stock syslog as sender
>>>>
>>>> Hello,
>>>>
>>>> I was trying to configure rsyslog (rsyslog-3.22.1-3.el5_5.1) as
>>>> receiver, stock syslog (sysklogd-1.4.1-46.el5) as sender.
>>>>
>>>> The rsyslogd listened on udp/514, and used dynamic filenames with
>>>> protocol23 message formatting:
>>>> $ModLoad imudp
>>>> $UDPServerRun 514
>>>> $ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
>>>> $template DynFile,"/var/log/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/rsyslog.log"
>>>> *.* ?DynFile
>>>>
>>>> The sender generated several entries (3rd, 4th) violating the
>>>> "syslogtag: message" convention
>>>> May 18 19:40:17 dns1 kernel: Kernel logging (proc) stopped.
>>>> May 18 19:40:17 dns1 kernel: Kernel log daemon terminating.
>>>> May 18 19:40:18 dns1 exiting on signal 15
>>>> May 18 19:40:18 dns1 syslogd 1.4.1: restart.
>>>> May 18 19:40:18 dns1 kernel: klogd 1.4.1, log source = /proc/kmsg started.
>>>>
>>>> Take 3rd entry for example, the receiver mistook 'exiting' and 'on' to
>>>> be %HOSTNAME% and %programname%:
>>>> <6>1 2011-05-18T19:40:12.592370+08:00 bogon kernel - - - Kernel logging (proc) stopped.
>>>> <6>1 2011-05-18T19:40:12.592693+08:00 bogon kernel - - - Kernel log daemon terminating.
>>>> <46>1 2011-05-18T19:40:13.697115+08:00 exiting on - - - signal 15
>>>> <46>1 2011-05-18T19:40:13.806302+08:00 syslogd 1.4.1 - - - restart.
>>>> <6>1 2011-05-18T19:40:13.811331+08:00 bogon kernel - - - klogd 1.4.1, log source = /proc/kmsg started.
>>>> So, it went to /var/log/hosts/exiting/2011/05/18/rsyslog.log, and
>>>> that's definitely the wrong place.
>>>>
>>>> How to deal with this case?
>>>>
>>>>
>>>> Thanks,
>>>> Kaiwang
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com
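
The mis-parse discussed in this thread, as an added example that is not part of the original messages and is not rsyslog's own code: a simplified Python model of a receiver that takes the first two words as hostname and tag, next to a check that trusts header fields only after an RFC 3164 timestamp and otherwise files the message under the sender address. The function names, the sender address 192.0.2.10 and the hostname allow-list are assumptions made for the illustration.

```python
import re

# Constructed inputs: the raw datagram from the hex dump in this message, and
# a well-formed line rebuilt from the sender-side log quoted in the thread.
RAW_BAD = bytes.fromhex("3c34363e65786974696e67206f6e207369676e616c2031350a")
RAW_GOOD = b"<6>May 18 19:40:17 dns1 kernel: Kernel logging (proc) stopped.\n"
SENDER_IP = "192.0.2.10"  # assumed peer address (documentation range)

PRI = re.compile(rb"<(\d{1,3})>")
TS = re.compile(rb"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # "Mmm dd hh:mm:ss "
HOST_OK = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,253}")  # assumed allow-list


def naive_fields(raw):
    """Simplified model of the mis-parse: the first two words after the
    (optional) timestamp are always taken as hostname and tag."""
    body = raw[PRI.match(raw).end():].strip()
    ts = TS.match(body)
    words = body[ts.end() if ts else 0:].split(b" ", 2)
    return words[0].decode(), words[1].rstrip(b":").decode()


def checked_fields(raw, sender_ip):
    """Trust header fields only when a timestamp precedes them; otherwise
    the whole payload is the message and the host is the socket peer."""
    m = PRI.match(raw)
    if not m or int(m.group(1)) > 191:  # PRI = facility * 8 + severity
        raise ValueError("missing or out-of-range PRI")
    facility, severity = divmod(int(m.group(1)), 8)
    body = raw[m.end():].strip()
    ts = TS.match(body)
    if not ts:
        return sender_ip, facility, severity, body.decode(errors="replace")
    host, _, msg = body[ts.end():].partition(b" ")
    host = host.decode(errors="replace")
    if not HOST_OK.fullmatch(host):  # only hostname-shaped labels name a directory
        host = sender_ip
    return host, facility, severity, msg.decode(errors="replace")


def log_path(host, date="2011/05/18"):
    return f"/var/log/hosts/{host}/{date}/rsyslog.log"


if __name__ == "__main__":
    for raw in (RAW_BAD, RAW_GOOD):
        print(naive_fields(raw), "->", log_path(checked_fields(raw, SENDER_IP)[0]))
```
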

