Rainer,
if the message is missing a timestamp, why does the default parser
assume that there is a hostname there?
I would assume that if there is no timestamp there isn't a hostname either
(which would address this particular issue)
did you have some experience in the past that pushed you to the current
implementation?
David Lang
On Fri, 20 May 2011, Kaiwang Chen wrote:
Date: Fri, 20 May 2011 09:35:15 +0800
From: Kaiwang Chen <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] HOSTNAME and programname extraction failure,
when rsyslog as receiver, stock syslog as sender
Yes, it's
3c 34 36 3e 65 78 69 74 69 6e 67 20 6f 6e 20 73 69 67 6e 61 6c 20 31 35 0a
<  4  6  >  e  x  i  t  i  n  g  _  o  n  _  s  i  g  n  a  l  _  1  5  \n
where spaces are represented by underscores.
Thanks,
Kaiwang
2011/5/20 <[email protected]>:
if it's being generated without a timestamp, rsyslog should be able to
detect that. can you get a raw log and verify that?
David Lang
On Fri, 20 May 2011, Kaiwang Chen wrote:
Date: Fri, 20 May 2011 00:10:27 +0800
From: Kaiwang Chen <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] HOSTNAME and programname extraction failure,
when rsyslog as receiver, stock syslog as sender
Looks like it's the stock sysklog in CentOS5.6 that generated badly
formatted logs (without timestamp and syslogtag), and with a rsyslog
3.x installation I have no choice but to not use stock sysklog.
Thanks,
Kaiwang
2011/5/19 Rainer Gerhards <[email protected]>:
In addition to what David already said:
http://www.rsyslog.com/doc/syslog_parsing.html
Rainer
-----Original Message-----
From: [email protected] [mailto:rsyslog-
[email protected]] On Behalf Of Kaiwang Chen
Sent: Wednesday, May 18, 2011 2:02 PM
To: [email protected]
Subject: [rsyslog] HOSTNAME and programname extraction failure, when
rsyslog as receiver, stock syslog as sender
Hello,
I was trying to configure rsyslog (rsyslog-3.22.1-3.el5_5.1) as
receiver, stock syslog (sysklogd-1.4.1-46.el5) as sender.
The rsyslogd listened on udp/514, and used dynamic filenames with
protocol23 message formatting:
$ModLoad imudp
$UDPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
$template DynFile,"/var/log/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/rsyslog.log"
*.* ?DynFile
The sender generated several entries (3rd, 4th) violating the
"syslogtag: message" convention
May 18 19:40:17 dns1 kernel: Kernel logging (proc) stopped.
May 18 19:40:17 dns1 kernel: Kernel log daemon terminating.
May 18 19:40:18 dns1 exiting on signal 15
May 18 19:40:18 dns1 syslogd 1.4.1: restart.
May 18 19:40:18 dns1 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Take 3rd entry for example, the receiver mistook 'exiting' and 'on' to
be %HOSTNAME% and %programname%:
<6>1 2011-05-18T19:40:12.592370+08:00 bogon kernel - - - Kernel logging (proc) stopped.
<6>1 2011-05-18T19:40:12.592693+08:00 bogon kernel - - - Kernel log daemon terminating.
<46>1 2011-05-18T19:40:13.697115+08:00 exiting on - - - signal 15
<46>1 2011-05-18T19:40:13.806302+08:00 syslogd 1.4.1 - - - restart.
<6>1 2011-05-18T19:40:13.811331+08:00 bogon kernel - - - klogd 1.4.1, log source = /proc/kmsg started.
So, it went to /var/log/hosts/exiting/2011/05/18/rsyslog.log, and
that's definitely the wrong place.
How to deal with this case?
Thanks,
Kaiwang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
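The heuristic proposed at the top of the thread (no timestamp means no hostname or tag either), sketched as an added example that is not part of the original messages and is not rsyslog's parser code. The function names, the 192.0.2.10 peer address and the hostname whitelist are assumptions; the whitelist is there because the parsed hostname ends up as a directory name in the DynFile path.

```python
import re

# Legacy layout: "<PRI>Mmm dd hh:mm:ss HOST TAG: msg". All names here are hypothetical.
PRI_RE = re.compile(r"^<(\d{1,3})>")
TS_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) ")
SAFE_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,254}$")


def parse_legacy(raw: bytes, peer_ip: str) -> dict:
    """Parse one legacy syslog datagram; peer_ip is the UDP source address."""
    text = raw.decode("utf-8", "replace").rstrip("\r\n")
    rec = {"pri": None, "timestamp": None, "hostname": peer_ip,
           "tag": None, "msg": text}
    m = PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:
        return rec                  # no valid PRI: keep everything as msg
    rec["pri"] = int(m.group(1))
    rest = text[m.end():]
    ts = TS_RE.match(rest)
    if not ts:
        # No timestamp: assume there is no hostname or tag either.
        rec["msg"] = rest
        return rec
    rec["timestamp"] = ts.group(1)
    host, _, rest = rest[ts.end():].partition(" ")
    # Accept the claimed hostname only if it is safe as a path component.
    if SAFE_HOST_RE.match(host) and ".." not in host:
        rec["hostname"] = host
    tag, sep, body = rest.partition(": ")
    if sep and " " not in tag:
        rec["tag"], rec["msg"] = tag, body
    else:
        rec["msg"] = rest           # tag missing or contains a space
    return rec


def log_path(rec: dict) -> str:
    return f"/var/log/hosts/{rec['hostname']}/rsyslog.log"


# RAW_BAD is the hex dump quoted in the thread; RAW_GOOD is constructed.
RAW_BAD = bytes.fromhex(
    "3c 34 36 3e 65 78 69 74 69 6e 67 20 6f 6e 20 73 69 67 6e 61 6c 20 31 35 0a")
RAW_GOOD = b"<6>May 18 19:40:17 dns1 kernel: Kernel logging (proc) stopped.\n"

if __name__ == "__main__":
    for raw in (RAW_BAD, RAW_GOOD):
        print(log_path(parse_legacy(raw, "192.0.2.10")))
```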