> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of [email protected]
> Sent: Saturday, May 21, 2011 11:53 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] HOSTNAME and programname extraction failure,
> when rsyslog as receiver, stock syslog as sender
>
> Rainer,
> if the message is missing a timestamp, why does the default parser
> assume that there is a hostname there?
>
> I would assume that if there is no timestamp there isn't a hostname
> either
> (which would address this particular issue)
>
> did you have some experience in the past that pushed you to the current
> implementation?
>

I don't have the specifics at hand, but as far as I remember there were cases where absence of timestamp does NOT indicate absence of tag and/or hostname. I am very hesitant to touch the default legacy parser, as the heuristic works pretty well for more than 2 years. All other malformed messages reported were really badly malformed. So I think the clean path would be to write a parser module for such dateless but otherwise correct messages...

Rainer

> David Lang
>
> On Fri, 20 May 2011, Kaiwang Chen wrote:
>
> > Date: Fri, 20 May 2011 09:35:15 +0800
> > From: Kaiwang Chen <[email protected]>
> > Reply-To: rsyslog-users <[email protected]>
> > To: rsyslog-users <[email protected]>
> > Subject: Re: [rsyslog] HOSTNAME and programname extraction failure,
> > when rsyslog as receiver, stock syslog as sender
> >
> > Yes, it's
> > 3c 34 36 3e 65 78 69 74 69 6e 67 20 6f 6e 20 73 69 67 6e 61 6c 20 31 35 0a
> > <  4  6  >  e  x  i  t  i  n  g  _  o  n  _  s  i  g  n  a  l  _  1  5  \n
> > where spaces are represented by underscores.
> >
> > Thanks,
> > Kaiwang
> >
> > 2011/5/20 <[email protected]>:
> >> if it's being generated without a timestamp, rsyslog should be able to
> >> detect that. can you get a raw log and verify that?
> >>
> >> David Lang
> >>
> >> On Fri, 20 May 2011, Kaiwang Chen wrote:
> >>
> >>> Date: Fri, 20 May 2011 00:10:27 +0800
> >>> From: Kaiwang Chen <[email protected]>
> >>> Reply-To: rsyslog-users <[email protected]>
> >>> To: rsyslog-users <[email protected]>
> >>> Subject: Re: [rsyslog] HOSTNAME and programname extraction failure,
> >>> when rsyslog as receiver, stock syslog as sender
> >>>
> >>> Looks like it's the stock sysklog in CentOS5.6 that generated badly
> >>> formatted logs (without timestamp and syslogtag), and with a rsyslog
> >>> 3.x installation I have no choice but not to use stock sysklog.
> >>>
> >>> Thanks,
> >>> Kaiwang
> >>>
> >>> 2011/5/19 Rainer Gerhards <[email protected]>:
> >>>>
> >>>> In addition to what David already said:
> >>>>
> >>>> http://www.rsyslog.com/doc/syslog_parsing.html
> >>>>
> >>>> Rainer
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: [email protected] [mailto:rsyslog-
> >>>>> [email protected]] On Behalf Of Kaiwang Chen
> >>>>> Sent: Wednesday, May 18, 2011 2:02 PM
> >>>>> To: [email protected]
> >>>>> Subject: [rsyslog] HOSTNAME and programname extraction failure, when
> >>>>> rsyslog as receiver, stock syslog as sender
> >>>>>
> >>>>> Hello,
> >>>>>
> >>>>> I was trying to configure rsyslog (rsyslog-3.22.1-3.el5_5.1) as
> >>>>> receiver, stock syslog (sysklogd-1.4.1-46.el5) as sender.
> >>>>>
> >>>>> The rsyslogd listened on udp/514, and used dynamic filenames with
> >>>>> protocol23 message formatting:
> >>>>> $ModLoad imudp
> >>>>> $UDPServerRun 514
> >>>>> $ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
> >>>>> $template DynFile,"/var/log/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/rsyslog.log"
> >>>>> *.* ?DynFile
> >>>>>
> >>>>> The sender generated several entries (3rd, 4th) violating the
> >>>>> "syslogtag: message" convention:
> >>>>> May 18 19:40:17 dns1 kernel: Kernel logging (proc) stopped.
> >>>>> May 18 19:40:17 dns1 kernel: Kernel log daemon terminating.
> >>>>> May 18 19:40:18 dns1 exiting on signal 15
> >>>>> May 18 19:40:18 dns1 syslogd 1.4.1: restart.
> >>>>> May 18 19:40:18 dns1 kernel: klogd 1.4.1, log source = /proc/kmsg started.
> >>>>>
> >>>>> Take the 3rd entry for example, the receiver mistook 'exiting' and 'on' to
> >>>>> be %HOSTNAME% and %programname%:
> >>>>> <6>1 2011-05-18T19:40:12.592370+08:00 bogon kernel - - - Kernel logging (proc) stopped.
> >>>>> <6>1 2011-05-18T19:40:12.592693+08:00 bogon kernel - - - Kernel log daemon terminating.
> >>>>> <46>1 2011-05-18T19:40:13.697115+08:00 exiting on - - - signal 15
> >>>>> <46>1 2011-05-18T19:40:13.806302+08:00 syslogd 1.4.1 - - - restart.
> >>>>> <6>1 2011-05-18T19:40:13.811331+08:00 bogon kernel - - - klogd 1.4.1, log source = /proc/kmsg started.
> >>>>> So, it went to /var/log/hosts/exiting/2011/05/18/rsyslog.log, and
> >>>>> that's definitely the wrong place.
> >>>>>
> >>>>> How to deal with this case?
> >>>>>
> >>>>>
> >>>>> Thanks,
> >>>>> Kaiwang
> >>>>> _______________________________________________
> >>>>> rsyslog mailing list
> >>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>> http://www.rsyslog.com
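As an added illustration (not code from this thread or from rsyslog itself), the Python below approximates the two behaviours under discussion: the default heuristic that still takes a HOSTNAME after PRI when the TIMESTAMP is absent (reproducing the "exiting on - - - signal 15" output quoted above), and David's proposal that no TIMESTAMP means no HOSTNAME on the wire. The dateless message is the one from Kaiwang's hex dump; the peer name "bogon", the two other wire lines and the receive time are constructed to match the receiver output in the thread, and the dateless-aware rule of accepting only a "word:" TAG is my own choice.

```python
import re
from datetime import datetime

# Legacy (RFC 3164 style) header: PRI, then an optional "Mmm dd hh:mm:ss " TIMESTAMP.
PRI_RE = re.compile(r"^<(\d{1,3})>")
TIMESTAMP_RE = re.compile(
    r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ 0-3]\d \d\d:\d\d:\d\d ")
TAG_RE = re.compile(r"^([^ :\[]+)(?:\[\d+\])?: ?")  # "kernel: " or "sshd[123]: " form

# RAW_DATELESS is the message from the hex dump in the thread; the other two wire lines
# and the receive time are constructed to match the receiver output quoted there.
RAW_DATELESS = "<46>exiting on signal 15\n"
RAW_KERNEL = "<6>kernel: Kernel logging (proc) stopped.\n"
RAW_RESTART = "<46>syslogd 1.4.1: restart.\n"
RECEIVED_AT = datetime(2011, 5, 18, 19, 40, 13)

def parse_legacy(raw, peer_hostname, dateless_aware=False):
    """Split a legacy syslog line into facility/severity, hostname, programname and msg.
    dateless_aware=False approximates the default behaviour the thread's output shows:
    without a TIMESTAMP the first word still becomes HOSTNAME (unless it is a "word:"
    TAG) and the next word becomes TAG. dateless_aware=True applies the proposal from
    the thread: no TIMESTAMP means no HOSTNAME on the wire, so the sending peer's name
    is used and only a "word:" TAG is split off; anything else is message text.
    """
    m = PRI_RE.match(raw)
    if m is None:
        raise ValueError("no PRI field")
    facility, severity = divmod(int(m.group(1)), 8)
    rest = raw[m.end():].rstrip("\r\n")
    ts = TIMESTAMP_RE.match(rest)
    if ts:
        rest = rest[ts.end():]
    hostname = peer_hostname
    first_word = rest.split(" ", 1)[0]
    if ts or (not dateless_aware and ":" not in first_word):
        hostname, _, rest = rest.partition(" ")  # header assumed present: consume HOSTNAME
    tag = TAG_RE.match(rest)
    if tag:
        programname, rest = tag.group(1), rest[tag.end():]
    elif not dateless_aware:
        programname, _, rest = rest.partition(" ")  # legacy also takes a bare word as TAG
    else:
        programname = ""
    return {"facility": facility, "severity": severity, "hostname": hostname,
            "programname": programname, "msg": rest}

def dynfile_path(parsed, received_at):
    """Expand the thread's DynFile template: the directory is whatever parsed as HOSTNAME."""
    return "/var/log/hosts/%s/%04d/%02d/%02d/rsyslog.log" % (
        parsed["hostname"], received_at.year, received_at.month, received_at.day)
```

With the default heuristic the dateless message lands under /var/log/hosts/exiting/, exactly as reported; with the dateless-aware rule it lands under the sending peer's directory, which is the property a file path built from %HOSTNAME% relies on.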

