So rsyslogd is currently lame in the case of missing both timestamp and hostname. Is it possible to assign a different parser for a specific log source to get things right in the output module?
Thanks,
Kaiwang

2011/5/21 Rainer Gerhards <[email protected]>:
>> -----Original Message-----
>> From: [email protected] [mailto:rsyslog-
>> [email protected]] On Behalf Of [email protected]
>> Sent: Saturday, May 21, 2011 11:53 AM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] HOSTNAME and programname extraction failure,
>> when rsyslog as receiver, stock syslog as sender
>>
>> Rainer,
>> if the message is missing a timestamp, why does the default parser
>> assume that there is a hostname there?
>>
>> I would assume that if there is no timestamp there isn't a hostname
>> either
>> (which would address this particular issue)
>>
>> did you have some experience in the past that pushed you to the current
>> implementation?
>>
>
> I don't have the specifics at hand, but as far as I remember there were cases
> where absence of timestamp does NOT indicate absence of tag and/or hostname.
> I am very hesitant to touch the default legacy parser, as the heuristics
> works pretty well since > 2 years. All other malformed messages reported were
> really badly malformed. So I think the clean path would be to write a parser
> module for such dateless but otherwise correct messages...
>
> Rainer
>
>> David Lang
>>
>> On Fri, 20 May 2011, Kaiwang Chen wrote:
>>
>> > Date: Fri, 20 May 2011 09:35:15 +0800
>> > From: Kaiwang Chen <[email protected]>
>> > Reply-To: rsyslog-users <[email protected]>
>> > To: rsyslog-users <[email protected]>
>> > Subject: Re: [rsyslog] HOSTNAME and programname extraction failure,
>> > when rsyslog as receiver, stock syslog as sender
>> >
>> > Yes, it's
>> > 3c 34 36 3e 65 78 69 74 69 6e 67 20 6f 6e 20 73 69 67 6e 61 6c 20 31 35 0a
>> > < 4 6 > e x i t i n g _ o n _ s i g
>> > n a l _ 1 5 \n
>> > where spaces are represented by underscores.
>> >
>> > Thanks,
>> > Kaiwang
>> >
>> > 2011/5/20 <[email protected]>:
>> >> if it's being generated without a timestamp, rsyslog should be able to
>> >> detect that. can you get a raw log and verify that?
>> >>
>> >> David Lang
>> >>
>> >> On Fri, 20 May 2011, Kaiwang Chen wrote:
>> >>
>> >>> Date: Fri, 20 May 2011 00:10:27 +0800
>> >>> From: Kaiwang Chen <[email protected]>
>> >>> Reply-To: rsyslog-users <[email protected]>
>> >>> To: rsyslog-users <[email protected]>
>> >>> Subject: Re: [rsyslog] HOSTNAME and programname extraction failure,
>> >>> when rsyslog as receiver, stock syslog as sender
>> >>>
>> >>> Looks like it's the stock sysklog in CentOS5.6 that generated badly
>> >>> formatted logs (without timestamp and syslogtag), and with a rsyslog
>> >>> 3.x installation I have no choice but not to use stock sysklog.
>> >>>
>> >>> Thanks,
>> >>> Kaiwang
>> >>>
>> >>> 2011/5/19 Rainer Gerhards <[email protected]>:
>> >>>>
>> >>>> In addition to what David already said:
>> >>>>
>> >>>> http://www.rsyslog.com/doc/syslog_parsing.html
>> >>>>
>> >>>> Rainer
>> >>>>
>> >>>>> -----Original Message-----
>> >>>>> From: [email protected] [mailto:rsyslog-
>> >>>>> [email protected]] On Behalf Of Kaiwang Chen
>> >>>>> Sent: Wednesday, May 18, 2011 2:02 PM
>> >>>>> To: [email protected]
>> >>>>> Subject: [rsyslog] HOSTNAME and programname extraction failure, when
>> >>>>> rsyslog as receiver, stock syslog as sender
>> >>>>>
>> >>>>> Hello,
>> >>>>>
>> >>>>> I was trying to configure rsyslog (rsyslog-3.22.1-3.el5_5.1) as
>> >>>>> receiver, stock syslog (sysklogd-1.4.1-46.el5) as sender.
>> >>>>>
>> >>>>> The rsyslogd listened on udp/514, and used dynamic filenames with
>> >>>>> protocol23 message formatting:
>> >>>>> $ModLoad imudp
>> >>>>> $UDPServerRun 514
>> >>>>> $ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
>> >>>>> $template DynFile,"/var/log/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/rsyslog.log"
>> >>>>> *.* ?DynFile
>> >>>>>
>> >>>>> The sender generated several entries (3rd, 4th) violating the
>> >>>>> "syslogtag: message" convention
>> >>>>> May 18 19:40:17 dns1 kernel: Kernel logging (proc) stopped.
>> >>>>> May 18 19:40:17 dns1 kernel: Kernel log daemon terminating.
>> >>>>> May 18 19:40:18 dns1 exiting on signal 15
>> >>>>> May 18 19:40:18 dns1 syslogd 1.4.1: restart.
>> >>>>> May 18 19:40:18 dns1 kernel: klogd 1.4.1, log source = /proc/kmsg
>> >>>>> started.
>> >>>>>
>> >>>>> Take the 3rd entry for example, the receiver mistook 'exiting' and 'on' to
>> >>>>> be %HOSTNAME% and %programname%:
>> >>>>> <6>1 2011-05-18T19:40:12.592370+08:00 bogon kernel - - - Kernel
>> >>>>> logging (proc) stopped.
>> >>>>> <6>1 2011-05-18T19:40:12.592693+08:00 bogon kernel - - - Kernel log
>> >>>>> daemon terminating.
>> >>>>> <46>1 2011-05-18T19:40:13.697115+08:00 exiting on - - - signal 15
>> >>>>> <46>1 2011-05-18T19:40:13.806302+08:00 syslogd 1.4.1 - - - restart.
>> >>>>> <6>1 2011-05-18T19:40:13.811331+08:00 bogon kernel - - - klogd 1.4.1,
>> >>>>> log source = /proc/kmsg started.
>> >>>>> So, it went to /var/log/hosts/exiting/2011/05/18/rsyslog.log, and
>> >>>>> that's definitely the wrong place.
>> >>>>>
>> >>>>> How to deal with this case?
>> >>>>>
>> >>>>>
>> >>>>> Thanks,
>> >>>>> Kaiwang
>> >>>>> _______________________________________________
>> >>>>> rsyslog mailing list
>> >>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> >>>>> http://www.rsyslog.com
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
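Rainer's suggested way forward is a parser module for messages that are dateless but otherwise correct. The following Python example is added here to illustrate the thread; it is not rsyslog's code and was not written by anyone in the thread. It models the two heuristics discussed, side by side, on the thread's own sample messages: a simplified legacy rule that takes the word after the (possibly absent) timestamp as HOSTNAME and the next word as the tag, which reproduces the `exiting on - - - signal 15` and `syslogd 1.4.1 - - - restart.` outputs Kaiwang saw, and David Lang's rule that an absent timestamp means an absent hostname, so the receiver falls back to the address it received the datagram from. The `fromhost` parameter, the `Parsed` type and the sample datagrams are constructed for the example (the first datagram is the decoded form of the hex dump quoted above); `dynfile_path` mirrors the DynFile template from Kaiwang's configuration. rsyslog's real parser is more elaborate than this model, which only reproduces the behaviour visible in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input, taken from the thread: the captured datagram
# (the hex dump decodes to "<46>exiting on signal 15\n"), one well-formed
# sysklogd line, and the "syslogd 1.4.1: restart." line.
SAMPLES = [
    "<46>exiting on signal 15\n",
    "<6>May 18 19:40:17 dns1 kernel: Kernel logging (proc) stopped.",
    "<46>syslogd 1.4.1: restart.",
]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
# RFC 3164 TIMESTAMP is "Mmm dd hh:mm:ss" with a space-padded day of month
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")
# "syslogtag: message" convention: TAG, optional [pid], then a colon
TAG_RE = re.compile(r"^(?P<prog>[A-Za-z0-9_.\-/]+)(?:\[\d+\])?:\s?(?P<msg>.*)$", re.S)


@dataclass
class Parsed:
    facility: int
    severity: int
    timestamp: Optional[str]
    hostname: Optional[str]
    programname: Optional[str]
    msg: str


def _pri(raw: str):
    """Split off the <PRI> part; facility = pri // 8, severity = pri % 8."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("not a syslog message: missing <PRI>")
    pri = int(m.group("pri"))
    return pri // 8, pri % 8, raw[m.end():].rstrip("\n")


def _timestamp(rest: str):
    """Return (timestamp or None, remainder after the timestamp)."""
    m = TS_RE.match(rest)
    return (m.group("ts"), rest[m.end():]) if m else (None, rest)


def parse_legacy(raw: str) -> Parsed:
    """Model of the behaviour reported in the thread: the word after the
    (possibly absent) timestamp is HOSTNAME and the next word is the tag,
    whether or not a timestamp was actually present."""
    fac, sev, rest = _pri(raw)
    ts, rest = _timestamp(rest)
    hostname, _, rest = rest.partition(" ")
    tag = TAG_RE.match(rest)
    if tag:
        return Parsed(fac, sev, ts, hostname, tag.group("prog"), tag.group("msg"))
    # No "tag:" present, yet the next word is still consumed as the tag;
    # this is how "exiting on signal 15" became host=exiting, tag=on.
    prog, _, msg = rest.partition(" ")
    return Parsed(fac, sev, ts, hostname, prog, msg)


def parse_dateless_aware(raw: str, fromhost: str) -> Parsed:
    """David Lang's rule: no timestamp means no hostname. HOSTNAME then
    falls back to the sender address the receiver saw (fromhost, supplied
    by the caller), and a tag is only taken when it ends in a colon."""
    fac, sev, rest = _pri(raw)
    ts, rest = _timestamp(rest)
    if ts is not None:
        hostname, _, rest = rest.partition(" ")
    else:
        hostname = fromhost
    tag = TAG_RE.match(rest)
    if tag:
        return Parsed(fac, sev, ts, hostname, tag.group("prog"), tag.group("msg"))
    return Parsed(fac, sev, ts, hostname, None, rest)


def dynfile_path(p: Parsed, year: str, month: str, day: str) -> str:
    """Same layout as the DynFile template in Kaiwang's configuration."""
    return f"/var/log/hosts/{p.hostname}/{year}/{month}/{day}/rsyslog.log"


if __name__ == "__main__":
    for raw in SAMPLES:
        old = parse_legacy(raw)
        new = parse_dateless_aware(raw, fromhost="dns1")  # constructed sender
        print(repr(raw.rstrip()))
        print("  legacy  :", dynfile_path(old, "2011", "05", "18"), "tag =", old.programname)
        print("  dateless:", dynfile_path(new, "2011", "05", "18"), "tag =", new.programname)
```

Running the block shows the practical difference: under the legacy rule the dateless datagram is filed under `/var/log/hosts/exiting/...`, whereas the dateless-aware rule keeps it under the sending host's directory with the full text preserved as the message. The point for anyone using `%HOSTNAME%` in a file path is that the directory name is derived from message content, so a parser that guesses a hostname from an arbitrary first word decides where that content lands on disk; falling back to the receiver-observed sender address keeps the filing decision on information the receiver itself produced.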

