yes
> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Kaiwang Chen
> Sent: Saturday, May 21, 2011 6:24 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] HOSTNAME and programname extraction failure,
> when rsyslog as receiver, stock syslog as sender
>
> So rsyslogd is currently lame in the case of missing both timestamp
> and hostname. Is it possible to assign a different parser for specific
> log source to get things right in output module?
>
> Thanks,
> Kaiwang
>
> 2011/5/21 Rainer Gerhards <[email protected]>:
> >> -----Original Message-----
> >> From: [email protected] [mailto:rsyslog-
> >> [email protected]] On Behalf Of [email protected]
> >> Sent: Saturday, May 21, 2011 11:53 AM
> >> To: rsyslog-users
> >> Subject: Re: [rsyslog] HOSTNAME and programname extraction failure,
> >> when rsyslog as receiver, stock syslog as sender
> >>
> >> Rainer,
> >> if the message is missing a timestamp, why does the default parser
> >> assume that there is a hostname there?
> >>
> >> I would assume that if there is no timestamp there isn't a hostname
> >> either
> >> (which would address this particular issue)
> >>
> >> did you have some experience in the past that pushed you to the current
> >> implementation?
> >>
> >
> > I don't have the specifics at hand, but as far as I remember there were cases
> > where absence of timestamp does NOT indicate absence of tag and/or hostname.
> > I am very hesitant to touch the default legacy parser, as the heuristics
> > works pretty well since > 2 years. All other malformed messages reported were
> > really badly malformed. So I think the clean path would be to write a parser
> > module for such dateless but otherwise correct messages...
> >
> > Rainer
> >
> >> David Lang
> >>
> >> On Fri, 20 May 2011, Kaiwang Chen wrote:
> >>
> >> > Date: Fri, 20 May 2011 09:35:15 +0800
> >> > From: Kaiwang Chen <[email protected]>
> >> > Reply-To: rsyslog-users <[email protected]>
> >> > To: rsyslog-users <[email protected]>
> >> > Subject: Re: [rsyslog] HOSTNAME and programname extraction failure,
> >> > when rsyslog as receiver, stock syslog as sender
> >> >
> >> > Yes, it's
> >> > 3c 34 36 3e 65 78 69 74 69 6e 67 20 6f 6e 20 73 69 67 6e 61 6c 20 31 35 0a
> >> > <  4  6  >  e  x  i  t  i  n  g  _  o  n  _  s  i  g  n  a  l  _  1  5  \n
> >> > where spaces are represented by underscores.
> >> >
> >> > Thanks,
> >> > Kaiwang
> >> >
> >> > 2011/5/20 <[email protected]>:
> >> >> if it's being generated without a timestamp, rsyslog should be able to
> >> >> detect that. can you get a raw log and verify that?
> >> >>
> >> >> David Lang
> >> >>
> >> >> On Fri, 20 May 2011, Kaiwang Chen wrote:
> >> >>
> >> >>> Date: Fri, 20 May 2011 00:10:27 +0800
> >> >>> From: Kaiwang Chen <[email protected]>
> >> >>> Reply-To: rsyslog-users <[email protected]>
> >> >>> To: rsyslog-users <[email protected]>
> >> >>> Subject: Re: [rsyslog] HOSTNAME and programname extraction failure,
> >> >>> when rsyslog as receiver, stock syslog as sender
> >> >>>
> >> >>> Looks like it's the stock sysklog in CentOS5.6 that generated bad
> >> >>> formatted logs(without timestamp and syslogtag), and with a rsyslog
> >> >>> 3.x installation I have no choice but not use stock sysklog.
> >> >>>
> >> >>> Thanks,
> >> >>> Kaiwang
> >> >>>
> >> >>> 2011/5/19 Rainer Gerhards <[email protected]>:
> >> >>>>
> >> >>>> In addition to what David already said:
> >> >>>>
> >> >>>> http://www.rsyslog.com/doc/syslog_parsing.html
> >> >>>>
> >> >>>> Rainer
> >> >>>>
> >> >>>>> -----Original Message-----
> >> >>>>> From: [email protected] [mailto:rsyslog-
> >> >>>>> [email protected]] On Behalf Of Kaiwang Chen
> >> >>>>> Sent: Wednesday, May 18, 2011 2:02 PM
> >> >>>>> To: [email protected]
> >> >>>>> Subject: [rsyslog] HOSTNAME and programname extraction failure, when
> >> >>>>> rsyslog as receiver, stock syslog as sender
> >> >>>>>
> >> >>>>> Hello,
> >> >>>>>
> >> >>>>> I was trying to configure rsyslog(rsyslog-3.22.1-3.el5_5.1) as
> >> >>>>> receiver, stock syslog(sysklogd-1.4.1-46.el5) as sender.
> >> >>>>>
> >> >>>>> The rsyslogd listened on udp/514, and used dynamic filenames with
> >> >>>>> protocol23 message formatting:
> >> >>>>> $ModLoad imudp
> >> >>>>> $UDPServerRun 514
> >> >>>>> $ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
> >> >>>>> $template DynFile,"/var/log/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/rsyslog.log"
> >> >>>>> *.* ?DynFile
> >> >>>>>
> >> >>>>> The sender generated several entries(3rd, 4th) violating the
> >> >>>>> "syslogtag: message" convention
> >> >>>>> May 18 19:40:17 dns1 kernel: Kernel logging (proc) stopped.
> >> >>>>> May 18 19:40:17 dns1 kernel: Kernel log daemon terminating.
> >> >>>>> May 18 19:40:18 dns1 exiting on signal 15
> >> >>>>> May 18 19:40:18 dns1 syslogd 1.4.1: restart.
> >> >>>>> May 18 19:40:18 dns1 kernel: klogd 1.4.1, log source = /proc/kmsg started.
> >> >>>>>
> >> >>>>> Take 3rd entry for example, the receiver mistook 'exiting' and 'on' to
> >> >>>>> be %HOSTNAME% and %programname%:
> >> >>>>> <6>1 2011-05-18T19:40:12.592370+08:00 bogon kernel - - - Kernel logging (proc) stopped.
> >> >>>>> <6>1 2011-05-18T19:40:12.592693+08:00 bogon kernel - - - Kernel log daemon terminating.
> >> >>>>> <46>1 2011-05-18T19:40:13.697115+08:00 exiting on - - - signal 15
> >> >>>>> <46>1 2011-05-18T19:40:13.806302+08:00 syslogd 1.4.1 - - - restart.
> >> >>>>> <6>1 2011-05-18T19:40:13.811331+08:00 bogon kernel - - - klogd 1.4.1, log source = /proc/kmsg started.
> >> >>>>> So, it went to /var/log/hosts/exiting/2011/05/18/rsyslog.log, and
> >> >>>>> that's definitely the wrong place.
> >> >>>>>
> >> >>>>> How to deal with this case?
> >> >>>>>
> >> >>>>>
> >> >>>>> Thanks,
> >> >>>>> Kaiwang
> >> >>>>> _______________________________________________
> >> >>>>> rsyslog mailing list
> >> >>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> >>>>> http://www.rsyslog.com

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
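
The rule proposed in the thread (no timestamp means no hostname is read from the message), sketched as an added example that is not part of the original messages and is not rsyslog code. naive_parse is a simplified model of the result reported in the thread, not the legacy parser itself; strict_parse, dest_path and the sender address used with them are assumptions made for illustration.

```python
import re

PRI_RE = re.compile(r"<(\d{1,3})>")
# RFC 3164 timestamp "Mmm dd hh:mm:ss " (day of month is space-padded).
TS_RE = re.compile(r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
                   r" [ \d]\d \d\d:\d\d:\d\d ")
# Conservative charset so the value is usable as a single directory name.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")
TAG_RE = re.compile(r"([^\s:\[]{1,32})(?:\[\d+\])?:")

# Datagram bytes as posted in the thread.
RAW = bytes.fromhex("3c 34 36 3e 65 78 69 74 69 6e 67 20 6f 6e 20 "
                    "73 69 67 6e 61 6c 20 31 35 0a")

def split_pri(datagram):
    text = datagram.decode("utf-8", "replace").rstrip("\n")
    m = PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:
        return int(m.group(1)), text[m.end():]
    return 13, text  # RFC 3164 default priority when PRI is missing or invalid

def naive_parse(datagram):
    # Model of the reported result: first two tokens become hostname and tag.
    pri, rest = split_pri(datagram)
    host, tag, msg = (rest.split(" ", 2) + ["", ""])[:3]
    return {"pri": pri, "hostname": host, "tag": tag, "msg": msg}

def strict_parse(datagram, sender):
    # `sender` is the UDP peer address (hypothetical parameter).
    pri, rest = split_pri(datagram)
    hostname, tag = sender, None
    ts = TS_RE.match(rest)
    if ts:  # only look for a hostname when a timestamp precedes it
        rest = rest[ts.end():]
        host, _, after = rest.partition(" ")
        if HOST_RE.fullmatch(host) and after:
            hostname, rest = host, after
    t = TAG_RE.match(rest)
    if t:  # a tag must end in ":" ("syslogtag: message" convention)
        tag, rest = t.group(1), rest[t.end():].lstrip()
    return {"pri": pri, "hostname": hostname, "tag": tag, "msg": rest}

def dest_path(hostname, year, month, day):
    # Same directory layout as the DynFile template quoted in the thread.
    return f"/var/log/hosts/{hostname}/{year:04d}/{month:02d}/{day:02d}/rsyslog.log"
```

With the strict variant the dateless message is filed under the sender's address instead of under a directory named after its first word.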

