2011/6/8 Rainer Gerhards <[email protected]>:
>
>> -----Original Message-----
>> From: [email protected] [mailto:rsyslog-
>> [email protected]] On Behalf Of Kaiwang Chen
>> Sent: Wednesday, June 08, 2011 4:04 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] Problem with forwarded multiline message
>>
>> So the (o) option just affects the receiver, and would be of no harm being
>> turned on at the terminal end of syslog message flow.  Actually, I am going to
>> use rsyslog on both ends, except bridge and router sources.
>
> Actually the sender. The receiver automatically handles both. The option is
> at the action, I think it is along the lines of
>
> @@(o)host


Yes, it's documented in "Remote Machine" section from
http://www.rsyslog.com/doc/rsyslog_conf_actions.html
However, when rsyslogd as sender was configured
*.*                @@(o)10.3.254.106:514

the receiver (same version 5.8.1) recorded nothing. I confirmed with
"tcpdump -i eth1 tcp port 514 -s0" that two data packets reached the
receiver with payload:

0000   37 38 20 3c 36 3e 4a 75 6e 20 20 39 20 30 30 3a  78 <6>Jun  9 00:
0010   34 34 3a 31 39 20 64 6e 73 31 20 6b 65 72 6e 65  44:19 dns1 kerne
0020   6c 3a 20 69 6d 6b 6c 6f 67 20 35 2e 38 2e 31 2c  l: imklog 5.8.1,
0030   20 6c 6f 67 20 73 6f 75 72 63 65 20 3d 20 2f 70   log source = /p
0040   72 6f 63 2f 6b 6d 73 67 20 73 74 61 72 74 65 64  roc/kmsg started
0050   2e                                               .

0000   31 33 32 20 3c 34 36 3e 4a 75 6e 20 20 39 20 30  132 <46>Jun  9 0
0010   30 3a 34 34 3a 31 39 20 64 6e 73 31 20 72 73 79  0:44:19 dns1 rsy
0020   73 6c 6f 67 64 3a 20 5b 6f 72 69 67 69 6e 20 73  slogd: [origin s
0030   6f 66 74 77 61 72 65 3d 22 72 73 79 73 6c 6f 67  oftware="rsyslog
0040   64 22 20 73 77 56 65 72 73 69 6f 6e 3d 22 35 2e  d" swVersion="5.
0050   38 2e 31 22 20 78 2d 70 69 64 3d 22 36 32 32 30  8.1" x-pid="6220
0060   22 20 78 2d 69 6e 66 6f 3d 22 68 74 74 70 3a 2f  " x-info="http:/
0070   2f 77 77 77 2e 72 73 79 73 6c 6f 67 2e 63 6f 6d  /www.rsyslog.com
0080   22 5d 20 73 74 61 72 74 32 32 37 20 3c 34 33 3e  "] start227 <43>
0090   4a 75 6e 20 20 39 20 30 30 3a 34 34 3a 31 39 20  Jun  9 00:44:19
00a0   64 6e 73 31 20 72 73 79 73 6c 6f 67 64 2d 32 30  dns1 rsyslogd-20
00b0   36 36 3a 20 63 6f 75 6c 64 20 6e 6f 74 20 6c 6f  66: could not lo
00c0   61 64 20 6d 6f 64 75 6c 65 20 27 2f 75 73 72 2f  ad module '/usr/
00d0   6c 69 62 36 34 2f 72 73 79 73 6c 6f 67 2f 6f 6d  lib64/rsyslog/om
00e0   68 64 66 73 2e 73 6f 27 2c 20 64 6c 6f 70 65 6e  hdfs.so', dlopen
00f0   3a 20 2f 75 73 72 2f 6c 69 62 36 34 2f 72 73 79  : /usr/lib64/rsy
0100   73 6c 6f 67 2f 6f 6d 68 64 66 73 2e 73 6f 3a 20  slog/omhdfs.so:
0110   63 61 6e 6e 6f 74 20 6f 70 65 6e 20 73 68 61 72  cannot open shar
0120   65 64 20 6f 62 6a 65 63 74 20 66 69 6c 65 3a 20  ed object file:
0130   4e 6f 20 73 75 63 68 20 66 69 6c 65 20 6f 72 20  No such file or
0140   64 69 72 65 63 74 6f 72 79 0a 20 5b 74 72 79 20  directory. [try
0150   68 74 74 70 3a 2f 2f 77 77 77 2e 72 73 79 73 6c  http://www.rsysl
0160   6f 67 2e 63 6f 6d 2f 65 2f 32 30 36 36 20 5d 31  og.com/e/2066 ]1
0170   30 34 20 3c 34 33 3e 4a 75 6e 20 20 39 20 30 30  04 <43>Jun  9 00
0180   3a 34 34 3a 31 39 20 64 6e 73 31 20 72 73 79 73  :44:19 dns1 rsys
0190   6c 6f 67 64 3a 20 74 68 65 20 6c 61 73 74 20 65  logd: the last e
01a0   72 72 6f 72 20 6f 63 63 75 72 65 64 20 69 6e 20  rror occured in
01b0   2f 65 74 63 2f 72 73 79 73 6c 6f 67 2e 63 6f 6e  /etc/rsyslog.con
01c0   66 2c 20 6c 69 6e 65 20 33 3a 22 24 4d 6f 64 4c  f, line 3:"$ModL
01d0   6f 61 64 20 6f 6d 68 64 66 73 22 31 35 30 20 3c  oad omhdfs"150 <
01e0   34 33 3e 4a 75 6e 20 20 39 20 30 30 3a 34 34 3a  43>Jun  9 00:44:
01f0   31 39 20 64 6e 73 31 20 72 73 79 73 6c 6f 67 64  19 dns1 rsyslogd
0200   2d 32 31 32 34 3a 20 43 4f 4e 46 49 47 20 45 52  -2124: CONFIG ER
0210   52 4f 52 3a 20 63 6f 75 6c 64 20 6e 6f 74 20 69  ROR: could not i
0220   6e 74 65 72 70 72 65 74 20 6d 61 73 74 65 72 20  nterpret master
0230   63 6f 6e 66 69 67 20 66 69 6c 65 20 27 2f 65 74  config file '/et
0240   63 2f 72 73 79 73 6c 6f 67 2e 63 6f 6e 66 27 2e  c/rsyslog.conf'.
0250   20 5b 74 72 79 20 68 74 74 70 3a 2f 2f 77 77 77   [try http://www
0260   2e 72 73 79 73 6c 6f 67 2e 63 6f 6d 2f 65 2f 32  .rsyslog.com/e/2
0270   31 32 34 20 5d                                   124 ]


>
>>
>> I came across such a framing option days ago, and just can't locate it. How to
>> turn the (o) option, is it a compilation flag or a configuration directive?
>>
>> Is "lagacy plain syslogd" referring to rsyslogd with imptcp? I understand stock
>> sysklogd can't deal with multiline messages.
>
> Oh, sorry, not just a typo. It should read "legacy plain tcp syslog
> (protocol)". This is what most applications understand under "TCP syslog". It
> uses \n to end a message and start a new one. Usually this is not a problem,
> as control character escaping removes \n in any case.

Will omrelp suppress this problem, or is there any other way to get rid
of it, if plain tcp with (o) option does not work well?


Thanks,
Kaiwang

>
> Rainer
>>
>> Thanks,
>> Kaiwang
>>
>> 2011/6/8 Rainer Gerhards <[email protected]>:
>> > Multi-line messages are not supported by legacy plain syslogd. But you
>> > can turn on the (o) option, which enables octet-counted framing, with
>> > which it works. However, non-rsyslog receivers probably do not
>> > understand that framing.
>> > Rainer
>> >
>> >> -----Original Message-----
>> >> From: [email protected] [mailto:rsyslog-
>> >> [email protected]] On Behalf Of Kaiwang Chen
>> >> Sent: Wednesday, June 08, 2011 3:16 PM
>> >> To: rsyslog-users
>> >> Subject: [rsyslog] Problem with forwarded multiline message
>> >>
>> >> Hello,
>> >>
>> >> I set up two hosts to test rsyslogd, dns1 as client, z6 as server, and found
>> >> that the server interpreted a copy of forwarded multiline message (3rd
>> >> entry in the following raw messages) into multiple entries (3rd and
>> >> 4th entry in actual output), while locally generated multiline message was
>> >> fine. What's the problem?
>> >>
>> >> The client setting:
>> >> $ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
>> >> *.*                @@10.3.254.106:514
>> >>
>> >> The server setting:
>> >> $InputPTCPServerRun 514
>> >> $ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
>> >> $template rawfmt,"%rawmsg%\n"
>> >> *.*    /var/log/rawmessages;rawfmt
>> >> *.info;mail.none;authpriv.none;cron.none    /var/log/messages
>> >>
>> >> Other settings were action queue tuning, I guess they were irrelevant.
>> >>
>> >> The raw messages:
>> >> <6>Jun  8 20:52:48 dns1 kernel: imklog 5.8.1, log source = /proc/kmsg started.
>> >> <46>Jun  8 20:52:48 dns1 rsyslogd: [origin software="rsyslogd"
>> >> swVersion="5.8.1" x-pid="4152" x-info="http://www.rsyslog.com"] start
>> >> <43>Jun  8 20:52:48 dns1 rsyslogd-2066: could not load module
>> >> '/usr/lib64/rsyslog/omhdfs.so', dlopen: /usr/lib64/rsyslog/omhdfs.so:
>> >> cannot open shared object file: No such file or directory  [try
>> >> http://www.rsyslog.com/e/2066 ] <43>Jun  8 20:52:48 dns1 rsyslogd:
>> >> the last error occured in /etc/rsyslog.conf, line 6:"$ModLoad omhdfs"
>> >> <43>Jun  8 20:52:48 dns1 rsyslogd-2124: CONFIG ERROR: could not
>> >> interpret master config file '/etc/rsyslog.conf'. [try
>> >> http://www.rsyslog.com/e/2124 ]
>> >> imklog 5.8.1, log source = /proc/kmsg started.
>> >>  [origin software="rsyslogd" swVersion="5.8.1" x-pid="11033"
>> >> x-info="http://www.rsyslog.com"] start could not load module
>> >> '/usr/lib64/rsyslog/omhdfs.so', dlopen:
>> >> /usr/lib64/rsyslog/omhdfs.so: cannot open shared object file: No such file or
>> >> directory  [try http://www.rsyslog.com/e/2066 ] the last error
>> >> occured in /etc/rsyslog.conf, line 3:"$ModLoad omhdfs"
>> >> CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try
>> >> http://www.rsyslog.com/e/2124 ]
>> >>
>> >> Actual output:
>> >> <6>1 2011-06-08T20:52:48+08:00 dns1 kernel - - -  imklog 5.8.1, log source = /proc/kmsg started.
>> >> <46>1 2011-06-08T20:52:48+08:00 dns1 rsyslogd - - -  [origin software="rsyslogd" swVersion="5.8.1" x-pid="4152" x-info="http://www.rsyslog.com"] start
>> >> <43>1 2011-06-08T20:52:48+08:00 dns1 rsyslogd-2066 - - -  could not load module '/usr/lib64/rsyslog/omhdfs.so', dlopen: /usr/lib64/rsyslog/omhdfs.so: cannot open shared object file: No such file or directory
>> >> <13>1 2011-06-08T20:52:48.251337+08:00 bogon  - - -  [try http://www.rsyslog.com/e/2066 ]
>> >> <43>1 2011-06-08T20:52:48+08:00 dns1 rsyslogd - - -  the last error occured in /etc/rsyslog.conf, line 6:"$ModLoad omhdfs"
>> >> <43>1 2011-06-08T20:52:48+08:00 dns1 rsyslogd-2124 - - -  CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
>> >> <6>1 2011-06-08T20:59:33.791626+08:00 z6 kernel - - - imklog 5.8.1, log source = /proc/kmsg started.
>> >> <46>1 2011-06-08T20:59:33.791820+08:00 z6 rsyslogd - - -  [origin software="rsyslogd" swVersion="5.8.1" x-pid="11033" x-info="http://www.rsyslog.com"] start
>> >> <43>1 2011-06-08T20:59:33.787162+08:00 z6 rsyslogd-2066 - - - could not load module '/usr/lib64/rsyslog/omhdfs.so', dlopen: /usr/lib64/rsyslog/omhdfs.so: cannot open shared object file: No such file or directory  [try http://www.rsyslog.com/e/2066 ]
>> >> <43>1 2011-06-08T20:59:33.787221+08:00 z6 rsyslogd - - - the last error occured in /etc/rsyslog.conf, line 3:"$ModLoad omhdfs"
>> >> <43>1 2011-06-08T20:59:33.791571+08:00 z6 rsyslogd-2124 - - - CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
>> >>
>> >>
>> >> Thanks,
>> >> Kaiwang
>> >> _______________________________________________
>> >> rsyslog mailing list
>> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> >> http://www.rsyslog.com
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
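
Added example, not part of the original thread: a Python sketch of the two TCP syslog framings discussed above, showing why LF-delimited framing splits a message with an embedded newline while octet-counted framing keeps it whole. The two sample messages are copied from the tcpdump payload in the message; all function names are illustrative assumptions and none of this is rsyslog code.

```python
import re

# Sample messages copied from the capture in this thread; M2 has an embedded LF.
M1 = b"<6>Jun  9 00:44:19 dns1 kernel: imklog 5.8.1, log source = /proc/kmsg started."
M2 = (b"<43>Jun  9 00:44:19 dns1 rsyslogd-2066: could not load module "
      b"'/usr/lib64/rsyslog/omhdfs.so', dlopen: /usr/lib64/rsyslog/omhdfs.so: "
      b"cannot open shared object file: No such file or directory\n"
      b" [try http://www.rsyslog.com/e/2066 ]")

def frame_lf(msgs):
    """Legacy plain TCP syslog: every message is terminated by LF."""
    return b"".join(m + b"\n" for m in msgs)

def frame_octet_counted(msgs):
    """Octet-counted framing: '<length> <message>', as in the '78 <6>...' packet."""
    return b"".join(str(len(m)).encode() + b" " + m for m in msgs)

def split_lf(stream):
    """Receiver for LF framing: any LF ends a message, including embedded ones."""
    return [part for part in stream.split(b"\n") if part]

def split_octet_counted(stream):
    """Receiver for octet-counted framing: trust the count, not the content."""
    out, i = [], 0
    while i < len(stream):
        sp = stream.find(b" ", i)
        if sp == -1 or not stream[i:sp].isdigit():
            raise ValueError(f"bad frame header at offset {i}")
        end = sp + 1 + int(stream[i:sp])
        if end > len(stream):
            raise ValueError(f"truncated frame at offset {i}")
        out.append(stream[sp + 1:end])
        i = end
    return out

PRI = re.compile(rb"^<\d{1,3}>")

def orphans(msgs):
    """Messages without a <PRI> header: the receiver has to invent priority and
    host for these (compare the '<13>... bogon' entry in the actual output)."""
    return [m for m in msgs if not PRI.match(m)]

if __name__ == "__main__":
    for name, msgs in (("LF", split_lf(frame_lf([M1, M2]))),
                       ("octet-counted",
                        split_octet_counted(frame_octet_counted([M1, M2])))):
        print(f"{name}: {len(msgs)} messages, {len(orphans(msgs))} without <PRI>")
```

Running `orphans()` over received messages is a cheap receiver-side check for split messages: a fragment with no `<PRI>` header on a link that should carry only well-formed syslog points to a framing mismatch or an unescaped newline upstream.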
