Imuxsock expects the format that the syslog() API provides. That is the plain old legacy format. The multi-parser interface is not supported, because there usually is no need AND it would severely complicate "normal" processing flow.
HTH
Rainer

> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Andreas Grosse
> Sent: Wednesday, July 13, 2011 10:19 AM
> To: [email protected]
> Subject: [rsyslog] rsyslog 5.8.1 imuxsock failing to detect input format correctly
>
> Hi,
> on my machine I am using rsyslog 5.8.1 for remote syslog, and syslog-ng for
> local log processing and filtering. The syslog-ng is set up to send its data to
> the rsyslog daemon. When I have the syslog-ng provide its data to the
> rsyslog using a tcp connection on localhost, the data I receive on the remote
> end is fine. If I use a datagram socket for the communication between
> syslog-ng and rsyslog (using the imuxsock input plugin) the data format is
> changed into the following:
>
> "<22>1 2011-07-12T17:12:00+02:00 agrdevel2 agrdevel2 - - - exim-out[27081]: 2011-07-12 17:12:00 Start queue run: pid=27081\n"
> "<22>1 2011-07-12T17:12:00+02:00 agrdevel2 agrdevel2 - - - exim-out[27081]: 2011-07-12 17:12:00 End queue run: pid=27081\n"
>
> As you can see, the imuxsock plugin adds its own timestamps, although the
> documentation says that application-provided timestamps are ignored by
> default. I tried setting the $InputUnixListenSocketIgnoreMsgTimestamp
> configuration value explicitly, but to no avail.
>
> I also tried to change the message format of the syslog-ng which is providing
> the logs.
> Using the default syslog-ng settings, the logs that arrive at the
> rsyslog daemon look like this:
> <22>Jul 13 09:55:00 agrdevel2 exim-out[25592]: 2011-07-13 09:55:00 Start queue run: pid=25592
> <22>Jul 13 09:55:00 agrdevel2 exim-out[25592]: 2011-07-13 09:55:00 End queue run: pid=25592
>
> Using the flag 'syslog-protocol' in the syslog-ng configuration, which is
> supposed to have the messages formatted according to the IETF syslog
> protocol standard, the messages arriving at the rsyslog daemon look like
> this:
> <22>1 2011-07-13T09:56:00+02:00 agrdevel2 exim-out 25651 - [meta sequenceId="3"] 2011-07-13 09:56:00 Start queue run: pid=25651
> <22>1 2011-07-13T09:56:00+02:00 agrdevel2 exim-out 25651 - [meta sequenceId="4"] 2011-07-13 09:56:00 End queue run: pid=25651
>
> Unfortunately, in both cases the result is the same. It looks to me like the
> imuxsock plugin fails to correctly handle the incoming message format; date
> stamps are duplicated, and the fields which are supposed to contain
> application name and pid only contain dashes.
>
> Is there anything I failed to configure correctly, or is this a bug in the
> imuxsock plugin? Is there a better way to hook up a local syslog-ng to a local
> rsyslog?
>
> Best regards,
> Andreas Grosse
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
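An added illustration of the framing mismatch discussed in this thread (not rsyslog's code and not written by either poster): a simplified Python model of a reader that accepts only the syslog() API format, run over the two syslog-ng formats quoted above. It assumes the local-socket format is `<PRI>timestamp tag[pid]: msg` with no hostname field; the regexes, function names and the `API_STYLE` sample are constructed for this example.

```python
import re

# Assumed shape of what syslog(3) writes to the local socket:
# "<PRI>Mmm dd hh:mm:ss TAG[PID]: MSG" with no HOSTNAME field.
LOCAL = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:? ?(?P<msg>.*)$", re.S)
RFC5424_START = re.compile(r"^<\d{1,3}>1 \d{4}-\d\d-\d\dT")

# Sample datagrams: the two syslog-ng lines are quoted from the thread,
# API_STYLE is constructed (same message as syslog(3) would frame it).
API_STYLE = ("<22>Jul 13 09:55:00 exim-out[25592]: "
             "2011-07-13 09:55:00 Start queue run: pid=25592")
SYSLOG_NG_DEFAULT = ("<22>Jul 13 09:55:00 agrdevel2 exim-out[25592]: "
                     "2011-07-13 09:55:00 Start queue run: pid=25592")
SYSLOG_NG_5424 = ('<22>1 2011-07-13T09:56:00+02:00 agrdevel2 exim-out 25651 - '
                  '[meta sequenceId="3"] 2011-07-13 09:56:00 Start queue run: pid=25651')


def parse_local(datagram):
    """Parse as a legacy-only reader would (simplified model, not rsyslog code)."""
    m = LOCAL.match(datagram)
    if m:
        rec = m.groupdict()
        rec["pri"] = int(rec["pri"])
        return rec
    # No legacy header: everything after <PRI> is treated as message text.
    head, sep, rest = datagram.partition(">")
    ok = sep and head.startswith("<") and head[1:].isdigit()
    return {"pri": int(head[1:]) if ok else None, "ts": None, "tag": None,
            "pid": None, "msg": rest if ok else datagram}


def diagnose(datagram, local_hostname):
    """Name the framing mismatch, or return None for syslog(3)-style input."""
    if RFC5424_START.match(datagram):
        return "rfc5424-on-local-socket"
    rec = parse_local(datagram)
    if rec["tag"] is None:
        return "no-legacy-header"
    if rec["tag"] == local_hostname:
        return "hostname-parsed-as-tag"
    return None


if __name__ == "__main__":
    for name in ("API_STYLE", "SYSLOG_NG_DEFAULT", "SYSLOG_NG_5424"):
        d = globals()[name]
        print(name, diagnose(d, "agrdevel2"), parse_local(d)["tag"])
```

In this model the default syslog-ng line yields the hostname as the tag and leaves `exim-out[25592]:` in the message body, which matches the `agrdevel2 agrdevel2 - - - exim-out[...]` records seen at the remote end.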

