On Wed, 13 Jul 2011, Andreas Grosse wrote:
Hi,
on my machine I am using rsyslog 5.8.1 for remote syslog, and syslog-ng
for local log processing and filtering. The syslog-ng is set up to send
its data to the rsyslog daemon. When I have the syslog-ng provide its
data to the rsyslog using a tcp connection on localhost, the data I
receive on the remote end is fine. If I use a datagram socket for the
communication between syslog-ng and rsyslog (using the imuxsock input
plugin) the data format is changed into the following:
"<22>1 2011-07-12T17:12:00+02:00 agrdevel2 agrdevel2 - - -
exim-out[27081]: 2011-07-12 17:12:00 Start queue run: pid=27081\n"
"<22>1 2011-07-12T17:12:00+02:00 agrdevel2 agrdevel2 - - -
exim-out[27081]: 2011-07-12 17:12:00 End queue run: pid=27081\n"
As you can see, the imuxsock plugin adds its own timestamps, although
the documentation says that application-provided timestamps are ignored
by default. I tried setting the $InputUnixListenSocketIgnoreMsgTimestamp
configuration value explicitly, but to no avail.
I also tried to change the message format of the syslog-ng which is
providing the logs. Using the default syslog-ng settings, the logs that
arrive at the rsyslog daemon look like this:
<22>Jul 13 09:55:00 agrdevel2 exim-out[25592]: 2011-07-13 09:55:00 Start
queue run: pid=25592
<22>Jul 13 09:55:00 agrdevel2 exim-out[25592]: 2011-07-13 09:55:00 End
queue run: pid=25592
this looks to me as being the same data as you show above, the only
difference is that the first set is using the new RFC timestamp format and
protocol tag. The only problem that I see is that it is adding the
hostname.
Using the flag 'syslog-protocol' in the syslog-ng configuration, which
is supposed to have the messages formatted according to the IETF syslog
protocol standard, the messages arriving at the rsyslog daemon look like
this:
<22>1 2011-07-13T09:56:00+02:00 agrdevel2 exim-out 25651 - [meta
sequenceId="3"] 2011-07-13 09:56:00 Start queue run: pid=25651
<22>1 2011-07-13T09:56:00+02:00 agrdevel2 exim-out 25651 - [meta
sequenceId="4"] 2011-07-13 09:56:00 End queue run: pid=25651
Ok, this is the new RFC format.
Unfortunately, in both cases the result is the same. It looks to me like
the imuxsock plugin fails to correctly handle the incoming message
format; date stamps are duplicated, and the fields which are supposed to
contain application name and pid only contain dashes.
do you have an example of the output that's the problem?
personally, I would use networking over localhost for multiple syslog
daemons on the same box to talk to each other.
David Lang
Is there anything I failed to configure correctly, or is this a bug in the
imuxsock plugin? Is there a better way to hook up a local syslog-ng to a
local rsyslog?
Best regards,
Andreas Grosse
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
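
An added example, not part of the original thread and not rsyslog or syslog-ng code: a small Python classifier run over the three message shapes quoted above. It tells RFC 3164 framing from RFC 5424 framing and flags a line as re-wrapped when an RFC 5424 header carries a nil PROCID while MSG still begins with the sender's own tag[pid]: prefix. The regexes, the classify function and the field names are assumptions made for illustration.

```python
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d?) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$", re.S)
# RFC 3164 (BSD): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^\s\[:]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)$",
    re.S)
# A BSD-style "tag[pid]: " prefix left over at the start of MSG
LEGACY_TAG = re.compile(r"^(?P<app>[^\s\[:]+)\[(?P<procid>\d+)\]: ")


def classify(line):
    """Return (format, fields, rewrapped) for one received syslog line."""
    line = line.rstrip("\n")
    for name, rx in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = rx.match(line)
        if m:
            break
    else:
        return "unknown", {}, False
    f = m.groupdict()
    pri = int(f["pri"])
    f["facility"], f["severity"] = pri >> 3, pri & 7  # PRI = facility*8 + severity
    # Re-wrapped: RFC 5424 header with nil PROCID, yet MSG still starts with
    # the sender's own tag[pid]: header.
    inner = LEGACY_TAG.match(f.get("msg") or "") if name == "rfc5424" else None
    rewrapped = inner is not None and f["procid"] == "-"
    if rewrapped:
        f["inner_app"], f["inner_procid"] = inner.group("app", "procid")
    return name, f, rewrapped


# Sample lines taken from the thread above, with the e-mail line wraps rejoined.
SAMPLES = [
    "<22>1 2011-07-12T17:12:00+02:00 agrdevel2 agrdevel2 - - - "
    "exim-out[27081]: 2011-07-12 17:12:00 Start queue run: pid=27081",
    "<22>Jul 13 09:55:00 agrdevel2 exim-out[25592]: "
    "2011-07-13 09:55:00 Start queue run: pid=25592",
    '<22>1 2011-07-13T09:56:00+02:00 agrdevel2 exim-out 25651 - '
    '[meta sequenceId="3"] 2011-07-13 09:56:00 Start queue run: pid=25651',
]

if __name__ == "__main__":
    for s in SAMPLES:
        fmt, f, bad = classify(s)
        print(fmt, "REWRAPPED" if bad else "ok", f["app"], f["procid"])
```

Run on a capture from the receiving end, a check like this shows whether the original program name and PID survived in the header fields or only inside the message text, which matters for any downstream filter or alert keyed on those fields.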