I finally got it working by using a modified version of the default forwarding template:

$template buggyMirapointSyslogtag, "<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %msg%"

Initially I used the 'sp-if-no-1st-sp' option as shown in the default template, but removed it as it produced really weird behaviour. As I use this template only for messages from Mirapoint boxes, I supposed it is not that important... Am I right?

regards.

On 27/07/2011 07:24, Rainer Gerhards wrote:
Depending on the needs, it may be sufficient to use %rawmsg% for forwarding...

Rainer

-----Original Message-----
From: [email protected] [mailto:rsyslog-
[email protected]] On Behalf Of [email protected]
Sent: Wednesday, July 27, 2011 2:47 AM
To: rsyslog-users
Subject: Re: [rsyslog] forwarding malformated syslog messages.

I don't think there's anything that can be done in the templates to fix this, but I think that it would not be that hard to create a parser module that would clean things up.

David Lang

On Tue, 26 Jul 2011, Alexandre Chapellon wrote:

Hello,

I have to relay syslog messages from some locked-up/proprietary boxes (Mirapoint mail servers). To achieve this I am using rsyslog from the Debian squeeze packages: rsyslogd 4.6.4.
Messages are sent by the boxes using the UDP protocol (no choice here), and must be relayed to a "home server" using RELP.
My problem is that messages from the boxes are fairly malformed. The syslog-tag field largely exceeds the 32 chars defined in RFC 3164 (I did not check if this has been updated), and so I believe they just started to put the MSG in the syslog TAG field.
As a consequence, when forwarding those ugly messages, rsyslogd truncates the syslogtag (which is in fact the message itself) to fit in the 32-char field.
Would a newer version of rsyslog handle those kinds of messages?
Is there any way to use a template to properly "re-construct" the messages prior to forwarding?

If you want to take a deeper look at it, I attached 2 dumps of such packets. The first one (mirapoint.pcap) is the syslog packet as sent by the boxes, the second one (rsyslog.pcap) is the message as forwarded to the "home server" by rsyslog.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

--
<http://www.horoa.net>
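
An added example, not part of the original thread and not rsyslog code: a small Python model of the tag truncation discussed above, comparing the default forwarding format with the modified template. It assumes the default format caps the tag with %syslogtag:1:32% and that %msg% keeps its leading space; the simplified parser, the function names and the sample lines are constructed for illustration.

```python
import re

TAG_LIMIT = 32  # tag length the thread cites from RFC 3164

# Simplified RFC 3164 split (a model for illustration, not rsyslog's parser):
# the tag runs up to and including the first ':' or up to the first space.
_LINE = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^ :]*:?)(?P<msg>.*)", re.S)

def parse(raw):
    m = _LINE.match(raw)
    if m is None:
        raise ValueError("not an RFC 3164 style line")
    return m.groupdict()

def _head(f):
    # Timestamp is kept as received; the thread's templates reformat it to RFC 3339.
    return "<%s>%s %s " % (f["pri"], f["ts"], f["host"])

def render_default(f):
    """Models %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg% (assumed default)."""
    sp = "" if f["msg"].startswith(" ") else " "
    return _head(f) + f["tag"][:TAG_LIMIT] + sp + f["msg"]

def render_modified(f):
    """Models the thread's template: %syslogtag% %msg% (no length cap)."""
    return _head(f) + f["tag"] + " " + f["msg"]

def lost_chars(raw):
    """Number of tag characters dropped by the 32-character cap."""
    return max(0, len(parse(raw)["tag"]) - TAG_LIMIT)

# Constructed sample lines (not from the attached pcaps; names are made up).
GOOD = "<22>Jul 26 14:03:11 mira01 smtpd[411]: connect from 192.0.2.7"
BAD = ("<22>Jul 26 14:03:12 mira01 "
       "MTA.MESSAGE.STATUS.queued-for-remote-delivery.id=4F2A9C01: ok")

if __name__ == "__main__":
    for raw in (GOOD, BAD):
        fields = parse(raw)
        print("lost:", lost_chars(raw))
        print("default :", render_default(fields))
        print("modified:", render_modified(fields))
```

For a well-formed line the modified template emits two spaces after the tag, because %msg% already starts with one.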
