Hi, i am seeing a strange problem where syslog messages received from remote get stripped a couple of chars at the front. This seems to happen depending on the source of the message:
Config:
$template DynFile,"/var/log/remote/%fromhost%-%timegenerated:1:10:date-rfc3339%"
$template hostorip,"%TIMESTAMP:::date-rfc3339% %fromhost%
%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
:source , !isequal , "localhost" ?DynFile
:source , !isequal , "localhost" /var/log/remote.log;hostorip
Source A (Redback SE600)
14:51:25.364326 IP (tos 0x0, ttl 63, id 49237, offset 0, flags [none],
proto UDP (17), length 107)
172.30.0.7.63458 > 172.30.16.16.514: SYSLOG, length: 79
Facility local7 (23), Severity info (6)
Msg: Oct 24 14:51:25.351: %CSM-6-PORT: ethernet 2/1 link state
UP, admin is UP\0x0a
2011-10-24T14:51:25.373047+00:00 frnk1-bras1 24 14:51:25.351:
%CSM-6-PORT: ethernet 2/1 link state UP, admin is UP
As one can see the "Oct " is stripped of the beginning of the message. Logging
"rawmsg" shows
the full message including
A different source (Cisco ASR9k):
14:51:34.487744 IP (tos 0x0, ttl 30, id 64430, offset 0, flags [none],
proto UDP (17), length 189)
172.30.0.2.514 > 172.30.16.16.514: SYSLOG, length: 161
Facility local7 (23), Severity info (6)
Msg: 467: LC/0/0/CPU0:Oct 24 14:51:34.476 : bfd_agent[123]:
%L2-BFD-6-SESSION_STATE_UP : BFD session to neighbor 172.30.16.42 on interface
TenGigE0/0/0/6 is up \0x0a
2011-10-24T14:51:34.487834+00:00 frnk1-cr2 467: LC/0/0/CPU0:Oct 24
14:51:34.476 : bfd_agent[123]: %L2-BFD-6-SESSION_STATE_UP : BFD session to
neighbor 172.30.16.42 on interface TenGigE0/0/0/6 is up
Nothing stripped. I dont see anything obvious ....
Flo
--
Florian Lohoff [email protected]
signature.asc
Description: Digital signature
_______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
