On Thu, 1 Nov 2012, Philippe Muller wrote:

Proper stack trace handling is very interesting !

"Note that the code has never been used in practice by us, so there may be
some risk associated"

Did someone use it in production since it was released ?

I've seen several comments about people using it on the list since it was released (which was quite a while ago)

David Lang

Philippe Muller


On Thu, Nov 1, 2012 at 6:48 PM, <[email protected]> wrote:

On Thu, 1 Nov 2012, Rainer Gerhards wrote:

 I am using the Apache SyslogAppender to send the log lines via UDP to
the local rsyslog server.


That appender is seriously broken, there have been lots of discussion on
this topic --> see mailing list archive.


see http://www.rsyslog.com/tag/log4j/ for a
replacement that talks TCP, but works much better.

David Lang




log4j.appender.SYSLOG=org.apache.log4j.net.SyslogAppender
log4j.appender.SYSLOG.syslogHost=localhost
log4j.appender.SYSLOG.facility=LOCAL7
...

So what's not standard in that message? I just need to know what's
wrong so I can fix my configuration.


Please see: http://www.rsyslog.com/doc/syslog_parsing.html

Rainer


The log line is just plain text with fields separated by tabs.

/Flavio

 From: [email protected]
Date: Thu, 1 Nov 2012 09:31:36 +0100
To: [email protected]
Subject: Re: [rsyslog] Parsing msg

I guess he meant "rsyslog only has parsers for standard syslog message
formats" :-)


Philippe Muller


On Thu, Nov 1, 2012 at 9:19 AM, Flavio Oliveira <[email protected]> wrote:



Hi,

I used a text file with fields separated by tabs and sent the lines to
rsyslog via UDP.

What did you mean by "it is not a valid syslog format"?

//Flavio

 From: [email protected]
To: [email protected]
Date: Wed, 31 Oct 2012 16:38:14 +0000
Subject: Re: [rsyslog] Parsing msg



-----Original Message-----
From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Flavio Oliveira
Sent: Wednesday, October 31, 2012 2:44 PM
To: [email protected]
Subject: Re: [rsyslog] Parsing msg


Hi,

The position based parser worked. However only if I use an imfile module
.. if I use an imudp ... something odd happens with the msg when I try
to send ...
See trace below ... we can see the time "13:56:13" in the received msg
and everything goes okay with it until send the message ...

8173.946100404:7f7ca971e700: imudp: epoll_wait() returned with 1 fds
8173.946115431:7f7ca971e700: recv(3,193),acl:1,msg:<190>2012-10-31 13:56:13 ...


In any case, this is no valid syslog format, so you need to write a
parser for that specific format.


Rainer

...
8173.946129291:7f7ca971e700: main Q: entry added, size now log 1, phys 1 entries
8173.946136184:7f7ca971e700: main Q: EnqueueMsg advised worker start
8173.946144005:7f7ca871c700: wti 0x1898b30: worker awoke from idle processing
8173.946149585:7f7ca871c700: we deleted 0 objects and enqueued 0 objects
8173.946152426:7f7ca871c700: delete batch from store, new sizes: log 1, phys 1
8173.946157217:7f7ca871c700: msg parser: flags 70, from '~NOTRESOLVED~', msg '<190>2012-10-31   13:56:13
...

8173.946313962:7f7ca871c700: relp session read 16 octets, buf '30 rsp 6 200 OK'
8173.946318863:7f7ca871c700: relp engine is dispatching frame with command 'rsp'
8173.946322371:7f7ca871c700: in rsp command handler, txnr 30, code 200, text 'OK'
8173.946325437:7f7ca871c700: DEL sess 0x7f7c98000b60 unacked 0, sessState 4
8173.946328020:7f7ca871c700: in destructor: sendbuf 0x7f7c98000f40
8173.946330805:7f7ca871c700: relpSessWaitState returns 0
8173.946333164:7f7ca871c700: send command relp sess state 4
8173.946335257:7f7ca871c700: sendcommand ready to send, relp sess state 4
8173.946339361:7f7ca871c700: frame to send: '31 syslog 236 <190>2012-10-31T13:56:13.946118+01:00 nvezes-ds1 2012-10-31   13: 56:13 ...
...


the msg format is broken .. see the time now (13: 56:13) ...

I noticed that it happens when I use the imudp module ... it doesn't
happen with the imfile module.

Do you have any idea what caused this behaviour?

Very basic conf file used to test:

$ModLoad omrelp.so
$ModLoad imudp.so
$ModLoad imuxsock.so

*.* :omrelp:xx.xx.xx.xx:514

$UDPServerRun 514

$EscapeControlCharactersOnReceive off

//Flavio

 From: [email protected]
To: [email protected]
Date: Tue, 30 Oct 2012 16:39:46 +0000
Subject: Re: [rsyslog] Parsing msg

Oops, hit return too quickly...

If I need more than one
field (Positions 3, 5 and 6), I just need to do something like
%msg:F:3:5:6%?

%msg:F:3%%msg:F:5%%msg:F:6%

Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.
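
Added example (not part of the thread and not rsyslog code): a Python check of why the payload seen in the trace is not a standard syslog header, plus tab-field selection in the manner of %msg:F:3%%msg:F:5%%msg:F:6%. The field values after the timestamp are constructed, since the trace elides them, and the regexes follow the RFC 3164 and RFC 5424 header layouts rather than rsyslog's own parser.

```python
import re

# PRI is "<" + 1-3 digits + ">"; value = facility * 8 + severity, max 191.
PRI = re.compile(r"^<(\d{1,3})>")
# RFC 3164 header starts with "Mmm dd hh:mm:ss " (day may be space-padded).
RFC3164_TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
# RFC 5424 header starts with version "1 " and an ISO timestamp (or "-").
RFC5424_TS = re.compile(r"^1 (?:-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\S*) ")

# Constructed payload shaped like the one in the trace: PRI 190, then a
# tab-separated line. Everything after the time is made up for illustration.
SAMPLE = "<190>2012-10-31\t13:56:13\tINFO\tworker-1\tcom.example.App\tstarted"


def classify(datagram):
    """Return (facility, severity, kind, rest) for one UDP payload."""
    m = PRI.match(datagram)
    if not m or int(m.group(1)) > 191:
        return None, None, "no-pri", datagram
    pri = int(m.group(1))
    rest = datagram[m.end():]
    if RFC5424_TS.match(rest):
        kind = "rfc5424"
    elif RFC3164_TS.match(rest):
        kind = "rfc3164"
    else:
        # Neither header layout: a receiver has to guess where the
        # timestamp, host and tag are, so the content can get rearranged.
        kind = "nonstandard"
    return pri >> 3, pri & 7, kind, rest


def fields(text, wanted, delim="\t"):
    """Pick 1-based fields by delimiter; None marks a missing field."""
    parts = text.split(delim)
    return [parts[i - 1] if 0 < i <= len(parts) else None for i in wanted]


if __name__ == "__main__":
    facility, severity, kind, rest = classify(SAMPLE)
    # 190 = 23 * 8 + 6: facility 23 is local7 (the appender's LOCAL7), severity 6 is info.
    print(facility, severity, kind)
    print(fields(rest, [3, 5, 6]))
```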
