The default forwarding template enforces the RFC tag length limitation. You
can use a custom template to prevent the tag truncation:
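template(name="ForwardFullTag" type="list") {
    constant(value="<")
    property(name="PRI")
    # close the <PRI> field
    constant(value=">")
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    # full tag, without the 32-character limit
    property(name="syslogtag")
    # spifno1stsp emits a single space only when msg has no leading space
    property(name="msg" spifno1stsp="on")
    # the message text itself
    property(name="msg")
}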
On Mon, Mar 18, 2013 at 4:00 PM, [email protected] <[email protected]> wrote:
> Hello,
>
> I am forwarding my logs and on the receiving end noticed malformed anacron
> events:
> Mar 18 16:32:55 c01 run-parts(/etc/cron.hourly)[1592 starting 0anacron
>
> when original looks like
> Mar 18 16:32:55 c01 run-parts(/etc/cron.hourly)[15920]: starting
> 0anacron
>
> It seems rsyslog is cutting a portion of log when forwarding:
> 16:32:55.355467 IP6 ::1.49052 > ::1.5000: UDP, length 74
> `....R.@.....................................R(.<77>Mar 18 16:32:55 c01
> run-parts(/etc/cron.hourly)[1592 starting 0anacron
>
> Now, RFC 3164 states (4.1.3) that MSG part of a syslog message contains
> TAG and CONTENT fields like this:
>
> .. noc-ik run-parts(/etc/cron.hourly)[28993]: starting 0anacron
> .. ^ ^
> .. | TAG | CONTENT |
> .. | MSG |
>
> * The TAG is a string of ABNF alphanumeric characters that MUST NOT
> exceed 32 characters.
> * Any non-alphanumeric character will terminate the TAG field and will
> be assumed to be the starting character of the CONTENT field.
>
> You may notice that "run-parts(/etc/cron.hourly)[1592" is exactly 32
> characters. I am at a loss why rsyslog truncates like that, and if it is an
> anacron bug, or rsyslog forwarding bug.
>
> CentOS 6.4, rsyslog-5.8.10-2.el6.x86_64, cronie-anacron-1.4.4-7.el6.x86_64.
> anacron can be invoked with
> # run-parts /etc/cron.hourly
>
> --
> Thank you,
> Ignas K.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
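
Added example (not part of the original posts and not rsyslog code): a simplified Python model of the truncation discussed in this thread, with a receiver-side check that flags tags cut at exactly 32 characters. The tag-splitting rule, the function names and the sample line are assumptions built from the values quoted above.

```python
import re

TAG_MAX = 32  # RFC 3164 section 4.1.3 limit quoted in the thread

# Constructed sample: the local event from the thread, with the <77> PRI
# that is visible in the tcpdump capture.
SAMPLE = ("<77>Mar 18 16:32:55 c01 "
          "run-parts(/etc/cron.hourly)[15920]: starting 0anacron")

HEADER = re.compile(r"^(<\d{1,3}>\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ )(.*)$", re.S)
# Assumption (simplified model): the tag runs to the first space or ':'.
TAG = re.compile(r"^[^ :]*:?")


def split_line(line):
    """Return (header, tag, content) for an RFC 3164 style line."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 3164 style line")
    header, rest = m.groups()
    tag = TAG.match(rest).group(0)
    return header, tag, rest[len(tag):]


def forward(line, tag_max=TAG_MAX):
    """Re-emit a line, cutting the tag to tag_max characters (None = no cut)."""
    header, tag, content = split_line(line)
    if tag_max is not None:
        tag = tag[:tag_max]
    return header + tag + content


def tag_looks_truncated(line, tag_max=TAG_MAX):
    """Receiver-side heuristic: tag is exactly tag_max long and lacks ':'."""
    _, tag, _ = split_line(line)
    return len(tag) == tag_max and not tag.endswith(":")


if __name__ == "__main__":
    cut = forward(SAMPLE)                  # models the 32-character limit
    full = forward(SAMPLE, tag_max=None)   # models forwarding the full tag
    print(cut, tag_looks_truncated(cut))
    print(full, tag_looks_truncated(full))
```

The check is a heuristic: a legitimate tag that is exactly 32 characters long and has no trailing colon is flagged as well, so treat a hit as a prompt to compare against the sender's local log.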