The default template use this: property(name="syslogtag" position.from="1" position.to="32")
Source: http://www.rsyslog.com/doc/rsyslog_conf_templates.html Philippe Muller On Mon, Mar 18, 2013 at 4:15 PM, Philippe Muller <[email protected]>wrote: > The default forwarding template enforces the RFC tag length limitation. > You use a custom template to prevent the tag truncation : > > template(name="ForwardFullTag" type="list") { > constant(value="<") > property(name="PRI") > constant(value="<") > property(name="timestamp" dateFormat="rfc3339") > constant(value=" ") > property(name="hostname") > constant(value=" ") > property(name="syslogtag") > constant(value=" ") > property(name="msg" spifno1stsp="on" ) > } > > > On Mon, Mar 18, 2013 at 4:00 PM, [email protected] <[email protected]>wrote: > >> Hello, >> >> I am forwarding my logs and on the receiving end noticed malformed >> anacron events: >> Mar 18 16:32:55 c01 run-parts(/etc/cron.hourly)[**1592 starting 0anacron >> >> when original looks like >> Mar 18 16:32:55 c01 run-parts(/etc/cron.hourly)[**15920]: starting >> 0anacron >> >> It seems rsyslog is cutting a portion of log when forwarding: >> 16:32:55.355467 IP6 ::1.49052 > ::1.5000: UDP, length 74 >> `....R.@......................**...............R(.<77>Mar 18 16:32:55 >> c01 run-parts(/etc/cron.hourly)[**1592 starting 0anacron >> >> Now, RFC 3164 states (4.1.3) that MSG part of a syslog message contains >> TAG and CONTENT fields like this: >> >> .. noc-ik run-parts(/etc/cron.hourly)[**28993]: starting 0anacron >> .. ^ ^ >> .. | TAG | CONTENT | >> .. | MSG | >> >> * The TAG is a string of ABNF alphanumeric characters that MUST NOT >> exceed 32 characters. >> * Any non-alphanumeric character will terminate the TAG field and will >> be assumed to be the starting character of the CONTENT field. >> >> You may notice, that "run-parts(/etc/cron.hourly)[**1592" is exactly 32 >> characters. I at a loss why rsyslog truncates like that, and if it is an >> anacron bug, or rsyslog forwarding bug. >> >> CentOS 6.4, rsyslog-5.8.10-2.el6.x86_64, cronie-anacron-1.4.4-7.el6.** >> x86_64. >> anacron can be invoked with >> # run-parts /etc/cron.hourly >> >> -- >> Thank you, >> Ignas K. >> ______________________________**_________________ >> rsyslog mailing list >> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> >> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/> >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >> DON'T LIKE THAT. >> > > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
