The default template use this:

property(name="syslogtag" position.from="1" position.to="32")

Source: http://www.rsyslog.com/doc/rsyslog_conf_templates.html




Philippe Muller


On Mon, Mar 18, 2013 at 4:15 PM, Philippe Muller
<[email protected]>wrote:

> The default forwarding template enforces the RFC tag length limitation.
> You use a custom template to prevent the tag truncation :
>
> template(name="ForwardFullTag" type="list") {
>       constant(value="<")
>       property(name="PRI")
>       constant(value="<")
>       property(name="timestamp" dateFormat="rfc3339")
>       constant(value=" ")
>       property(name="hostname")
>       constant(value=" ")
>       property(name="syslogtag")
>       constant(value=" ")
>       property(name="msg" spifno1stsp="on" )
> }
>
>
> On Mon, Mar 18, 2013 at 4:00 PM, [email protected] <[email protected]>wrote:
>
>> Hello,
>>
>> I am forwarding my logs and on the receiving end noticed malformed
>> anacron events:
>> Mar 18 16:32:55 c01 run-parts(/etc/cron.hourly)[**1592 starting 0anacron
>>
>> when original looks like
>> Mar 18 16:32:55 c01 run-parts(/etc/cron.hourly)[**15920]: starting
>> 0anacron
>>
>> It seems rsyslog is cutting a portion of log when forwarding:
>> 16:32:55.355467 IP6 ::1.49052 > ::1.5000: UDP, length 74
>> `....R.@......................**...............R(.<77>Mar 18 16:32:55
>> c01 run-parts(/etc/cron.hourly)[**1592 starting 0anacron
>>
>> Now, RFC 3164 states (4.1.3) that MSG part of a syslog message contains
>> TAG and CONTENT fields like this:
>>
>> .. noc-ik run-parts(/etc/cron.hourly)[**28993]: starting 0anacron
>> ..        ^                                                   ^
>> ..        |  TAG   |             CONTENT                      |
>> ..        |                      MSG                          |
>>
>>   * The TAG is a string of ABNF alphanumeric characters that MUST NOT
>> exceed 32 characters.
>>   * Any non-alphanumeric character will terminate the TAG field and will
>> be assumed to be the starting character of the CONTENT field.
>>
>> You may notice, that "run-parts(/etc/cron.hourly)[**1592" is exactly 32
>> characters. I at a loss why rsyslog truncates like that, and if it is an
>> anacron bug, or rsyslog forwarding bug.
>>
>> CentOS 6.4, rsyslog-5.8.10-2.el6.x86_64, cronie-anacron-1.4.4-7.el6.**
>> x86_64.
>> anacron can be invoked with
>> # run-parts /etc/cron.hourly
>>
>> --
>> Thank you,
>> Ignas K.
>> ______________________________**_________________
>> rsyslog mailing list
>> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog>
>> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/>
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> DON'T LIKE THAT.
>>
>
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to