On Mon, 2013-03-18 at 17:00 +0200, [email protected] wrote:
> Hello,
>
> I am forwarding my logs and on the receiving end noticed malformed
> anacron events:
> Mar 18 16:32:55 c01 run-parts(/etc/cron.hourly)[1592 starting 0anacron
>
> when original looks like
> Mar 18 16:32:55 c01 run-parts(/etc/cron.hourly)[15920]: starting 0anacron
>
> It seems rsyslog is cutting a portion of log when forwarding:
> 16:32:55.355467 IP6 ::1.49052 > ::1.5000: UDP, length 74
> `[email protected](.<77>Mar 18 16:32:55 c01
> run-parts(/etc/cron.hourly)[1592 starting 0anacron
>
> Now, RFC 3164 states (4.1.3) that MSG part of a syslog message contains
> TAG and CONTENT fields like this:
>
> .. noc-ik run-parts(/etc/cron.hourly)[28993]: starting 0anacron
> ..        ^                                  ^
> ..        |               TAG                |     CONTENT     |
> ..        |                        MSG                         |
>
> * The TAG is a string of ABNF alphanumeric characters that MUST NOT
>   exceed 32 characters.
> * Any non-alphanumeric character will terminate the TAG field and
>   will be assumed to be the starting character of the CONTENT field.
>
> You may notice, that "run-parts(/etc/cron.hourly)[1592" is exactly 32
> characters. I am at a loss why rsyslog truncates like that, and if it is an
> anacron bug, or rsyslog forwarding bug.
>
> CentOS 6.4, rsyslog-5.8.10-2.el6.x86_64, cronie-anacron-1.4.4-7.el6.x86_64.
> anacron can be invoked with
> # run-parts /etc/cron.hourly

Does this also happen with the currently supported stable version (7.2.6)?

Rainer
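
A receiver-side check for the symptom reported in this thread, as an added example that is not part of the original messages or of rsyslog. `cap_tag` models the truncation as a 32-character cap on the first token of MSG (an assumption that reproduces the received line from the post, not a statement about rsyslog's internals), and `looks_truncated` flags received lines whose first token sits exactly on that limit without its closing colon; all function names are hypothetical.

```python
import re

TAG_MAX = 32  # TAG limit from RFC 3164 section 4.1.3, as quoted in the post

# RFC 3164 header without <PRI>: "Mmm dd hh:mm:ss host MSG"
HEADER = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def split_line(line):
    """Return (timestamp, host, first_token, sep, rest), or None if no header."""
    m = HEADER.match(line)
    if m is None:
        return None
    ts, host, msg = m.groups()
    token, sep, rest = msg.partition(" ")
    return ts, host, token, sep, rest


def cap_tag(line, limit=TAG_MAX):
    """Assumed sender-side model: keep only the first `limit` chars of 'tag:'."""
    parts = split_line(line)
    if parts is None:
        return line
    ts, host, token, sep, rest = parts
    return f"{ts} {host} {token[:limit]}{sep}{rest}"


def looks_truncated(line, limit=TAG_MAX):
    """Receiver-side check: token is exactly on the limit and lost its ':'."""
    parts = split_line(line)
    if parts is None:
        return False
    token = parts[2]
    return len(token) == limit and not token.endswith(":")


def scan(lines):
    """Return the received lines that look like they were cut at the limit."""
    return [ln for ln in lines if looks_truncated(ln)]


if __name__ == "__main__":
    # First line is the original event from the post; second is constructed.
    sent = [
        "Mar 18 16:32:55 c01 run-parts(/etc/cron.hourly)[15920]: starting 0anacron",
        "Mar 18 16:32:56 c01 sshd[1234]: constructed short-tag sample",
    ]
    for hit in scan(cap_tag(s) for s in sent):
        print("possible tag truncation:", hit)
```

A hit means the program name and PID in that event are incomplete, so correlate it against the sender's local log before relying on the PID.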

