> -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of Philippe Muller > Sent: Monday, March 18, 2013 4:17 PM > To: rsyslog-users > Subject: Re: [rsyslog] strange truncate on forward > > The default template use this: > > property(name="syslogtag" position.from="1" position.to="32") > > Source: http://www.rsyslog.com/doc/rsyslog_conf_templates.html I mis-read the message (thought the original message's tag had 32 chars). Philippe is right, the original tag is simply too long.
Rainer > > > > > Philippe Muller > > > On Mon, Mar 18, 2013 at 4:15 PM, Philippe Muller > <[email protected]>wrote: > > > The default forwarding template enforces the RFC tag length limitation. > > You use a custom template to prevent the tag truncation : > > > > template(name="ForwardFullTag" type="list") { > > constant(value="<") > > property(name="PRI") > > constant(value="<") > > property(name="timestamp" dateFormat="rfc3339") > > constant(value=" ") > > property(name="hostname") > > constant(value=" ") > > property(name="syslogtag") > > constant(value=" ") > > property(name="msg" spifno1stsp="on" ) } > > > > > > On Mon, Mar 18, 2013 at 4:00 PM, [email protected] > <[email protected]>wrote: > > > >> Hello, > >> > >> I am forwarding my logs and on the receiving end noticed malformed > >> anacron events: > >> Mar 18 16:32:55 c01 run-parts(/etc/cron.hourly)[**1592 starting 0anacron > >> > >> when original looks like > >> Mar 18 16:32:55 c01 run-parts(/etc/cron.hourly)[**15920]: starting > >> 0anacron > >> > >> It seems rsyslog is cutting a portion of log when forwarding: > >> 16:32:55.355467 IP6 ::1.49052 > ::1.5000: UDP, length 74 > >> `....R.@......................**...............R(.<77>Mar 18 16:32:55 > >> c01 run-parts(/etc/cron.hourly)[**1592 starting 0anacron > >> > >> Now, RFC 3164 states (4.1.3) that MSG part of a syslog message contains > >> TAG and CONTENT fields like this: > >> > >> .. noc-ik run-parts(/etc/cron.hourly)[**28993]: starting 0anacron > >> .. ^ ^ > >> .. | TAG | CONTENT | > >> .. | MSG | > >> > >> * The TAG is a string of ABNF alphanumeric characters that MUST NOT > >> exceed 32 characters. > >> * Any non-alphanumeric character will terminate the TAG field and will > >> be assumed to be the starting character of the CONTENT field. > >> > >> You may notice, that "run-parts(/etc/cron.hourly)[**1592" is exactly 32 > >> characters. I at a loss why rsyslog truncates like that, and if it is an > >> anacron bug, or rsyslog forwarding bug. > >> > >> CentOS 6.4, rsyslog-5.8.10-2.el6.x86_64, cronie-anacron-1.4.4-7.el6.** > >> x86_64. > >> anacron can be invoked with > >> # run-parts /etc/cron.hourly > >> > >> -- > >> Thank you, > >> Ignas K. > >> ______________________________**_________________ > >> rsyslog mailing list > >> > http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/ > mailman/listinfo/rsyslog> > >> http://www.rsyslog.com/**professional- > services/<http://www.rsyslog.com/professional-services/> > >> What's up with rsyslog? Follow https://twitter.com/rgerhards > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if > you > >> DON'T LIKE THAT. > >> > > > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

