> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of [email protected]
> Sent: Tuesday, March 19, 2013 9:01 AM
> To: [email protected]
> Subject: Re: [rsyslog] strange truncate on forward
> 
> Thank you Rainer and Philippe for quick tests and answers.
> 
> But one more thing, if you allow: why do you say that "run-
> parts(/etc/cron.hourly)[15920]:" is a tag and it should be truncated?
> 
> Only "run-parts" is a tag, because, as per RFC, "Any non-alphanumeric
> character will terminate the TAG field and will be assumed to be the starting
> character of the CONTENT field." The first non-alphanumeric here is "(". It
> ends the TAG field, and starts CONTENT field, which can be arbitrary length.
> 
> When the event is:
> Mar 18 13:01:01 noc-ik run-parts(/etc/cron.hourly)[25016]: starting 0anacron
> 
> "run-parts(/etc/cron.hourly)[25016]: starting 0anacron" is MESSAGE.
> where "run-parts" is TAG (<32)
> and "(/etc/cron.hourly)[25016]: starting 0anacron" is CONTENT.
> 
> Sorry for picking at, just thought I failed to explain my point in the first
> message :) It may be I just misunderstand something...

Well, yes... but:

RFC3164 is only informational and does specify what was seen on the wire. If we 
follow the advice on non-alphanumeric characters, the user experience for the 
typical Linux user will be disastrous -- almost everyone expects the pid (if 
present) to be part of the TAG. So we "override" the informational RFC by 
common knowledge in that case. HOWEVER, the 32 character limitation sounds very 
reasonable, so we keep it as default. 

Note that there are a lot of other heuristics in place to understand real-world 
syslog messages correctly.

If you look for a normative standard, you need to look at RFC5424. 
Unfortunately, the current Linux syslog() implementation does not support that.

Hope that clarifies,
Rainer
> 
> Thank you,
> Ignas K.
> 
> 
> On 2013.03.18 23:03, Rainer Gerhards wrote:
> > My mail server is a bit sluggish today, makes my comments a bit out of
> > sync. ;-)
> >
> > Truncation after char 32 is absolutely correct.
> >
> > Rainer
> >
> >
> >
> > Sent from phone, thus brief.
> >
> >
> >
> > -------- Original Message --------
> > From: Philippe Muller <[email protected]>
> > Date: 18.03.2013 21:32 (GMT+01:00)
> > To: rsyslog-users <[email protected]>
> > Subject: Re: [rsyslog] strange truncate on forward
> >
> >
> > I quickly tested on 7.2.6 using RELP : yes, the default forwarding
> > template still truncates at 32 chars.
> >
> > Philippe Muller
> >
> >
> > On Mon, Mar 18, 2013 at 4:58 PM, Rainer Gerhards
> > <[email protected]> wrote:
> >
> >> On Mon, 2013-03-18 at 17:00 +0200, [email protected] wrote:
> >>> Hello,
> >>>
> >>> I am forwarding my logs and on the receiving end noticed malformed
> >>> anacron events:
> >>> Mar 18 16:32:55 c01 run-parts(/etc/cron.hourly)[1592 starting
> >>> 0anacron
> >>>
> >>> when original looks like
> >>> Mar 18 16:32:55 c01 run-parts(/etc/cron.hourly)[15920]: starting
> >>> 0anacron
> >>>
> >>> It seems rsyslog is cutting a portion of log when forwarding:
> >>> 16:32:55.355467 IP6 ::1.49052 > ::1.5000: UDP, length 74
> >>> `[email protected](.<77>Mar 18 16:32:55
> >>> c01
> >>> run-parts(/etc/cron.hourly)[1592 starting 0anacron
> >>>
> >>> Now, RFC 3164 states (4.1.3) that MSG part of a syslog message
> >>> contains TAG and CONTENT fields like this:
> >>>
> >>> .. noc-ik run-parts(/etc/cron.hourly)[28993]: starting 0anacron
> >>> ..        ^                                                   ^
> >>> ..        |  TAG   |             CONTENT                      |
> >>> ..        |                      MSG                          |
> >>>
> >>>     * The TAG is a string of ABNF alphanumeric characters that MUST
> >>> NOT exceed 32 characters.
> >>>     * Any non-alphanumeric character will terminate the TAG field
> >>> and will be assumed to be the starting character of the CONTENT field.
> >>>
> >>> You may notice, that "run-parts(/etc/cron.hourly)[1592" is exactly
> >>> 32 characters. I am at a loss why rsyslog truncates like that, and if
> >>> it is an anacron bug, or rsyslog forwarding bug.
> >>>
> >>> CentOS 6.4, rsyslog-5.8.10-2.el6.x86_64,
> >> cronie-anacron-1.4.4-7.el6.x86_64.
> >>> anacron can be invoked with
> >>> # run-parts /etc/cron.hourly
> >>
> >> Does this also happen with the currently supported stable version
> >> (7.2.6)?
> >>
> >> Rainer
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
> >> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> >> you DON'T LIKE THAT.
> >>
> >
> 

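Added example, not part of the original thread and not rsyslog's own code: a small Python model of the two TAG readings discussed above, run over the anacron line quoted in the thread. The function names are hypothetical, and `tag_conventional` (TAG ends at the first ':' or space, then a 32-character cap on forward) is a simplifying assumption rather than rsyslog's real parser.

```python
import re

TAG_MAX = 32  # RFC 3164 section 4.1.3 limit quoted in the thread

# Assumed BSD-style header: "<PRI>Mmm dd hh:mm:ss HOST " followed by MSG.
HEADER = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

# Original line from the thread, with the PRI seen in the captured packet.
SAMPLE = ("<77>Mar 18 16:32:55 c01 "
          "run-parts(/etc/cron.hourly)[15920]: starting 0anacron")

def split_header(line):
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not a BSD-style syslog line")
    pri, ts, host, msg = m.groups()
    return int(pri), ts, host, msg

def tag_strict(msg):
    """Letter-of-the-RFC reading: TAG is the leading run of ASCII
    alphanumerics (at most 32); the next character starts CONTENT.
    Note that '-' is itself non-alphanumeric."""
    n = 0
    while (n < len(msg) and n < TAG_MAX
           and msg[n].isascii() and msg[n].isalnum()):
        n += 1
    return msg[:n], msg[n:]

def tag_conventional(msg):
    """Assumed model of the convention: program name and [pid] belong to
    the TAG, which ends at the first ':' (kept) or the first space."""
    for i, ch in enumerate(msg):
        if ch == ":":
            return msg[:i + 1], msg[i + 1:]
        if ch == " ":
            return msg[:i], msg[i:]
    return msg, ""

def forward(line, parse):
    """Re-emit the line with the TAG capped at TAG_MAX characters."""
    pri, ts, host, msg = split_header(line)
    tag, content = parse(msg)
    return f"<{pri}>{ts} {host} {tag[:TAG_MAX]}{content}"

def will_truncate(line):
    """True if the conventional TAG would lose characters on forward."""
    return len(tag_conventional(split_header(line)[3])[0]) > TAG_MAX
```

Running `will_truncate` over a sample of local logs before enabling forwarding shows which programs emit tags longer than 32 characters and would therefore arrive with a damaged pid or missing colon on the collector.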