Understood. Thank you both for clarification :)
Ignas K.
On 2013.03.19 10:12, David Lang wrote:
On Tue, 19 Mar 2013, [email protected] wrote:
Thank you Rainer and Philippe for quick tests and answers.
But one more thing, if you allow: why do you say that
"run-parts(/etc/cron.hourly)[15920]:" is a tag and it should be
truncated?
Only "run-parts" is a tag, because, as per RFC, "Any non-alphanumeric
character will terminate the TAG field and will be assumed to be the
starting character of the CONTENT field." The first non-alphanumeric
here is "(". It ends the TAG field, and starts CONTENT field, which
can be arbitrary lenght.
actually, the first non-alphanumeric is '-', so by your logic the TAG
would be 'run'
When the event is:
Mar 18 13:01:01 noc-ik run-parts(/etc/cron.hourly)[25016]: starting
0anacron
"run-parts(/etc/cron.hourly)[25016]: starting 0anacron" is MESSAGE.
where "run-parts" is TAG (<32)
and "(/etc/cron.hourly)[25016]: starting 0anacron" is CONTENT.
Sorry for picking at, just thought I failed to explain my point in the
first message :) It may be I just misunderstand something...
that doesn't match the way programs work in the real world. There are a
HUGE number of programs that log with non-alphanumeric characters in the
tag.
Just about everything puts [PID] in the name, and they expect that to be
part of the syslog tag, not the message.
David Lang
Thank you,
Ignas K.
On 2013.03.18 23:03, Rainer Gerhards wrote:
My mail server is a bit sluggish today, makes my comments a bit out of
sync. ;-)
Truncation after char 32 is absolutely correct.
Rainer
Sent from phone, thus brief.
-------- Ursprüngliche Nachricht --------
Von: Philippe Muller <[email protected]>
Datum: 18.03.2013 21:32 (GMT+01:00)
An: rsyslog-users <[email protected]>
Betreff: Re: [rsyslog] strange truncate on forward
I quickly tested on 7.2.6 using RELP : yes, the default forwarding
template
still truncates at 32 chars.
Philippe Muller
On Mon, Mar 18, 2013 at 4:58 PM, Rainer Gerhards
<[email protected]>wrote:
On Mon, 2013-03-18 at 17:00 +0200, [email protected] wrote:
Hello,
I am forwarding my logs and on the receiving end noticed malformed
anacron events:
Mar 18 16:32:55 c01 run-parts(/etc/cron.hourly)[1592 starting 0anacron
when original looks like
Mar 18 16:32:55 c01 run-parts(/etc/cron.hourly)[15920]: starting
0anacron
It seems rsyslog is cutting a portion of log when forwarding:
16:32:55.355467 IP6 ::1.49052 > ::1.5000: UDP, length 74
`[email protected](.<77>Mar 18 16:32:55
c01
run-parts(/etc/cron.hourly)[1592 starting 0anacron
Now, RFC 3164 states (4.1.3) that MSG part of a syslog message
contains
TAG and CONTENT fields like this:
.. noc-ik run-parts(/etc/cron.hourly)[28993]: starting 0anacron
.. ^ ^
.. | TAG | CONTENT |
.. | MSG |
* The TAG is a string of ABNF alphanumeric characters that MUST
NOT
exceed 32 characters.
* Any non-alphanumeric character will terminate the TAG field and
will be assumed to be the starting character of the CONTENT field.
You may notice, that "run-parts(/etc/cron.hourly)[1592" is exactly 32
characters. I at a loss why rsyslog truncates like that, and if it
is an
anacron bug, or rsyslog forwarding bug.
CentOS 6.4, rsyslog-5.8.10-2.el6.x86_64,
cronie-anacron-1.4.4-7.el6.x86_64.
anacron can be invoked with
# run-parts /etc/cron.hourly
Does this also happen with the currently supported stable version
(7.2.6)?
Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
