It would be best to have samples of the actual incoming traffic captured. Do so when using octet-counted framing (if there are \n inside the message, it won't work with traditional framing, see http://tools.ietf.org/html/rfc6587 - so debugging this would be a no-brainer ;)).
Rainer

On Sat, Sep 7, 2013 at 7:00 AM, Jeremy Hoel <[email protected]> wrote:
> I will post a few when I get to the office Monday.
>
> In case it rings any bells about a previous problem, these are
> Foundstone CounterAct logs..
>
> On Fri, Sep 6, 2013 at 10:58 PM, David Lang <[email protected]> wrote:
> > do you have any examples you can show us?
> >
> > David Lang
> >
> >
> > On Fri, 6 Sep 2013, Jeremy Hoel wrote:
> >
> >> I've got 64K set for both ends. And I've also tried forwarding via
> >> tcp with and without octet-counted and that didn't seem to help
> >> either.
> >>
> >> On Fri, Sep 6, 2013 at 10:47 PM, David Lang <[email protected]> wrote:
> >>>
> >>> try changing the max log size parameter on both ends. Depending on what
> >>> versions you are running, the default size is either 1k or 2k, messages
> >>> longer than that get broken into multiple messages.
> >>>
> >>> David Lang
> >>>
> >>> On Sat, 7 Sep 2013, Jeremy Hoel wrote:
> >>>
> >>>> Date: Sat, 7 Sep 2013 00:09:46 +0000
> >>>> From: Jeremy Hoel <[email protected]>
> >>>> Reply-To: rsyslog-users <[email protected]>
> >>>> To: [email protected]
> >>>> Subject: [rsyslog] issue with line breaks and templates.
> >>>>
> >>>>
> >>>> I have some logs going to one rsyslog server (srvA) and they get
> >>>> written to disk, then some messages get stopped and then the remaining
> >>>> ones get forwarded to srvB. Some messages get really large with a lot
> >>>> of text after "Reason: ".. so I filter things before and to Reason and
> >>>> put that in a template
> >>>>
> >>>> on srvB I have the following:
> >>>>
> >>>> ---- ca.conf----
> >>>> $Template clean,"%msg:R,ERE,0,FIELD:^.*Reason\:--end%"
> >>>> template (name="calogs" type="string"
> >>>> string="/opt/syslogs/CA/%hostname%")
> >>>> ruleset(name="ca"){
> >>>> # action(type="omfile" DirCreateMode="0755" FileCreateMode="0644"
> >>>> dynafile="calogs" template="clean")
> >>>> action(type="omfile" DirCreateMode="0755" FileCreateMode="0644"
> >>>> dynafile="calogs")
> >>>> }
> >>>>
> >>>> input(type="imudp" port="10517" ruleset="ca")
> >>>> ---- ca.conf----
> >>>>
> >>>> When I do not have the template enabled, messages come in, but the
> >>>> large ones get broken up and end up in multiple files based on the
> >>>> next word after the break. When I have the template enabled the
> >>>> messages come in and the part after 'Reason:' gets dropped, but then
> >>>> the next message starts right after, merged onto the same message
> >>>> line.
> >>>>
> >>>> I tried having a \n at the end of the line and that didn't seem to
> >>>> help either.
> >>>>
> >>>> Any ideas or is there a better way to approach the problem?
> >>>> _______________________________________________
> >>>> rsyslog mailing list
> >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>> http://www.rsyslog.com/professional-services/
> >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >>>> DON'T LIKE THAT.
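The framing point Rainer raises above, shown as an added example (not code from the thread or from rsyslog): a message whose free text after "Reason:" contains a line break round-trips through RFC 6587 octet-counted framing, but a newline-terminated (non-transparent) receiver splits it in two, which is exactly the "next message merged onto the same line / broken up into multiple files" symptom. The sample messages are constructed, not captured traffic.

```python
"""Octet-counted vs. non-transparent syslog TCP framing (RFC 6587).
Added example; the two sample messages below are constructed."""

# Constructed sample: one message with an embedded LF after "Reason:",
# followed by a second, ordinary message.
MESSAGES = [
    "<134>Sep  7 00:09:46 ca-host CounterAct: Blocked lab-pc-01 Reason: policy\nviolation detail line 2",
    "<134>Sep  7 00:09:47 ca-host CounterAct: Allowed lab-pc-02 Reason: ok",
]


def frame_octet_counted(msgs):
    """RFC 6587 3.4.1: each message is prefixed by its length in octets and a space."""
    out = b""
    for m in msgs:
        body = m.encode("utf-8")
        out += str(len(body)).encode("ascii") + b" " + body
    return out


def frame_non_transparent(msgs):
    """RFC 6587 3.4.2: messages are separated by a trailer character, usually LF."""
    return b"".join(m.encode("utf-8") + b"\n" for m in msgs)


def parse_octet_counted(stream):
    """Read back an octet-counted stream; the length prefix, not LF, ends a message."""
    msgs, pos = [], 0
    while pos < len(stream):
        space = stream.index(b" ", pos)
        length = int(stream[pos:space])
        start = space + 1
        msgs.append(stream[start:start + length].decode("utf-8"))
        pos = start + length
    return msgs


def parse_non_transparent(stream):
    """An LF-splitting receiver cannot tell an embedded newline from the trailer."""
    return [part.decode("utf-8") for part in stream.split(b"\n") if part]


if __name__ == "__main__":
    # Octet-counted framing preserves the multi-line message intact.
    print(parse_octet_counted(frame_octet_counted(MESSAGES)) == MESSAGES)  # True
    # Non-transparent framing yields 3 "messages" from 2: the first one is split.
    print(len(parse_non_transparent(frame_non_transparent(MESSAGES))))  # 3
```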

