On Sun, Oct 6, 2013 at 6:48 PM, Mauricio Tavares <[email protected]> wrote:

> I told my switch to send its logs to my centralized (r)syslog
> server. Now, its log entries look like
>
> Oct 6 02:14:03 2013-10-06 02: 14:14 10.0.0.3 61565 The switch has
> learned a new MAC address bc:5f:f4:54:d7:8d, vid:10, interface:port 1.
>
> As opposed to
>
> Oct 5 18:54:45 monkey System SYSTEM:#011User [admin] failed to log in.
>
> which means I cannot get the *proper* %HOSTNAME% to be used with
>

Looks like the original message is improperly formatted. The clean solution to this is to write a message parser for this format:

http://www.rsyslog.com/doc/syslog_parsing.html

It's usually a very quick thing to do. If you are not literate in C, we can write one for you for a small fee.

Rainer

> $template
> DailyPerHostLogs,"/var/log/syslog/%HOSTNAME%/messages_%$YEAR%-%$MONTH%-%$DAY%.log"
>
> i.e., it thinks 2013-10-06 is the hostname. Since I cannot edit the
> way the log is being spit out by the switch, is there any kind of
> postprocessing I can do at the syslog server side?
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
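The parsing step the reply points to, as an added example that is not part of the original thread and is not rsyslog code: a standalone C function (hypothetical name `parse_switch_line`) that recognizes the switch's layout from the two quoted log lines, extracts the real sender, and declines anything else so a standard parser can take it. It does not use the rsyslog parser-module API, and the hostname check is an added assumption, made because %HOSTNAME% ends up in a file path in the quoted template.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs: the two log lines quoted in the thread. */
static const char SWITCH_LINE[] =
    "Oct 6 02:14:03 2013-10-06 02: 14:14 10.0.0.3 61565 The switch has "
    "learned a new MAC address bc:5f:f4:54:d7:8d, vid:10, interface:port 1.";
static const char NORMAL_LINE[] =
    "Oct 5 18:54:45 monkey System SYSTEM:#011User [admin] failed to log in.";

/* Returns 0 and fills host/msg when the line has the switch's layout,
 * -1 otherwise so that a standard parser can handle the line instead. */
int parse_switch_line(const char *line, char *host, size_t hostlen, const char **msg)
{
    char mon[4];
    int day, h, m, s, y, mo, d, n = 0;
    /* Leading "Mmm d hh:mm:ss" stamp followed by the switch's own ISO date. */
    if (sscanf(line, "%3s %d %d:%d:%d %4d-%2d-%2d %n",
               mon, &day, &h, &m, &s, &y, &mo, &d, &n) != 8 || n == 0)
        return -1;
    const char *p = line + n;
    /* Skip the switch's time of day, tolerating the stray space ("02: 14:14"):
     * drop every token that consists only of digits and colons. */
    for (;;) {
        size_t tok = strcspn(p, " ");
        if (tok == 0) return -1;                  /* ran out of input */
        if (strspn(p, "0123456789:") < tok) break;
        p += tok + strspn(p + tok, " ");
    }
    size_t len = strcspn(p, " ");
    /* The host becomes a directory name: allow [A-Za-z0-9.-], no leading dot. */
    if (len >= hostlen || p[0] == '.') return -1;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)p[i]) && p[i] != '.' && p[i] != '-') return -1;
    memcpy(host, p, len);
    host[len] = '\0';
    /* The page does not say what "61565" is, so it stays part of the message. */
    *msg = p + len + strspn(p + len, " ");
    return 0;
}

int main(void)
{
    char host[64];
    const char *msg;
    if (parse_switch_line(SWITCH_LINE, host, sizeof host, &msg) == 0)
        printf("host=%s msg=%s\n", host, msg);
    printf("normal line declined: %d\n",
           parse_switch_line(NORMAL_LINE, host, sizeof host, &msg) == -1);
    return 0;
}
```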

