On Sun, 6 Oct 2013, Mauricio Tavares wrote:
I told my switch to send its logs to my centralized (r)syslog
server. Now, its log entries look like
Oct 6 02:14:03 2013-10-06 02:14:14 10.0.0.3 61565 The switch has
learned a new MAC address bc:5f:f4:54:d7:8d, vid:10, interface:port 1.
As opposed to
Oct 5 18:54:45 monkey System SYSTEM:#011User [admin] failed to log in.
which means I cannot get the *proper* %HOSTNAME% to be used with
$template
DailyPerHostLogs,"/var/log/syslog/%HOSTNAME%/messages_%$YEAR%-%$MONTH%-%$DAY%.log"
i.e., it thinks 2013-10-06 is the hostname. Since I cannot edit the
way the log is being spit out by the switch, is there any kind of
postprocessing I can do at the syslog server side?
it looks like there is more wrong than just that, since the timestamp is in
there twice.
what type of switch is this?
could you configure rsyslog to write some logs in the format RSYSLOG_DebugFormat
so that we can see what the raw log that is sent over the wire looks like. I'd
guess that it's sending something like
2013-10-06 02:14:14 10.0.0.3 61565 The switch has learned a new MAC address
bc:5f:f4:54:d7:8d, vid:10, interface:port 1
this has an invalid timestamp format, a number where the syslog tag should be,
and an IP address where it should have a hostname.
Yes, you can end up writing a template on your rsyslog server that will clean
this up as it sends it out, but this will be pretty ugly (and therefore slow), I
think a better thing to do would be to write (or pay Adiscon professional
services to write) an input parser module that will detect this and clean it up
as it arrives into rsyslog (so everything ends up in the right variables). You
would need to get a quote from Rainer, but I think they've talked about being in
the range of 500 euros for this sort of thing in the past.
David Lang
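To make the clean-up David describes concrete, here is an added example (not code from this thread or from the rsyslog project) of the detection and normalisation an input parser would have to do, written in Python so it can be run offline over sample lines. It assumes the raw wire format David guesses at above, with a PRI prefix that the thread never confirms; the two sample lines are constructed from the fragments quoted in the thread, the tag value "switch" is a placeholder because the switch sends none, and the year supplied for the RFC 3164 line stands in for the receiving server's clock.

```python
"""Normalise a non-RFC-3164 switch syslog line into standard syslog fields.

Added example, not part of the rsyslog thread or project. It shows the
clean-up a custom input parser would perform: recognise the malformed
format, pull out a timestamp, a HOSTNAME and a MSG, and note the number
that sits where the TAG should be.
"""
import re
from datetime import datetime
from typing import Optional

# Constructed sample input, modelled on the two formats quoted in the thread.
# The first is the guessed raw wire form of the switch message (the <134>
# PRI is an assumption); the second is a well-formed RFC 3164 line from a
# host called "monkey" (rsyslog's "#011" rendering of a tab is a real tab here).
SAMPLE_LINES = [
    "<134>2013-10-06 02:14:14 10.0.0.3 61565 The switch has learned a new "
    "MAC address bc:5f:f4:54:d7:8d, vid:10, interface:port 1",
    "<38>Oct  5 18:54:45 monkey System SYSTEM:\tUser [admin] failed to log in.",
]

# Switch format: "YYYY-MM-DD hh:mm:ss" (not a syslog timestamp), an IPv4
# address where the hostname belongs, a bare number where the TAG belongs,
# then free text.
SWITCH_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<seq>\d+) "
    r"(?P<msg>.*)$"
)

# Plain RFC 3164: "Mmm dd hh:mm:ss HOSTNAME TAG MSG"; the tag is taken as the
# first word after the hostname, with an optional trailing colon.
RFC3164_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:]+):?\s*"
    r"(?P<msg>.*)$"
)


def parse_line(line: str, default_year: int = 2013) -> Optional[dict]:
    """Return normalised fields for one raw line, or None if unrecognised.

    default_year stands in for the receiving server's year, which RFC 3164
    timestamps do not carry.
    """
    m = SWITCH_RE.match(line)
    if m:
        return {
            "source": "switch",
            "timestamp": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "hostname": m["host"],   # the IP; resolving it to a name is a separate step
            "tag": "switch",         # placeholder: the switch sends no TAG at all
            "seq": int(m["seq"]),    # the number that occupied the TAG slot
            "msg": m["msg"],
        }
    m = RFC3164_RE.match(line)
    if m:
        ts = datetime.strptime(f"{default_year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {
            "source": "rfc3164",
            "timestamp": ts,
            "hostname": m["host"],
            "tag": m["tag"],
            "seq": None,
            "msg": m["msg"],
        }
    return None  # unrecognised; a real parser module would fall back to rsyslog's default


def daily_per_host_path(fields: dict, received: Optional[datetime] = None,
                        base: str = "/var/log/syslog") -> str:
    """Path the thread's DailyPerHostLogs template yields once HOSTNAME is right.

    The template's $YEAR/$MONTH/$DAY come from the server clock, so the date
    part is taken from `received`; the message timestamp is used when no
    receive time is given.
    """
    day = received or fields["timestamp"]
    return f"{base}/{fields['hostname']}/messages_{day:%Y-%m-%d}.log"


def normalise(lines, received: Optional[datetime] = None, default_year: int = 2013):
    """Parse every recognised line and attach its per-host output path."""
    out = []
    for line in lines:
        fields = parse_line(line, default_year)
        if fields is None:
            continue
        fields["path"] = daily_per_host_path(fields, received)
        out.append(fields)
    return out


if __name__ == "__main__":
    # The receive time rsyslog itself stamped on the quoted switch line.
    received_at = datetime(2013, 10, 6, 2, 14, 3)
    for f in normalise(SAMPLE_LINES, received_at):
        print(f["path"], "|", f["source"], "|", f["tag"], "|", f["msg"])
```

Two things worth noticing when running this against the quoted line: the regexes have to be fitted to the raw wire form (which is why David asks for RSYSLOG_DebugFormat output), not to the already-mangled line rsyslog wrote, and the switch's own timestamp (02:14:14) disagrees with the time rsyslog received the message (02:14:03), so once the message timestamp is trusted the clock skew between switch and server becomes visible.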
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.