Hi,
I copied the forwarding template from
http://www.rsyslog.com/doc/rsyslog_conf_templates.html
template(name="ForwardFormat" type="list") {
    constant(value="<")
    property(name="PRI")
    constant(value="<")
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag" position.from="1" position.to="32")
    constant(value=" ")
    property(name="msg" spifno1stsp="on" )
}
First, I think there are two errors in this example. "PRI" throws an
error of invalid property. The correct property name is "pri" in
lower-case, as I have tested with 7.4.4 on RHEL6.2. Second, shouldn't
the second constant value be ">" and not "<" so "pri" is enclosed
within "<>"?
Now the issues I have are:
1. The receiving flume agent cannot parse the timestamp and reports it
as null. Even if I remove the "dateFormat" modifier, flume isn't able
to read the event's time-stamp. If I take the template off altogether,
things are fine.
2. When I do a tcpdump of the packets being sent by rsyslog to flume,
the events are stripped of "msg".
*packet dump:*
18:17:15.014583 IP 127.0.0.1.48187 > 127.0.0.1.5183: Flags [P.], seq
15863:17249, ack 1, win 33, options [nop,nop,TS val 1742781195 ecr
1742781194], length 1386
E...^.@[email protected].........;.?..#..f.u...!.......
g...g..
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]:
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]:
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[17482]:
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[17485]:
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[17487]:
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[17488]:
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]:
<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]:
TIA,
Xuri
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
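Added example, not part of the original post and not rsyslog or flume code: a small Python check for the receiving side that parses each forwarded line in the <pri>timestamp hostname tag msg layout and reports frames with bad PRI framing, an unparseable timestamp, or an empty msg (PRI 38 decodes to facility 4, severity 6). The function names and the sample lines marked as constructed are assumptions for illustration.

```python
import re
from datetime import datetime

# Layout emitted by the template in the post: <pri>timestamp hostname tag msg
FRAME = re.compile(r"<(\d{1,3})>(\S+) (\S+) (\S+)(.*)$")

def parse_frame(line):
    """Split one forwarded line into fields; return None if the framing is wrong."""
    m = FRAME.match(line)
    if not m or int(m.group(1)) > 191:   # PRI = facility * 8 + severity, max 191
        return None
    pri = int(m.group(1))
    try:
        ts = datetime.fromisoformat(m.group(2).replace("Z", "+00:00"))
    except ValueError:
        ts = None
    return {
        "facility": pri >> 3, "severity": pri & 7,
        "timestamp": ts, "hostname": m.group(3),
        "tag": m.group(4), "msg": m.group(5).strip(),
    }

def audit(lines):
    """Return (line_number, problem) pairs for frames a collector could not use."""
    problems = []
    for n, line in enumerate(lines, 1):
        f = parse_frame(line.rstrip("\r\n"))
        if f is None:
            problems.append((n, "bad framing"))
            continue
        if f["timestamp"] is None:
            problems.append((n, "unparseable timestamp"))
        if not f["msg"]:
            problems.append((n, f"empty msg (facility {f['facility']})"))
    return problems

SAMPLE = [
    # copied from the packet dump in the post
    "<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]:",
    # constructed: same frame with a trailing space, a complete frame,
    # and a frame using the "<pri<" framing from the copied template
    "<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]: ",
    "<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]: login ok",
    "<38<2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]: login ok",
]

if __name__ == "__main__":
    for n, problem in audit(SAMPLE):
        print(f"line {n}: {problem}")
```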