Who writes a syslog processor that strips off hostname and timestamp? https://issues.apache.org/jira/browse/FLUME-1666
Sorry, no issues with rsyslog. Flume's broken.

On Wed, Oct 16, 2013 at 12:23 PM, Xuri Nagarin <[email protected]> wrote:

> Another obvious error in the example (looking at the legacy format below
> the example) - the template should be:
>
> template(name="fwdform" type="list") {
>     constant(value="<")
>     property(name="pri")
>     constant(value=">")
>     property(name="timestamp" dateFormat="rfc3339")
>     constant(value=" ")
>     property(name="hostname")
>     constant(value=" ")
>     property(name="syslogtag" position.from="1" position.to="32")
>     constant(value=" ")
>     property(name="msg" spifno1stsp="on" )
>     property(name="msg")
> }
>
> Notice the "msg" property at the end? :)
>
> On Wed, Oct 16, 2013 at 11:28 AM, Xuri Nagarin <[email protected]> wrote:
>
>> Hi,
>>
>> I copied the forwarding template from
>> http://www.rsyslog.com/doc/rsyslog_conf_templates.html
>>
>> template(name="ForwardFormat" type="list") {
>>     constant(value="<")
>>     property(name="PRI")
>>     constant(value="<")
>>     property(name="timestamp" dateFormat="rfc3339")
>>     constant(value=" ")
>>     property(name="hostname")
>>     constant(value=" ")
>>     property(name="syslogtag" position.from="1" position.to="32")
>>     constant(value=" ")
>>     property(name="msg" spifno1stsp="on" )
>> }
>>
>> First, I think there are two errors in this example. "PRI" throws an error
>> of invalid property. The correct property name is "pri" in lower-case, as I
>> have tested with 7.4.4 on RHEL6.2. Second, shouldn't the second constant
>> value be ">" and not "<" so "pri" is enclosed within "<>"?
>>
>> Now the issues I have are:
>>
>> 1. The receiving flume agent cannot parse the timestamp and reports it as
>> null. Even if I remove the "dateFormat" modifier, flume isn't able to read
>> the event's time-stamp. If I take the template off altogether, things are
>> fine.
>>
>> 2. When I do a tcpdump of the packets being sent by rsyslog to flume, the
>> events are stripped of "msg".
>>
>> *packet dump:*
>>
>> 18:17:15.014583 IP 127.0.0.1.48187 > 127.0.0.1.5183: Flags [P.], seq
>> 15863:17249, ack 1, win 33, options [nop,nop,TS val 1742781195 ecr
>> 1742781194], length 1386
>> E...^.@[email protected].........;.?..#..f.u...!.......
>> g...g..
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]:
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]:
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[17482]:
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[17485]:
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[17487]:
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[17488]:
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]:
>> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]:
>>
>> TIA,
>>
>> Xuri

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
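A receiving-side check for the symptom described in this thread, as an added example that is not part of the original posts and is not rsyslog or Flume code: it parses lines in the layout the quoted "fwdform" template emits and flags an empty msg or a timestamp that is not RFC 3339. The name check_line and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Layout produced by the "fwdform" template quoted above:
#   <pri>rfc3339-timestamp SP hostname SP syslogtag SP msg
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\S+) "
    r"(?P<host>\S+) "
    r"(?P<tag>\S{1,32})"
    r"(?: ?(?P<msg>.*))?$"
)

def check_line(line):
    """Return (fields, problems) for one forwarded syslog line."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None, ["does not match <pri>timestamp host tag msg"]
    problems = []
    pri = int(m["pri"])
    if pri > 191:  # highest valid value: facility 23, severity 7
        problems.append("pri out of range")
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        ts = None
        problems.append("timestamp is not RFC 3339")
    msg = (m["msg"] or "").strip()
    if not msg:
        problems.append("empty msg")
    # PRI encodes facility * 8 + severity.
    fields = {"facility": pri >> 3, "severity": pri & 7, "timestamp": ts,
              "hostname": m["host"], "tag": m["tag"], "msg": msg}
    return fields, problems

# Constructed sample lines: the first mirrors the packet dump above (no msg),
# the second carries a made-up message body.
SAMPLES = [
    "<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]: ",
    "<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]: login ok",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_line(sample))
```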

