On Wed, Oct 16, 2013 at 8:28 PM, Xuri Nagarin <[email protected]> wrote:
> Hi,
>
> I copied the forwarding template from
> http://www.rsyslog.com/doc/rsyslog_conf_templates.html
>
> template(name="ForwardFormat" type="list") {
>     constant(value="<")
>     property(name="PRI")
>     constant(value="<")
>     property(name="timestamp" dateFormat="rfc3339")
>     constant(value=" ")
>     property(name="hostname")
>     constant(value=" ")
>     property(name="syslogtag" position.from="1" position.to="32")
>     constant(value=" ")
>     property(name="msg" spifno1stsp="on" )
> }
>
>
> First, I think there are two errors in this example. "PRI" throws an
> error of invalid property. The correct property name is "pri" in
> lower-case, as I have tested with 7.4.4 on RHEL6.2. Second, shouldn't
> the second constant value be ">" and not "<" so "pri" is enclosed
> within "<>"?
>
>

Thanks, I have just corrected this. "<>" is correct. PRI should be
case-sensitive, I have updated the doc for now but will check with the code
later.

As I have seen, the rest of the questions are solved.

Rainer

> Now the issues I have are:
>
> 1. The receiving flume agent cannot parse the timestamp and reports it
> as null. Even if I remove the "dateFormat" modifier, flume isn't able
> to read the event's time-stamp. If I take the template off altogether,
> things are fine.
>
> 2. When I do a tcpdump of the packets being sent by rsyslog to flume,
> the events are stripped of "msg".
>
> *packet dump:*
>
> 18:17:15.014583 IP 127.0.0.1.48187 > 127.0.0.1.5183: Flags [P.], seq
> 15863:17249, ack 1, win 33, options [nop,nop,TS val 1742781195 ecr
> 1742781194], length 1386
> E...^.@[email protected].........;.?..#..f.u...!.......
> g...g..
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]:
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]:
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[17482]:
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[17485]:
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[22165]:
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[17487]:
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[17488]:
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]:
> <38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]:
>
>
> TIA,
>
> Xuri
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
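An added example, not part of the original thread or of rsyslog: a Python check for frames in the layout the ForwardFormat template is meant to produce, flagging the symptoms raised in the thread (PRI not enclosed in "<>", a timestamp the receiver cannot parse, an empty msg). The function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Layout the thread's ForwardFormat template emits once corrected:
# "<" pri ">" timestamp(rfc3339) " " hostname " " syslogtag " " msg
FRAME = re.compile(
    r"^<(?P<pri>\d{1,3})(?P<close>[<>])(?P<ts>\S+) (?P<host>\S+) (?P<tag>\S+) ?(?P<msg>.*)$"
)

def check_frame(line):
    """Return (fields, problems) for one forwarded frame."""
    m = FRAME.match(line.rstrip("\r\n"))
    if not m:
        return None, ["unparseable frame"]
    problems = []
    if m["close"] != ">":
        problems.append("PRI not closed with '>'")
    pri = int(m["pri"])
    if pri > 191:  # highest valid value: facility 23, severity 7
        problems.append("PRI out of range")
    try:
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    except ValueError:
        ts = None
        problems.append("timestamp is not RFC 3339")
    if not m["msg"].strip():
        problems.append("empty msg")
    fields = {"facility": pri >> 3, "severity": pri & 7, "timestamp": ts,
              "hostname": m["host"], "tag": m["tag"], "msg": m["msg"]}
    return fields, problems

def audit(lines):
    """Count each problem across a batch of frames."""
    counts = Counter()
    for line in lines:
        counts.update(check_frame(line)[1])
    return counts

# First line is a frame as shown in the thread's capture; the rest are constructed.
SAMPLE = [
    "<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]:",
    "<38>2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]: constructed message",
    "<38<2013-10-16T18:16:11+00:00 hostname.fqdn.com tac_plus[29339]: constructed message",
    "<38>Oct 16 18:16:11 hostname.fqdn.com tac_plus[29339]: constructed message",
]

if __name__ == "__main__":
    for problem, n in audit(SAMPLE).items():
        print(n, problem)
```

Run against lines captured on the receiver side, a non-zero "empty msg" count indicates that events are arriving as headers only, as in the capture quoted in the thread.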

