Re: [rsyslog] Uncompression of a message failed with return code -3

Fri, 17 Jan 2014 05:57:06 -0800 

On Fri, Jan 17, 2014 at 2:12 PM, Vladimir Marek
<[email protected]>wrote:

> Hi,
>
> Recently we hit an issue with rsyslog logging the following message:
>
> 2014-01-17T12:33:55.563262+00:00 solaris rsyslogd: Uncompression of a
> message failed with return code -3 - enable debug logging if you need
> further information. Message ignored.
>
> The problem is that rsyslogd tries to uncompress a message which is not
> compressed. The conditions for this seem to be simple:
>
> parser.c:
>   if(lenMsg > 0 && *pszMsg == 'z') {
>     ...
>     ret = uncompress((uchar *) deflateBuf, &iLenDefBuf, (uchar *)
> pszMsg+1, lenMsg-1);
>
>
> When I try to print the message, I can see:
>
> (dbx) print pMsg->pszRawMsg;
> pMsg->pszRawMsg = 0x823b0d540 "zfs: [ID 249136 kern.info] imported
> version 35 pool pool using 35"
>
>
> It seems that all messages starting with 'z' must be compressed. That
> feels a bit strong limitation :) The workaround for us is to disable
> compression completely, but that does not sound to be the proper fix
> either.
>
> Or maybe rsyslog supposes that all messages have some sort of date/time
> at the start, so that it can't start with letter 'z'?
>

Yup - valid syslog messages NEED to start with "<" (actually <PRI>). See
RFC5424 & RFC3164.

Rainer


>
> Please note that we are using version 6.2.0, but I was looking at latest
> 8.1.4 and it seems to be the same.
>
> Thank you
> --
>         Vlad
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to