> >>>>>Or maybe rsyslog supposes that all messages have some sort of date/time
> >>>>>at the start, so that it can't start with letter 'z'?
> >>>>>
> >>>
> >>>>Yup - valid syslog messages NEED to start with "<" (actually <PRI>). See
> >>>>RFC5424 & RFC3164.
> >>>
> >>>Oh, right! Out of your head, do you think that _not_ starting by '<'
> >>>could do any other bad things?
> >>>
> >>>Thanks for the pointer!
> >>>
> >>
> >>quite a lot, because very often it is filtered based on priorities (like
> >>mail.info /maillog). Rsyslog defaults to some values if it's not present,
> >>but that's usually not what you expect.
> >
> >Right. I'll investigate why I am getting the malformed syslog message
> >then.
>
> It's actually _very_ common for things to send malformed messages, missing
> the PRI, missing the timestamp, missing the hostname, or all of the above.
>
> Rsyslog has a series of heuristics to try and do the 'right' thing when it
> gets such messages, but it's guessing, and it's guesses are not always
> right.
Ah, ok, that is new area for me. Are there any other heuristic apart
from "beginning by 'z'"? I guess that messages starting with 'z' will be
quite frequent on Solaris, because of 'zfs' and 'zpool'...
--
Vlad
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
