On 04.04.2014 14:43, Rainer Gerhards wrote:
I am CC'ing the rsyslog mailing list as the issue is more related the
rsyslog and syslog in general. I suggest to subscribe in order to
receive follow-ups.
Subscribed :)
I think the problem you see is based on the fact that RFC3164 - which is
used to parse these types of messages - specifies that everything after
the TAG is the message. Usually, messages have "TAG: mm", note the space
before mm. This is where it stems from.
"sensitive information replaced"
Ok, on client with rsyslog v5 imfile writes to local5 and here is the
line in local5.log:
Mar 25 13:28:10 hostname apache-access: 123.456.789.000 - -
[25/Mar/2014:12:40:29 +0100]...
On server with rsyslog v7, his own apache logs with imfile are writen to
local5 and the line is:
Apr 4 14:48:51 central apache-access: 111.222.333.444 - -
[04/Apr/2014:14:48:50 +0200]...
You can see that space is present in both log. But when writing rules
and templates, somehow the central rsyslog registers a space in msg
property from this incoming logs but does not take space from msg
property when reading local logs witch are fetched with imfile...
Btw clients are CentOS 6 and Debian 7 with rsyslog v5 and central
rsyslog is Centos 6 with rsyslog v7 stable...
In regard to lognorm rules, you can simply duplicate the entries with
and without a space in front. It's a bit ugly, but a work-around you can
use right now.
If this is normal and is not a bug I allready have two rules and
templates, one for incoming logs and one for central server local apache
logs so I have a workaround :)
With regards,
Davor Saric
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
