On Fri, Apr 4, 2014 at 3:08 PM, Davor Saric <[email protected]> wrote:
> On 04.04.2014 14:43, Rainer Gerhards wrote: > >> I am CC'ing the rsyslog mailing list as the issue is more related the >> rsyslog and syslog in general. I suggest to subscribe in order to >> receive follow-ups. >> > > Subscribed :) > > > I think the problem you see is based on the fact that RFC3164 - which is >> used to parse these types of messages - specifies that everything after >> the TAG is the message. Usually, messages have "TAG: mm", note the space >> before mm. This is where it stems from. >> > > "sensitive information replaced" > > Ok, on client with rsyslog v5 imfile writes to local5 and here is the line > in local5.log: > > Mar 25 13:28:10 hostname apache-access: 123.456.789.000 - - > [25/Mar/2014:12:40:29 +0100]... > > On server with rsyslog v7, his own apache logs with imfile are writen to > local5 and the line is: > Apr 4 14:48:51 central apache-access: 111.222.333.444 - - > [04/Apr/2014:14:48:50 +0200]... > > You can see that space is present in both log. But when writing rules and > templates, somehow the central rsyslog registers a space in msg property > from this incoming logs but does not take space from msg property when > reading local logs witch are fetched with imfile... > > That's because the omfile default template inserts the space if it is not there. > Btw clients are CentOS 6 and Debian 7 with rsyslog v5 and central rsyslog > is Centos 6 with rsyslog v7 stable... > > > In regard to lognorm rules, you can simply duplicate the entries with >> and without a space in front. It's a bit ugly, but a work-around you can >> use right now. >> > > If this is normal and is not a bug I allready have two rules and > templates, one for incoming logs and one for central server local apache > logs so I have a workaround :) > No, its not a bug, but it's still ugly. I always wanted to add an option to specify a template to be used for mmnormalize (where you could fix these things), but it does not play well with the message modification module interface, and so this change actually would be a couple of magnitudes larger than you'd usually expect. Given the mile-long todo list, this hasn't happened yet and probably will not in the forseable future :-( Rainer _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
