try

*.* ?DynaFile;RSYSLOG_DefaultFormat

be aware this is a large format, so you don't want to run this way for long

David Lang

On Mon, 14 Apr 2014, Steve Dainard wrote:

Date: Mon, 14 Apr 2014 10:48:01 -0400
From: Steve Dainard <[email protected]>

Not generating any significant error messages, just compatibility mode
notices.

If I replace:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
with a non-existent template (an accidental typo):
$ActionFileDefaultTemplate RSYSLOG_RSYSLOG_DebugFormat
the logs are formatted without the timestamps/hostname, which is ok as a
workaround.

When you mention using the RSYSLOG_DebugFormat, where would I reference
this template? I tried replacing RSYSLOG_TraditionalFileFormat, and the
logging was printing with debugging info, but seeing as I removed the
default logging format it wasn't very helpful.

Is there a method of applying multiple templates in an if statement? Or
inheriting a template from within a template?

Thanks,


*Steve *


On Fri, Apr 11, 2014 at 7:39 PM, David Lang <[email protected]> wrote:

On Fri, 11 Apr 2014, Steve Dainard wrote:

 That's quite a bit of debugging info.


I was mostly meaning for you to look for errors at startup, try doing grep
ERROR on the output and see what happens at startup before any logs are
processed (looking for config parsing errors)


 It looks like there is a difference in how rsyslog determines what is a
message field (properly formatted in my logs):


Ok, the way to see what's happening with the parsing is to log the
messages with the format RSYSLOG_DebugFormat

that will show you the raw log that rsyslog received and the way it filled
out the other variables.

If you can post some samples from the debugformat output it would probably
help a lot.

David Lang

 3285.432866644:7f92d75fe700: main Q: entry added, size now log 114, phys
114 entries
3285.432893131:7f92d75fe700: main Q: MultiEnqObj advised worker start
3285.432930232:7f92ddab0700: wti 0x7f92e1b80910: worker awoke from idle
processing
3285.432953400:7f92ddab0700: we deleted 0 objects and enqueued 0 objects
3285.432969305:7f92ddab0700: delete batch from store, new sizes: log 114,
phys 114
3285.432984921:7f92ddab0700: msg parser: flags 30, from '10.0.250.4', msg
'<191>: Contact: <sip:[email protected]:5060;transport=tcp'
3285.432991518:7f92ddab0700: parse using parser list 0x7f92e1b56460 (the
default list).
3285.432999864:7f92ddab0700: Parser 'rsyslog.rfc5424' returned -2160
3285.433006130:7f92ddab0700: Message will now be parsed by the legacy
syslog parser (one size fits all... ;)).
3285.433013052:7f92ddab0700: MsgSetTAG in: len 1, pszBuf: :
3285.433017613:7f92ddab0700: MsgSetTAG exit: pMsg->iLenTAG 1,
pMsg->TAG.szBuf: :
3285.433022380:7f92ddab0700: Parser 'rsyslog.rfc3164' returned 0
'285.433027720:7f92ddab0700: msg parser: flags 30, from '10.0.250.4', msg
'<191>: Max-Forwards: 70
3285.433032352:7f92ddab0700: parse using parser list 0x7f92e1b56460 (the
default list).
3285.433037262:7f92ddab0700: Parser 'rsyslog.rfc5424' returned -2160
3285.433053992:7f92ddab0700: Message will now be parsed by the legacy
syslog parser (one size fits all... ;)).
3285.433059286:7f92ddab0700: MsgSetTAG in: len 1, pszBuf: :
3285.433064148:7f92ddab0700: MsgSetTAG exit: pMsg->iLenTAG 1,
pMsg->TAG.szBuf: :
3285.433068913:7f92ddab0700: Parser 'rsyslog.rfc3164' returned 0
'285.433074186:7f92ddab0700: msg parser: flags 30, from '10.0.250.4', msg
'<191>: Content-Length: 0
3285.433078962:7f92ddab0700: parse using parser list 0x7f92e1b56460 (the
default list).
3285.433083934:7f92ddab0700: Parser 'rsyslog.rfc5424' returned -2160
3285.433088123:7f92ddab0700: Message will now be parsed by the legacy
syslog parser (one size fits all... ;)).
3285.433093132:7f92ddab0700: MsgSetTAG in: len 1, pszBuf: :
3285.433097685:7f92ddab0700: MsgSetTAG exit: pMsg->iLenTAG 1,
pMsg->TAG.szBuf: :
3285.433113976:7f92ddab0700: Parser 'rsyslog.rfc3164' returned 0
'285.433118723:7f92ddab0700: msg parser: flags 30, from '10.0.250.4', msg
'<191>:
3285.433123197:7f92ddab0700: parse using parser list 0x7f92e1b56460 (the
default list).
3285.433128085:7f92ddab0700: Parser 'rsyslog.rfc5424' returned -2160
3285.433132516:7f92ddab0700: Message will now be parsed by the legacy
syslog parser (one size fits all... ;)).
3285.433137277:7f92ddab0700: MsgSetTAG in: len 1, pszBuf: :
3285.433141410:7f92ddab0700: MsgSetTAG exit: pMsg->iLenTAG 1,
pMsg->TAG.szBuf: :
3285.433146150:7f92ddab0700: Parser 'rsyslog.rfc3164' returned 0

and what it doesn't determine is a msg field (which is being prefixed with
date/timestamp/hostname in my logs):

4073.163607734:7f92ddab0700: prop repl 4, pRes='
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:', len 43
4073.163614171:7f92ddab0700: end prop repl, pRes='
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:', len 43
4073.163623787:7f92ddab0700: prop repl 4, pRes='10.0.250.4', len 10
4073.163628552:7f92ddab0700: end prop repl, pRes='10.0.250.4', len 10
4073.163633195:7f92ddab0700: prop repl 4, pRes=' Received: ', len 11
4073.163637734:7f92ddab0700: end prop repl, pRes=' Received: ', len 11
4073.163642553:7f92ddab0700: prop repl 4, pRes='10.0.250.4', len 10
4073.163647020:7f92ddab0700: end prop repl, pRes='10.0.250.4', len 10
4073.163651759:7f92ddab0700: prop repl 4, pRes=' ACK
sip:[email protected]:5060 SIP/2.0#015', len 47
4073.163663774:7f92ddab0700: end prop repl, pRes=' ACK
sip:[email protected]:5060 SIP/2.0#015', len 47
4073.163672584:7f92ddab0700: prop repl 4, pRes='10.0.250.4', len 10
4073.163677163:7f92ddab0700: end prop repl, pRes='10.0.250.4', len 10
4073.163681806:7f92ddab0700: prop repl 4, pRes=' Via: SIP/2.0/TCP
10.0.6.30:5060;branch=z9hG4bK372601ec29d47#015', len 64
4073.163686546:7f92ddab0700: end prop repl, pRes=' Via: SIP/2.0/TCP
10.0.6.30:5060;branch=z9hG4bK372601ec29d47#015', len 64
4073.163691408:7f92ddab0700: prop repl 4, pRes='10.0.250.4', len 10
4073.163695796:7f92ddab0700: end prop repl, pRes='10.0.250.4', len 10
4073.163700475:7f92ddab0700: prop repl 4, pRes=' From: "User Name" <
sip:[email protected]>;tag=319430~d732e07f-799a-4d2b-
9d6a-ae2aaf54507d-19889579#015',
len 110
4073.163705413:7f92ddab0700: end prop repl, pRes=' From: "User Name" <
sip:[email protected]>;tag=319430~d732e07f-799a-4d2b-
9d6a-ae2aaf54507d-19889579#015',
len 110

Needless to say, I'm not really sure what this is telling me.



*Steve *


On Fri, Apr 11, 2014 at 3:00 PM, David Lang <[email protected]> wrote:

 try starting rsyslog with -dn to see the startup debug messages. I'll bet
that there's something that it's not happy with in the config syntax and
that's causing something to fail

one note, you don't need the - everything in rsyslog is async unless you
go to a lot of trouble to force it otherwise.

David Lang

On Fri, 11 Apr 2014, Steve Dainard wrote:

 Date: Fri, 11 Apr 2014 14:31:47 -0400

From: Steve Dainard <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: [rsyslog] Logging 'msg' only


Hello list,

I have a couple Cisco routers sending SIP message debug information to an
rsyslog server running on CentOS 6.5.

I've setup the following template to separate out the logging files:

$template DynaFile,"/var/log/%HOSTNAME%.log"
*.* -?DynaFile

$template MsgFormat,"%msg%\n"

if $fromhost-ip == '10.0.250.4' then -?DynaFile;MsgFormat
if $fromhost-ip == '10.1.1.6' then -?DynaFile;MsgFormat

With these templates the output from the router is formatted as such
(note date/timestamp/hostname):

Apr 11 14:17:28 10.0.250.4 : //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Apr 11 14:17:28 10.0.250.4 : Received:
Apr 11 14:17:28 10.0.250.4 : INVITE sip:[email protected]:5060
SIP/2.0#015
Apr 11 14:17:28 10.0.250.4 : Via: SIP/2.0/TCP 10.0.6.30:5060
;branch=z9hG4bK371ba1ab73caa#015
Apr 11 14:17:28 10.0.250.4 : From: "User Name" <
sip:[email protected]

 ;tag=319318~d732e07f-799a-4d2b-9d6a-ae2aaf54507d-19889474#015

 Apr 11 14:17:28 10.0.250.4 : To: <sip:[email protected]>#015
Apr 11 14:17:28 10.0.250.4 : Date: Fri, 11 Apr 2014 18:18:12 GMT#015
Apr 11 14:17:28 10.0.250.4 : Call-ID:
[email protected]#015
Apr 11 14:17:28 10.0.250.4 : Supported: timer,resource-priority,
replaces#015
Apr 11 14:17:28 10.0.250.4 : Min-SE:  1800#015
Apr 11 14:17:28 10.0.250.4 : User-Agent: Cisco-CUCM9.1#015
Apr 11 14:17:28 10.0.250.4 : Allow: INVITE, OPTIONS, INFO, BYE, CANCEL,
ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY#015
Apr 11 14:17:28 10.0.250.4 : CSeq: 101 INVITE#015
Apr 11 14:17:28 10.0.250.4 : Expires: 180#015
Apr 11 14:17:28 10.0.250.4 : Allow-Events: presence#015
Apr 11 14:17:28 10.0.250.4 : Supported:
X-cisco-srtp-fallback,X-cisco-original-called#015
Apr 11 14:17:28 10.0.250.4 : Cisco-Guid:
2734542720-0000065536-0000042552-0503709706#015
Apr 11 14:17:28 10.0.250.4 : Session-Expires:  1800#015
Apr 11 14:17:28 10.0.250.4 : P-Asserted-Identity: "User Name" <
sip:[email protected]>#015
Apr 11 14:17:28 10.0.250.4 : Remote-Party-ID: "User Name" <
sip:[email protected]>;party=calling;screen=yes;privacy=off#015
Received:
INVITE sip:[email protected]:5060 SIP/2.0#015
Via: SIP/2.0/TCP 10.0.6.30:5060;branch=z9hG4bK371ba1ab73caa#015
From: "User Name" <sip:[email protected]

 ;tag=319318~d732e07f-799a-4d2b-9d6a-ae2aaf54507d-19889474#015

 To: <sip:[email protected]>#015
Date: Fri, 11 Apr 2014 18:18:12 GMT#015
Call-ID: [email protected]#015
Supported: timer,resource-priority,replaces#015
Min-SE:  1800#015
User-Agent: Cisco-CUCM9.1#015
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER,
SUBSCRIBE, NOTIFY#015
CSeq: 101 INVITE#015
Expires: 180#015
Allow-Events: presence#015
Supported: X-cisco-srtp-fallback,X-cisco-original-called#015
Cisco-Guid: 2734542720-0000065536-0000042552-0503709706#015
Session-Expires:  1800#015
P-Asserted-Identity: "User Name" <sip:[email protected]>#015
Remote-Party-ID: "User Name" <sip:[email protected]

 ;party=calling;screen=yes;privacy=off#015

 Apr 11 14:17:28 10.0.250.4 : Contact: <sip:[email protected]:5060
;transport=tcp>#015
Apr 11 14:17:28 10.0.250.4 : Max-Forwards: 70#015
Apr 11 14:17:28 10.0.250.4 : Content-Length: 0#015
Apr 11 14:17:28 10.0.250.4 : #015
Apr 11 14:17:28 10.0.250.4 : //6161/A2FDCF800000/SIP/Msg/
ccsipDisplayMsg:

And I want it to look like this (no date/timestamp/hostname):

//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:[email protected]:5060 SIP/2.0#015
Via: SIP/2.0/TCP 10.0.6.30:5060;branch=z9hG4bK371ba1ab73caa#015
From: "User Name" <sip:[email protected]

 ;tag=319318~d732e07f-799a-4d2b-9d6a-ae2aaf54507d-19889474#015

 To: <sip:[email protected]>#015
Date: Fri, 11 Apr 2014 18:18:12 GMT#015
Call-ID: [email protected]#015
Supported: timer,resource-priority,replaces#015
Min-SE:  1800#015
User-Agent: Cisco-CUCM9.1#015
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER,
SUBSCRIBE, NOTIFY#015
CSeq: 101 INVITE#015
Expires: 180#015
Allow-Events: presence#015
Supported: X-cisco-srtp-fallback,X-cisco-original-called#015
Cisco-Guid: 2734542720-0000065536-0000042552-0503709706#015
Session-Expires:  1800#015
P-Asserted-Identity: "User Name" <sip:[email protected]>#015
Remote-Party-ID: "User Name" <sip:[email protected]

 ;party=calling;screen=yes;privacy=off#015

 Received:
INVITE sip:[email protected]:5060 SIP/2.0#015
Via: SIP/2.0/TCP 10.0.6.30:5060;branch=z9hG4bK371ba1ab73caa#015
From: "User Name" <sip:[email protected]

 ;tag=319318~d732e07f-799a-4d2b-9d6a-ae2aaf54507d-19889474#015

 To: <sip:[email protected]>#015
Date: Fri, 11 Apr 2014 18:18:12 GMT#015
Call-ID: [email protected]#015
Supported: timer,resource-priority,replaces#015
Min-SE:  1800#015
User-Agent: Cisco-CUCM9.1#015
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER,
SUBSCRIBE, NOTIFY#015
CSeq: 101 INVITE#015
Expires: 180#015
Allow-Events: presence#015
Supported: X-cisco-srtp-fallback,X-cisco-original-called#015
Cisco-Guid: 2734542720-0000065536-0000042552-0503709706#015
Session-Expires:  1800#015
P-Asserted-Identity: "User Name" <sip:[email protected]>#015
Remote-Party-ID: "User Name" <sip:[email protected]

 ;party=calling;screen=yes;privacy=off#015

 Contact: <sip:[email protected]:5060;transport=tcp>#015
Max-Forwards: 70#015
Content-Length: 0#015
#015
//6161/A2FDCF800000/SIP/Msg/ccsipDisplayMsg:


From what I've read $template MsgFormat,"%msg%\n" should work, so I'm a bit
confused.

If I comment out #$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
the formatting is:

2014-04-11T14:25:20.296816-04:00 10.0.250.4 : a=rtpmap:0 PCMU/8000#015
2014-04-11T14:25:20.296816-04:00 10.0.250.4 : a=ptime:20#015
2014-04-11T14:25:20.296816-04:00 10.0.250.4 : a=rtpmap:101
telephone-event/8000#015
2014-04-11T14:25:20.296816-04:00 10.0.250.4 : a=fmtp:101 0-15#015

So it's definitely rsyslog formatting, not the client side.

Any help is appreciated, thanks.



*Steve*
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
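
An added example, not part of any poster's message: where a template is attached to an individual rsyslog action, using the legacy-format directives and the two router addresses quoted in the thread. The debug file path is hypothetical, and the rule ordering with a discard after each router rule is this example's own choice, relying on the fact that every action whose filter matches a message writes it with that action's template.

```conf
# Added example; legacy-format rsyslog directives as used in the thread.
# Assumption: /var/log/rsyslog-debugformat.log is a hypothetical path.

$template DynaFile,"/var/log/%HOSTNAME%.log"
$template MsgFormat,"%msg%\n"

# A template is bound to one action by appending ";TemplateName" to it.
# An action without that suffix uses $ActionFileDefaultTemplate.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Temporary diagnostic action: RSYSLOG_DebugFormat dumps the raw message
# and the parsed properties. It is verbose, so it goes to its own file
# and should be removed once the parsing question is answered.
*.* /var/log/rsyslog-debugformat.log;RSYSLOG_DebugFormat

# Router traffic: write only %msg%, then discard the message so the
# catch-all rule below does not also write it with the default template.
# ("& ~" is the legacy discard; newer rsyslog versions spell it "& stop".)
if $fromhost-ip == '10.0.250.4' then ?DynaFile;MsgFormat
& ~
if $fromhost-ip == '10.1.1.6' then ?DynaFile;MsgFormat
& ~

# Everything else: per-host file in the default (timestamped) format.
*.* ?DynaFile
```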
