On Mon, 24 Nov 2014, Michael Orlov wrote:
Hello,
I have a client-server setup via stunnel on centos 5 and rsyslog version
7.6.2 installed from a repo.
The valid incomming message is tab delimited string with 8 elements
The problem is: sometimes my client machine send a message on multiply
lines(with a bunch of newline symbols) and the server machine create a mess
in the output file.
This is a problem, you really need to escape the newlines before they get to
rsyslog.
The tcp transport does have an octet mode that will preserve newlines, but many
other things are likely to break on these messages because a newline is the
standard way of ending a log message.
When you send the messages, rsyslog formats the message (including newlines) per
the template, but the system recieving the message and parses it thinks that
it's seeing multiple messages.
David Lang
It looks like rsyslog starting split message somehow different. And in log
i can find lines started with '<13>.*programname: ' it means that template
is not applied to message. Or there is some of messages that splited by
"\n" in the random place. This behaviour will continue by the end of the
file(every hour)
On the client machine corrupted(on the server) messages are stored
correctly. No sudden newlines and no <%PRI%>%TIMESTAMP% %syslogtag%
trouble.
How can i fix this ?
Thank you!
client configuration:
action(type="omfwd" name="Reports" Target="127.0.0.1" Port="20514"
Protocol="tcp" )
server configuration
template(name="raw" type="string" string="%msg:2:$%\n")
template(name="nn" type="string"
string="/var/log/nn/%$YEAR%%$MONTH%%$DAY%/%$HOUR%")
ruleset(name="rule_nn"){
if $msg contains ' ' then # Check for \t in message
action(type="omfile" DynaFile="nn" template="raw" )
stop
}
input(type="imtcp" port="10515" ruleset="rule_nn" )
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
