On Fri, 5 Dec 2014, Douglas K. Rand wrote:

On 12/05/14 12:00, David Lang wrote:
On Fri, 5 Dec 2014, Douglas K. Rand wrote:

I have an ImageStream router and it seems to have a fairly brain dead
syslog on it: all of the messages it generates are missing both the
hostname and the time.

rsyslog tries to do this by default, but if the heuristics don't work
then the approach that you can take is to do a manual fixup for any
traffic from that IP.

Ya, I was a bit surprised that I was seeing log entries missing those. I
worked on your suggestion

$template fixup1,"<%pri%>%timestamp% %fromhost% %hostname%%msg%"

if $fromhost-ip == '1.1.1.1' then {
  # whatever you do with the messages
  stop
}

and I got that working. Then I reverted everything to check a problem I
was seeing and then it just started working again.  Either some stray
gamma ray fixed the problem or I was imagining it the first time around.
I'd swear that I had log entries from rsyslog that were missing both
timestamps and hosts, but now I can't find them.

So, I'm going to assume I was imagining it and rsyslogd has been doing
the Right Thing(tm) all the time.

Keep an eye on it. Rsyslog does a lot of work to try and fix up malformed messages like this, but there are things that can fool it. I don't think I've seen missing timestamps, but I know I've seen cases where the first word of the message was the hostname, the second was the syslog tag, and the rest was the message. If the hostname and syslog tag are missing, rsyslog looks at what's there and if it's not valid for the hostname or syslog tag fields, it 'fixes' it, but if it is valid, rsyslog doesn't have a way of knowing that it's wrong.

So with your example, root: isn't a valid hostname, but root would be.

David Lang
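
A simplified model of the ambiguity described above, as an added example that is not part of the original thread and is not rsyslog's parser code. The function name `parse_legacy`, the hostname character rule, and the sample messages and address are assumptions made for illustration; `trust_sender=True` models the per-IP fixup, where the hostname always comes from the sending address.

```python
import re

# Assumed rule: a hostname is letters, digits, '.', '_' or '-' and ends alphanumeric.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9._-]*[A-Za-z0-9]")
PRI_RE = re.compile(r"<(\d{1,3})>")


def parse_legacy(raw, sender_ip, trust_sender=False):
    """Parse '<PRI>[hostname ]tag: msg' from a device that sends no timestamp.

    With trust_sender=False the first word is taken as the hostname whenever
    it looks like one. With trust_sender=True the payload is never trusted
    for the hostname and the sender's address is used instead.
    """
    m = PRI_RE.match(raw)
    pri = int(m.group(1)) if m else 13  # 13 = user.notice when PRI is absent
    rest = raw[m.end():] if m else raw

    first, _, remainder = rest.partition(" ")
    if not trust_sender and remainder and HOSTNAME_RE.fullmatch(first):
        hostname, rest = first, remainder   # first word accepted as hostname
    else:
        hostname = sender_ip                # fall back to where it came from

    tag, sep, msg = rest.partition(":")
    if not sep or " " in tag:               # no usable 'tag:' prefix
        tag, msg = "", rest
    return {"pri": pri, "hostname": hostname, "tag": tag, "msg": msg.strip()}


if __name__ == "__main__":
    router = "192.0.2.10"  # constructed sender address (documentation range)
    samples = [            # constructed messages, no hostname or timestamp
        "<13>root: interface up",          # 'root:' cannot be a hostname
        "<13>root login: session opened",  # 'root' can, so it is misread
    ]
    for raw in samples:
        print("heuristic:", parse_legacy(raw, router))
        print("per-IP   :", parse_legacy(raw, router, trust_sender=True))
```
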