2015-02-10 17:36 GMT+01:00 James Lay <[email protected]>:

>  On 2015-02-10 08:37 AM, Rainer Gerhards wrote:
>
>
> 2015-02-10 16:32 GMT+01:00 James Lay <[email protected]>:
>
>> Help....just made the switch and seeing a ton of these types of errors:
>>
>>  rsyslogd: Framing Error in received TCP message: delimiter is not SP but
>> has ASCII value 46.
>>
> this sounds like a problem with the sender. Rsyslog is seeing invalid
> protocol handling, more precisely a framing error. ASCII code 46 (the dot)
> is seen where either < or an integer number must be.
> If that's an option, you could capture a tcp session and post the capture
> file so that I can have a look with wireshark.
> Rainer
>
>> Not even sure where to start to look at this.  Thank you.
>>
>> James
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> DON'T LIKE THAT.
>
>   Yes...these messages are from a proxy device which is just connecting
> via tcp to port 514...I am fairly certain that these aren't protocol
> compliant with things like:
>
> 192.168.1.1 - - TCP....
> 192.168.1.1 DOMAIN\name ....
> 192.168.1.1 - 192.168.1.2 ....
>

yup, that's not syslog but just a dump ;)

> A lot of these messages contain funky characters.  Is there a way I can
> tell rsyslog to just log and ignore protocol?  Thank you.
>

To make things work really nice, you would need this:
https://github.com/rsyslog/rsyslog/issues/238 (feel free to vote for its
implementation!).

The work-around is to disable octet-counted framing. With the current
versions, this means you must use imptcp (not imtcp, note the "p"), because
imtcp has a bug so that it does not accept the config parameter. Then, you
can use the rawmsg property in a custom template, which will get you the
exact same message that was received.

IF, however, there are embedded LF INSIDE the messages, you are lost. But
this looks like CLF, so I wouldn't expect them.

HTH
Rainer

> James
>
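The framing error discussed in this thread, modelled as an added example (not part of the original messages and not rsyslog's code): a receiver that supports octet-counted framing takes a leading digit as a length prefix, so a line beginning `192.168.1.1` is read as count 192 followed by `.` (ASCII 46) where SP is expected. The function names and sample lines are constructed for illustration.

```python
# Simplified model of syslog-over-TCP framing (RFC 6587 style); illustration only.
SP = 0x20

class FramingError(Exception):
    pass

def split_frames(stream, octet_counted=True):
    """Split a TCP byte stream into messages.

    octet_counted=True : a frame starting with a digit is 'MSG-LEN SP MSG';
                         any other frame is LF-terminated.
    octet_counted=False: every frame is LF-terminated and returned as received.
    """
    frames, i = [], 0
    while i < len(stream):
        if octet_counted and 0x30 <= stream[i] <= 0x39:
            j = i
            while j < len(stream) and 0x30 <= stream[j] <= 0x39:
                j += 1
            if j == len(stream):
                break  # count not complete yet, more data needed
            if stream[j] != SP:
                raise FramingError(
                    f"delimiter is not SP but has ASCII value {stream[j]}")
            length = int(stream[i:j])
            frames.append(stream[j + 1:j + 1 + length])
            i = j + 1 + length
        else:
            end = stream.find(b"\n", i)
            if end == -1:
                end = len(stream)
            frames.append(stream[i:end])
            i = end + 1
    return frames

def framing_error(stream):
    """Return the framing error text for a stream, or None if it parses."""
    try:
        split_frames(stream)
    except FramingError as exc:
        return str(exc)
    return None

# Constructed sample: proxy access-log lines that start with an IP address.
PROXY_DUMP = b"192.168.1.1 - - TCP_MISS/200\n192.168.1.1 DOMAIN\\name TCP_HIT/200\n"

if __name__ == "__main__":
    print(framing_error(PROXY_DUMP))
    print(split_frames(PROXY_DUMP, octet_counted=False))
```

With octet counting off, LF is the only delimiter, which is why a message containing an embedded LF would be split into two records.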