On 2015-02-10 10:41 AM, Rainer Gerhards wrote:
> 2015-02-10 17:36 GMT+01:00 James Lay <[email protected] [5]>:
>
>> On 2015-02-10 08:37 AM, Rainer Gerhards wrote:
>>
>>> 2015-02-10 16:32 GMT+01:00 James Lay <[email protected] [4]>:
>>>
>>>> Help....just made the switch and seeing a ton of these types of errors:
>>>>
>>>> rsyslogd: Framing Error in received TCP message: delimiter is not SP but has ASCII value 46.
>>>
>>> this sounds like a problem with the sender. Rsyslog is seeing invalid protocol handling, more precisely a framing error. ASCII code 46 (the dot) is seen where either < or an integer number must be.
>>> If that's an option, you could capture a tcp session and post the capture file so that I can have a look with wireshark.
>>> Rainer
>>>
>>>> Not even sure where to start to look at this. Thank you.
>>>>
>>>> James
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog [1]
>>>> http://www.rsyslog.com/professional-services/ [2]
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards [3]
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
>>
>> Yes...these messages are from a proxy device which is just connecting via tcp to port 514...I am fairly certain that these aren't protocol compliant with things like:
>>
>> 192.168.1.1 - - TCP....
>> 192.168.1.1 DOMAINname ....
>> 192.168.1.1 - 192.168.1.2 ....
>
> yup, that's not syslog but just a dump ;)
>
>> A lot of these messages contain funky characters. Is there a way I can tell rsyslog to just log and ignore protocol? Thank you.
>
> To make things work really nice, you would need this: https://github.com/rsyslog/rsyslog/issues/238 [6] (feel free to vote for its implementation!).
> The work-around is to disable octet-counted framing. With the current versions, this means you must use imptcp (not imtcp, note the "p"), because imtcp has a bug so that it does not accept the config parameter. Then, you can use the rawmsg property in a custom template, which will get you the exact same message that was received.
> IF, however, there are embedded LF INSIDE the messages, you are lost. But this looks like CLF, so I wouldn't expect them.
> HTH
> Rainer
>
>> James

Thanks Rainer,

So dumping this to a file, opening in vim and doing a set list shows nothing embedded...just a LONG line. In between what would have been a linefeed I see #015#012. And can you point me in the right direction for making a custom template? I'm pretty new to rsyslog...thanks a bunch Rainer.

James

Links:
------
[1] http://lists.adiscon.net/mailman/listinfo/rsyslog
[2] http://www.rsyslog.com/professional-services/
[3] https://twitter.com/rgerhards
[4] mailto:[email protected]
[5] mailto:[email protected]
[6] https://github.com/rsyslog/rsyslog/issues/238
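
Added example, not part of the thread and not rsyslog's code: a simplified Python model of how a syslog TCP receiver chooses between octet-counted and LF-delimited framing, showing why a stream that starts with `192.` produces the error quoted above and what disabling octet-counted framing changes. The function names and the sample lines are constructed for illustration.

```python
# Simplified model of syslog-over-TCP framing (RFC 6587 style); not rsyslog's code.

class FramingError(ValueError):
    pass

# Constructed sample: proxy log lines sent as-is over TCP, CR LF terminated.
PROXY_DUMP = (b"192.168.1.1 - - TCP sample-a\r\n"
              b"192.168.1.1 - 192.168.1.2 sample-b\r\n")

def split_frames(stream, octet_counted=True):
    """Split a received TCP byte stream into message frames."""
    frames, pos = [], 0
    while pos < len(stream):
        if octet_counted and stream[pos:pos + 1].isdigit():
            # Leading digit: treat as "MSG-LEN SP MSG" (octet-counted framing).
            end = pos
            while stream[end:end + 1].isdigit():
                end += 1
            if end == len(stream):
                raise FramingError("stream ended inside the octet count")
            if stream[end] != 0x20:
                raise FramingError(
                    f"delimiter is not SP but has ASCII value {stream[end]}")
            count = int(stream[pos:end])
            start = end + 1
            if start + count > len(stream):
                raise FramingError("frame shorter than its octet count")
            frames.append(stream[start:start + count])
            pos = start + count
        else:
            # Otherwise the frame runs to the next LF (or end of stream).
            nl = stream.find(b"\n", pos)
            nl = len(stream) if nl == -1 else nl
            frames.append(stream[pos:nl])
            pos = nl + 1
    return frames

def framing_error(stream):
    """Return the framing error text for a stream, or None if it parses."""
    try:
        split_frames(stream)
    except FramingError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    print(framing_error(PROXY_DUMP))
    for frame in split_frames(PROXY_DUMP, octet_counted=False):
        print(repr(frame))
```

In this model, turning octet counting off makes every line one frame regardless of its first character, and each frame keeps the CR that preceded the LF.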

