On 2015-02-10 10:51 AM, James Lay wrote:
On 2015-02-10 10:41 AM, Rainer Gerhards wrote:

2015-02-10 17:36 GMT+01:00 James Lay <[email protected]>:

On 2015-02-10 08:37 AM, Rainer Gerhards wrote:

2015-02-10 16:32 GMT+01:00 James Lay <[email protected]>:

Help....just made the switch and seeing a ton of these types of errors:

rsyslogd: Framing Error in received TCP message: delimiter is not SP but has ASCII value 46.

this sounds like a problem with the sender. Rsyslog is seeing invalid protocol handling, more precisely a framing error. ASCII code 46 (the dot) is seen where either < or an integer number must be.
If that's an option, you could capture a tcp session and post the capture file so that I can have a look with wireshark.
Rainer

Not even sure where to start to look at this. Thank you.

James

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

Yes...these messages are from a proxy device which is just connecting via tcp to port 514...I am fairly certain that these aren't protocol compliant with things like:

192.168.1.1 - - TCP....

192.168.1.1 DOMAINname ....
192.168.1.1 - 192.168.1.2 ....

yup, that's not syslog but just a dump ;)

A lot of these messages contain funky characters. Is there a way I can tell rsyslog to just log and ignore protocol? Thank you.

To make things work really nice, you would need this: https://github.com/rsyslog/rsyslog/issues/238 (feel free to vote for its implementation!).
The work-around is to disable octet-counted framing. With the current versions, this means you must use imptcp (not imtcp, note the "p"), because imtcp has a bug so that it does not accept the config parameter. Then, you can use the rawmsg property in a custom template, which will get you the exact same message that was received.
IF, however, there are embedded LF INSIDE the messages, you are lost. But this looks like CLF, so I wouldn't expect them.
HTH
Rainer

James



Thanks Rainer,

So dumping this to a file, opening in vim and doing a set list shows nothing embedded...just a LONG line. In between what would have been a linefeed I see #015#012. And can you point me in the right direction for making a custom template? I'm pretty new to rsyslog...thanks a bunch Rainer.

James


And got no love with imptcp:

10:53:13 syslog rsyslogd-2066: could not load module '/usr/lib/rsyslog/imptcp.so', dlopen: /usr/lib/rsyslog/imptcp.so: cannot open shared object file: No such file or directory [try http://www.rsyslog.com/e/2066 ]

This was installed using ppa at http://www.rsyslog.com/ubuntu-repository.

Am I out of luck?

James
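
The framing error discussed in this thread, as an added example that is not part of the original messages and is not rsyslog's code: a simplified Python model of RFC 6587 TCP framing showing why a line that starts with an IP address produces "ASCII value 46", and what changes when octet-counted framing is disabled. The function name `frame_stream`, the recovery behaviour after an error, and the sample bytes are assumptions made for the illustration.

```python
import re

# Constructed sample modelled on the proxy lines quoted in the thread.
SAMPLE = b"192.168.1.1 - - TCP_MISS\n192.168.1.1 - 192.168.1.2 GET\n"


def frame_stream(data, octet_counting=True):
    """Return (messages, errors) for a TCP syslog byte stream.

    Simplified model of RFC 6587 framing, not rsyslog's source.
    """
    messages, errors, pos = [], [], 0
    while pos < len(data):
        if octet_counting and data[pos:pos + 1].isdigit():
            # Leading digit: read it as "<count> SP <count bytes of message>".
            digits = re.match(rb"\d+", data[pos:]).group()
            end = pos + len(digits)
            delim = data[end:end + 1]
            if delim == b" ":
                count = int(digits)
                messages.append(data[end + 1:end + 1 + count])
                pos = end + 1 + count
                continue
            # "192.168.1.1": count is read as 192, next byte is "." (46).
            code = delim[0] if delim else -1
            errors.append(f"delimiter is not SP but has ASCII value {code}")
            # Assumed recovery for this model: fall back to LF framing
            # and keep the whole line, digits included.
        # LF-terminated framing: every LF ends a message, embedded or not.
        nl = data.find(b"\n", pos)
        stop = len(data) if nl == -1 else nl
        messages.append(data[pos:stop])
        pos = stop + 1
    return messages, errors


if __name__ == "__main__":
    for mode in (True, False):
        msgs, errs = frame_stream(SAMPLE, octet_counting=mode)
        print("octet counting", "on " if mode else "off", msgs, errs)
```

With octet counting off, each LF-terminated line comes through unchanged, which is also why an LF embedded inside a record would split it in two.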

