2015-02-10 18:55 GMT+01:00 James Lay <[email protected]>:

> On 2015-02-10 10:51 AM, James Lay wrote:
>
>> On 2015-02-10 10:41 AM, Rainer Gerhards wrote:
>>
>>> 2015-02-10 17:36 GMT+01:00 James Lay <[email protected]>:
>>>
>>>> On 2015-02-10 08:37 AM, Rainer Gerhards wrote:
>>>>
>>>>> 2015-02-10 16:32 GMT+01:00 James Lay <[email protected]>:
>>>>>
>>>>>> Help....just made the switch and seeing a ton of these types of errors:
>>>>>>
>>>>>> rsyslogd: Framing Error in received TCP message: delimiter is not SP but has ASCII value 46.
>>>>>
>>>>> this sounds like a problem with the sender. Rsyslog is seeing invalid
>>>>> protocol handling, more precisely a framing error. ASCII code 46 (the dot)
>>>>> is seen where either < or an integer number must be.
>>>>>
>>>>> If that's an option, you could capture a tcp session and post the capture
>>>>> file so that I can have a look with wireshark.
>>>>>
>>>>> Rainer
>>>>>
>>>>>> Not even sure where to start to look at this. Thank you.
>>>>>>
>>>>>> James
>>>>>>
>>>>>> _______________________________________________
>>>>>> rsyslog mailing list
>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>> http://www.rsyslog.com/professional-services/
>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>>>> DON'T LIKE THAT.
>>>>
>>>> Yes...these messages are from a proxy device which is just connecting via
>>>> tcp to port 514...I am fairly certain that these aren't protocol compliant
>>>> with things like:
>>>>
>>>> 192.168.1.1 - - TCP....
>>>> 192.168.1.1 DOMAINname ....
>>>> 192.168.1.1 - 192.168.1.2 ....
>>>
>>> yup, that's not syslog but just a dump ;)
>>>
>>>> A lot of these messages contain funky characters. Is there a way I can
>>>> tell rsyslog to just log and ignore protocol? Thank you.
>>>
>>> To make things work really nice, you would need this:
>>> https://github.com/rsyslog/rsyslog/issues/238
>>> (feel free to vote for its implementation!).
>>>
>>> The work-around is to disable octet-counted framing. With the current
>>> versions, this means you must use imptcp (not imtcp, note the "p"), because
>>> imtcp has a bug so that it does not accept the config parameter. Then, you
>>> can use the rawmsg property in a custom template, which will get you the
>>> exact same message that was received.
>>>
>>> IF, however, there are embedded LF INSIDE the messages, you are lost. But
>>> this looks like CLF, so I wouldn't expect them.
>>>
>>> HTH
>>> Rainer
>>>
>>>> James
>>
>> Thanks Rainer,
>>
>> So dumping this to a file, opening in vim and doing a set list shows
>> nothing embedded...just a LONG line. In between what would have been a
>> linefeed I see #015#012. And can you point me in the right direction for
>> making a custom template? I'm pretty new to rsyslog...thanks a bunch
>> Rainer.
>>
>> James
>
> And got no love with imptcp:
>
> 10:53:13 syslog rsyslogd-2066: could not load module '/usr/lib/rsyslog/imptcp.so', dlopen: /usr/lib/rsyslog/imptcp.so: cannot open shared object file: No such file or directory [try http://www.rsyslog.com/e/2066 ]
>
> This was installed using ppa at http://www.rsyslog.com/ubuntu-repository.
You need to install *rsyslog-imptcp*.

HTH
Rainer
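Added example (not part of the original thread, and not rsyslog's code): a simplified Python model of RFC 6587 framing detection, showing how a stream of lines that begin with an IP address yields the "delimiter is not SP but has ASCII value 46" error, and how the same bytes split once octet-counted framing is disabled. The function names and the sample proxy lines are constructed for illustration.

```python
# Simplified model of syslog-over-TCP framing (RFC 6587); not rsyslog's code.
# All names and the sample bytes below are constructed for illustration.

class FramingError(ValueError):
    pass

def split_frames(data, octet_counting=True):
    """Split a received TCP byte stream into individual messages."""
    frames, pos = [], 0
    while pos < len(data):
        if octet_counting and data[pos:pos + 1].isdigit():
            # Leading digit: read it as an octet count, "<len> SP <msg>".
            end = pos
            while data[end:end + 1].isdigit():
                end += 1
            if end == len(data):
                raise FramingError("stream ended inside octet count")
            if data[end] != 0x20:
                raise FramingError(
                    "delimiter is not SP but has ASCII value %d" % data[end])
            length = int(data[pos:end])
            frames.append(data[end + 1:end + 1 + length])
            pos = end + 1 + length
        else:
            # Otherwise the message runs up to the next LF.
            nl = data.find(b"\n", pos)
            nl = len(data) if nl == -1 else nl
            frames.append(data[pos:nl])
            pos = nl + 1
    return frames

def framing_error(data):
    """Return the framing error text for data, or None if it parses."""
    try:
        split_frames(data)
    except FramingError as exc:
        return str(exc)
    return None

# Constructed sample: two CRLF-terminated proxy log lines, no syslog header.
PROXY_DUMP = b"192.168.1.1 - - TCP_MISS\r\n192.168.1.1 - 192.168.1.2 GET\r\n"

if __name__ == "__main__":
    print(framing_error(PROXY_DUMP))   # "192" is read as a count, then "."
    for msg in split_frames(PROXY_DUMP, octet_counting=False):
        print(repr(msg))               # each line keeps its trailing CR (octal 015)
```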

