On Thu, 2015-02-12 at 10:17 +0100, Rainer Gerhards wrote:
> 2015-02-10 18:55 GMT+01:00 James Lay <[email protected]>:
>
> > On 2015-02-10 10:51 AM, James Lay wrote:
> >
> > > On 2015-02-10 10:41 AM, Rainer Gerhards wrote:
> > >
> > > > 2015-02-10 17:36 GMT+01:00 James Lay <[email protected]>:
> > > >
> > > > > On 2015-02-10 08:37 AM, Rainer Gerhards wrote:
> > > > >
> > > > > > 2015-02-10 16:32 GMT+01:00 James Lay <[email protected]>:
> > > > > >
> > > > > > > Help....just made the switch and seeing a ton of these types of errors:
> > > > > > >
> > > > > > > rsyslogd: Framing Error in received TCP message: delimiter is not SP but has ASCII value 46.
> > > > > >
> > > > > > this sounds like a problem with the sender.
> > > > > >
> > > > > > Rsyslog is seeing invalid protocol handling, more precisely a framing
> > > > > > error. ASCII code 46 (the dot) is seen where either < or an integer
> > > > > > number must be.
> > > > > >
> > > > > > If that's an option, you could capture a tcp session and post the
> > > > > > capture file so that I can have a look with wireshark.
> > > > > >
> > > > > > Rainer
> > > > > >
> > > > > > > Not even sure where to start to look at this. Thank you.
> > > > > > >
> > > > > > > James
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > rsyslog mailing list
> > > > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > > > http://www.rsyslog.com/professional-services/
> > > > > > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > > > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > > > > > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> > > > > > > POST if you DON'T LIKE THAT.
> > > > >
> > > > > Yes...these messages are from a proxy device which is just
> > > > > connecting via tcp to port 514...I am fairly certain that these
> > > > > aren't protocol compliant with things like:
> > > > >
> > > > > 192.168.1.1 - - TCP....
> > > > > 192.168.1.1 DOMAINname ....
> > > > > 192.168.1.1 - 192.168.1.2 ....
> > > >
> > > > yup, that's not syslog but just a dump ;)
> > > >
> > > > > A lot of these messages contain funky characters. Is there a way I
> > > > > can tell rsyslog to just log and ignore protocol? Thank you.
> > > >
> > > > To make things work really nice, you would need this:
> > > > https://github.com/rsyslog/rsyslog/issues/238
> > > > (feel free to vote for its implementation!).
> > > >
> > > > The work-around is to disable octet-counted framing. With the current
> > > > versions, this means you must use imptcp (not imtcp, note the "p"),
> > > > because imtcp has a bug so that it does not accept the config
> > > > parameter. Then, you can use the rawmsg property in a custom template,
> > > > which will get you the exact same message that was received.
> > > >
> > > > IF, however, there are embedded LF INSIDE the messages, you are lost.
> > > > But this looks like CLF, so I wouldn't expect them.
> > > >
> > > > HTH
> > > > Rainer
> > > >
> > > > James
> > >
> > > Thanks Rainer,
> > >
> > > So dumping this to a file, opening in vim and doing a set list shows
> > > nothing embedded...just a LONG line. In between what would have been a
> > > linefeed I see #015#012. And can you point me in the right direction
> > > for making a custom template? I'm pretty new to rsyslog...thanks a
> > > bunch Rainer.
> > >
> > > James
> >
> > And got no love with imptcp:
> >
> > 10:53:13 syslog rsyslogd-2066: could not load module '/usr/lib/rsyslog/imptcp.so', dlopen: /usr/lib/rsyslog/imptcp.so: cannot open shared object file: No such file or directory  [try http://www.rsyslog.com/e/2066 ]
> >
> > This was installed using ppa at
> > http://www.rsyslog.com/ubuntu-repository.
>
> You need to install rsyslog-imptcp.
>
> HTH
> Rainer

Thanks Rainer.  Interestingly enough after adding an option in the proxy
server to add a timestamp, this is now working as it should.  Thanks
again.

James
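
Added example (not part of the original thread and not rsyslog's code): a simplified Python model of RFC 6587 framing that shows why a line beginning with an IP address yields "delimiter is not SP but has ASCII value 46", and what changes once octet-counted framing is disabled. The `split_frames` name, the sample lines and the recover-at-next-LF behaviour are assumptions of this model.

```python
import re

def split_frames(stream: bytes, octet_counting: bool = True):
    """Toy model of syslog-over-TCP framing (RFC 6587); returns (messages, errors)."""
    msgs, errors, pos = [], [], 0
    while pos < len(stream):
        if octet_counting and stream[pos:pos + 1].isdigit():
            # A leading digit is taken as the start of "MSG-LEN SP MSG".
            end = pos + re.match(rb"\d+", stream[pos:]).end()
            delim = stream[end:end + 1]
            if delim == b" ":
                length = int(stream[pos:end])
                msgs.append(stream[end + 1:end + 1 + length])
                pos = end + 1 + length
                continue
            code = delim[0] if delim else "EOF"
            errors.append(f"delimiter is not SP but has ASCII value {code}")
            # Assumption of this model: recover by reading up to the next LF.
        nl = stream.find(b"\n", pos)
        nl = len(stream) if nl < 0 else nl
        msgs.append(stream[pos:nl].rstrip(b"\r"))  # keep the raw line, drop CR
        pos = nl + 1
    return msgs, errors

# Constructed sample in the shape quoted in the thread (not a real capture).
PROXY_DUMP = (
    b"192.168.1.1 - - TCP_MISS/200 GET http://example.test/\r\n"
    b"192.168.1.1 - 192.168.1.2 TCP_HIT/304\r\n"
)

if __name__ == "__main__":
    for mode in (True, False):
        msgs, errors = split_frames(PROXY_DUMP, octet_counting=mode)
        print(f"octet_counting={mode}: {len(msgs)} messages, errors={errors}")
```

With octet counting on, "192" is read as a length and the following "." is the rejected delimiter; with it off, every LF ends a message, so an LF embedded in a record would split that record in two.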