2015-02-12 12:29 GMT+01:00 James Lay <[email protected]>:

> On Thu, 2015-02-12 at 10:17 +0100, Rainer Gerhards wrote:
> > 2015-02-10 18:55 GMT+01:00 James Lay <[email protected]>:
> >
> > On 2015-02-10 10:51 AM, James Lay wrote:
> >
> > On 2015-02-10 10:41 AM, Rainer Gerhards wrote:
> >
> > 2015-02-10 17:36 GMT+01:00 James Lay <[email protected]>:
> >
> > On 2015-02-10 08:37 AM, Rainer Gerhards wrote:
> >
> > 2015-02-10 16:32 GMT+01:00 James Lay <[email protected]>:
> >
> > Help....just made the switch and seeing a ton of these types of errors:
> >
> > rsyslogd: Framing Error in received TCP message: delimiter is not SP but has ASCII value 46.
> >
> > this sounds like a problem with the sender. Rsyslog is seeing invalid protocol handling, more precisely a framing error. ASCII code 46 (the dot) is seen where either < or an integer number must be.
> >
> > If that's an option, you could capture a tcp session and post the capture file so that I can have a look with wireshark.
> >
> > Rainer
> >
> > Not even sure where to start to look at this. Thank you.
> >
> > James
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
> >
> > Yes...these messages are from a proxy device which is just connecting via tcp to port 514...I am fairly certain that these aren't protocol compliant with things like:
> >
> > 192.168.1.1 - - TCP....
> > 192.168.1.1 DOMAINname ....
> > 192.168.1.1 - 192.168.1.2 ....
> >
> > yup, that's not syslog but just a dump ;)
> >
> > A lot of these messages contain funky characters. Is there a way I can tell rsyslog to just log and ignore protocol? Thank you.
> >
> > To make things work really nice, you would need this: https://github.com/rsyslog/rsyslog/issues/238 (feel free to vote for its implementation!).
> >
> > The work-around is to disable octet-counted framing. With the current versions, this means you must use imptcp (not imtcp, note the "p"), because imtcp has a bug so that it does not accept the config parameter. Then, you can use the rawmsg property in a custom template, which will get you the exact same message that was received.
> >
> > IF, however, there are embedded LF INSIDE the messages, you are lost. But this looks like CLF, so I wouldn't expect them.
> >
> > HTH
> > Rainer
> >
> > James
> >
> > Thanks Rainer,
> >
> > So dumping this to a file, opening in vim and doing a set list shows nothing embedded...just a LONG line. In between what would have been a linefeed I see #015#012. And can you point me in the right direction for making a custom template? I'm pretty new to rsyslog...thanks a bunch Rainer.
> >
> > James
> >
> > And got no love with imptcp:
> >
> > 10:53:13 syslog rsyslogd-2066: could not load module '/usr/lib/rsyslog/imptcp.so', dlopen: /usr/lib/rsyslog/imptcp.so: cannot open shared object file: No such file or directory [try http://www.rsyslog.com/e/2066 ]
> >
> > This was installed using ppa at http://www.rsyslog.com/ubuntu-repository.
> >
> > You need to install *rsyslog-imptcp.*
> >
> > HTH
> > Rainer
>
> Thanks Rainer. Interestingly enough after adding an option in the proxy server to add a timestamp, this is now working as it should. Thanks again.

I am curious: can you let me know how the format looks now?

Rainer
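
Why lines that begin with an IP address produce exactly this error, as an added example (not part of the thread and not rsyslog's own code): a simplified Python model of RFC 6587 frame detection, in which a frame starting with a digit is read as octet-counted. The function name, the sample lines and the resync-at-LF recovery are assumptions made for the illustration.

```python
# Simplified model of how a TCP syslog receiver splits a byte stream into
# frames (RFC 6587). Illustration only; this is not rsyslog source code.

def split_frames(stream: bytes, octet_counted: bool = True):
    """Return (messages, errors).

    octet_counted=True: a frame that starts with a digit is parsed as
    "MSG-LEN SP MSG"; any other frame runs to the next LF.
    octet_counted=False: every frame runs to the next LF.
    """
    messages, errors = [], []
    pos = 0
    while pos < len(stream):
        if octet_counted and stream[pos:pos + 1].isdigit():
            end = pos
            while stream[end:end + 1].isdigit():
                end += 1
            if end == len(stream):
                break  # count not terminated yet; a receiver would wait
            if stream[end] != 0x20:
                errors.append("delimiter is not SP but has ASCII value %d" % stream[end])
                # Assumed recovery for this model: resynchronise at the next LF.
                nl = stream.find(b"\n", end)
                pos = len(stream) if nl < 0 else nl + 1
                continue
            length = int(stream[pos:end])
            messages.append(stream[end + 1:end + 1 + length])
            pos = end + 1 + length
        else:
            nl = stream.find(b"\n", pos)
            nl = len(stream) if nl < 0 else nl
            messages.append(stream[pos:nl].rstrip(b"\r"))  # drop CR of CR LF
            pos = nl + 1
    return messages, errors

# Constructed samples: two proxy-style lines that begin with an IP address,
# and a stream mixing one octet-counted frame with one LF-terminated frame.
PROXY_DUMP = b"192.168.1.1 - - TCP_MISS\r\n192.168.1.1 - 192.168.1.2 GET\r\n"
SYSLOG_OK = b"11 <34>hello x<13>second\n"

if __name__ == "__main__":
    print(split_frames(PROXY_DUMP))                       # "192" read as a length, "." is not SP
    print(split_frames(PROXY_DUMP, octet_counted=False))  # lines kept verbatim
    print(split_frames(SYSLOG_OK))
```

With LF-only framing the proxy lines come through unchanged, which is the behaviour the work-around in the thread relies on.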

