On Thu, 2015-02-12 at 13:20 +0100, Rainer Gerhards wrote:
> 2015-02-12 12:29 GMT+01:00 James Lay <[email protected]>:
> > On Thu, 2015-02-12 at 10:17 +0100, Rainer Gerhards wrote:
> > > 2015-02-10 18:55 GMT+01:00 James Lay <[email protected]>:
> > > > On 2015-02-10 10:51 AM, James Lay wrote:
> > > > > On 2015-02-10 10:41 AM, Rainer Gerhards wrote:
> > > > > > 2015-02-10 17:36 GMT+01:00 James Lay <[email protected] [5]>:
> > > > > > > On 2015-02-10 08:37 AM, Rainer Gerhards wrote:
> > > > > > > > 2015-02-10 16:32 GMT+01:00 James Lay <[email protected] [4]>:
> > > > > > > > > Help....just made the switch and seeing a ton of these types of errors:
> > > > > > > > >
> > > > > > > > > rsyslogd: Framing Error in received TCP message: delimiter is not SP but has ASCII value 46.
> > > > > > > >
> > > > > > > > this sounds like a problem with the sender. Rsyslog is seeing invalid protocol handling, more precisely a framing error. ASCII code 46 (the dot) is seen where either < or an integer number must be.
> > > > > > > >
> > > > > > > > If that's an option, you could capture a tcp session and post the capture file so that I can have a look with wireshark.
> > > > > > > >
> > > > > > > > Rainer
> > > > > > > >
> > > > > > > > > Not even sure where to start to look at this. Thank you.
> > > > > > > > >
> > > > > > > > > James
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > rsyslog mailing list
> > > > > > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog [1]
> > > > > > > > > http://www.rsyslog.com/professional-services/ [2]
> > > > > > > > > What's up with rsyslog? Follow https://twitter.com/rgerhards [3]
> > > > > > > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
> > > > > > >
> > > > > > > Yes...these messages are from a proxy device which is just connecting via tcp to port 514...I am fairly certain that these aren't protocol compliant with things like:
> > > > > > >
> > > > > > > 192.168.1.1 - - TCP....
> > > > > > > 192.168.1.1 DOMAINname ....
> > > > > > > 192.168.1.1 - 192.168.1.2 ....
> > > > > >
> > > > > > yup, that's not syslog but just a dump ;)
> > > > > >
> > > > > > > A lot of these messages contain funky characters. Is there a way I can tell rsyslog to just log and ignore protocol? Thank you.
> > > > > >
> > > > > > To make things work really nice, you would need this: https://github.com/rsyslog/rsyslog/issues/238 [6] (feel free to vote for its implementation!).
> > > > > >
> > > > > > The work-around is to disable octet-counted framing. With the current versions, this means you must use imptcp (not imtcp, note the "p"), because imtcp has a bug so that it does not accept the config parameter. Then, you can use the rawmsg property in a custom template, which will get you the exact same message that was received.
> > > > > >
> > > > > > IF, however, there are embedded LF INSIDE the messages, you are lost. But this looks like CLF, so I wouldn't expect them.
> > > > > >
> > > > > > HTH
> > > > > > Rainer
> > > > > >
> > > > > > > James
> > > > >
> > > > > Thanks Rainer,
> > > > >
> > > > > So dumping this to a file, opening in vim and doing a set list shows nothing embedded...just a LONG line. In between what would have been a linefeed I see #015#012. And can you point me in the right direction for making a custom template? I'm pretty new to rsyslog...thanks a bunch Rainer.
> > > > >
> > > > > James
> > > >
> > > > And got no love with imptcp:
> > > >
> > > > 10:53:13 syslog rsyslogd-2066: could not load module '/usr/lib/rsyslog/imptcp.so', dlopen: /usr/lib/rsyslog/imptcp.so: cannot open shared object file: No such file or directory [try http://www.rsyslog.com/e/2066 ]
> > > >
> > > > This was installed using ppa at http://www.rsyslog.com/ubuntu-repository.
> > >
> > > You need to install rsyslog-imptcp.
> > >
> > > HTH
> > > Rainer
> >
> > Thanks Rainer. Interestingly enough after adding an option in the proxy server to add a timestamp, this is now working as it should. Thanks again.
>
> I am curious: can you let me know how the format looks now?
>
> Rainer
You bet....here's what is working now:

Feb 12 00:03:03 x.x.x.x "[12/Feb/2015: 00:03:04 -0700]" x.x.x.x - - TCP_DENIED DENIED 407 GET http://www.google-analytics.com/analytics.js - - "Web Ads/Analytics"#015

What's new is the additional timestamp in quotes...that and the #015....I didn't see the #015 using syslog-ng, so I think it's how rsyslog interprets what's being sent, but I'm not good enough with rsyslog to know how to fix it yet. Thanks Rainer.

James
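As an added illustration (example code, not from the thread or from the rsyslog project) of the framing rule Rainer describes, of why the proxy's CLF dump tripped it, and of the #015 James sees in the working format: a small Python model of the syslog/TCP framing decision plus rsyslog-style control-character escaping. The fallback on a framing error, the `frame_messages`/`escape_control` names and the sample lines are this example's own assumptions, not a description of rsyslog internals.

```python
# Added example, not from the thread: a model of the framing decision a
# syslog/TCP receiver makes, following Rainer's description. A frame must
# start with '<' (a PRI, so LF-terminated "non-transparent" framing) or with
# a decimal byte count followed by SP ("octet-counted" framing, RFC 6587).
# A digit run ended by anything else is the framing error James saw: the
# proxy line "192.168.1.1 ..." starts with digits, then '.' (ASCII 46).
# Falling back to LF framing for that line is this model's choice only.

def frame_messages(stream: bytes):
    """Split a raw TCP byte stream into messages. Returns (messages, errors)."""
    msgs, errors = [], []
    pos = 0
    while pos < len(stream):
        end = pos
        while end < len(stream) and stream[end:end + 1].isdigit():
            end += 1
        if end > pos:  # started with digits: expect "<count>SP<message>"
            delim = stream[end:end + 1]
            if delim == b" ":
                count = int(stream[pos:end])
                start = end + 1
                msgs.append(stream[start:start + count])
                pos = start + count
                continue
            code = delim[0] if delim else "EOF"
            errors.append("Framing Error in received TCP message: "
                          f"delimiter is not SP but has ASCII value {code}.")
        # Non-transparent framing (also the fallback above): read up to LF.
        nl = stream.find(b"\n", pos)
        nl = len(stream) if nl < 0 else nl
        msgs.append(stream[pos:nl])
        pos = nl + 1
    return msgs, errors


def escape_control(msg: bytes) -> str:
    """Render C0 control characters the way rsyslog's default escaping does:
    '#' plus the three-digit octal code, so CR becomes #015 and LF #012."""
    return "".join(f"#{c:03o}" if c < 0x20 else chr(c) for c in msg)


# Constructed sample input: the proxy's original header-less CLF line, then
# the same kind of line after the proxy was told to prepend a timestamp. The
# second line ends in CR LF, which is where the trailing #015 comes from.
SAMPLE = (b"192.168.1.1 - - TCP_DENIED DENIED 407 GET http://www.google-analytics.com/analytics.js - -\n"
          b'Feb 12 00:03:03 x.x.x.x "[12/Feb/2015: 00:03:04 -0700]" x.x.x.x - - TCP_DENIED '
          b'DENIED 407 GET http://www.google-analytics.com/analytics.js - - "Web Ads/Analytics"\r\n')

if __name__ == "__main__":
    messages, errors = frame_messages(SAMPLE)
    for e in errors:
        print("rsyslogd:", e)
    for m in messages:
        print(escape_control(m))
```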

