Re: [rsyslog] imuxsock does not support RFC5424 header

Sun, 08 Mar 2015 18:03:07 -0700 

On Sun, 8 Mar 2015, David Lang wrote:


On Mon, 9 Mar 2015, Thomas D. wrote:


Hi David,

you wrote::
I believe that when you write the log to the socket, you aren't expected to put the hostname in it, since it's local rsyslog uses what it knows the hostname to be. You can't tell this with your test because you put the real hostname in that 
spot.


...wait. I was talking about "syslogtag", not hostname. The hostname was
correct in my case.

Please can you try with "--tag foo", i.e. 'logger --tag foo "testtest"'?


Debug line with all properties:
FROMHOST: 'dlang-laptop', fromhost-ip: '127.0.0.1', HOSTNAME: 'dlang-laptop', PRI: 13, syslogtag 'foo:', programname: 'foo', APP-NAME: 'foo', PROCID: '-', MSGID: '-', 
TIMESTAMP: 'Mar  8 17:57:34', STRUCTURED-DATA: '-',
msg: ' testtest @[_PID=23583 _UID=0 _GID=0 _COMM=logger _CMDLINE=""]'
escaped msg: ' testtest @[_PID=23583 _UID=0 _GID=0 _COMM=logger _CMDLINE=""]'
inputname: imuxsock rawmsg: '<13>Mar 8 17:57:34 foo: testtest @[_PID=23583 _UID=0 _GID=0 _COMM=logger _CMDLINE=""]' 
$!:
$.:
$/:
if you look at the rawmsg, my version of logger doesn't put the hostname in it, yours does. Since rsyslog is not expecting the hostname there, it puts what it finds in that position in the syslogtag variable.
Also, if you look at what ends up in msg, you have foo: as part of the message, also indicating that rsyslog was not expecting to have a hostname there. 

and here it is without the annotate option (what's expected in the tests)

Debug line with all properties:
FROMHOST: 'dlang-laptop', fromhost-ip: '127.0.0.1', HOSTNAME: 'dlang-laptop', PRI: 13, 
syslogtag 'foo:', programname: 'foo', APP-NAME: 'foo', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Mar  8 18:01:05', STRUCTURED-DATA: '-',
msg: ' testtest'
escaped msg: ' testtest'
inputname: imuxsock rawmsg: '<13>Mar  8 18:01:05 foo: testtest'
$!:
$.:
$/:

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to