> > >>>> The first rsyslog server uses the config below, so template is:
> > >>>> $template rel,"%fromhost% %fromhost-ip% %rawmsg%\n"
> > >>>> The receiving rsyslog server uses this template and logs to file:
> > >>>> $template raw,"%rawmsg%"
> > >>>
> > >>>
> > >>>
> > >>> Ok, if the sending server is using the template rel to send the message to
> > >>> the second server you have a problem (this is what I thought was happening
> > >>> with the omspoof config above)
> > >>>
> > >>> a valid syslog message is
> > >>> <###>timestamp hostname syslogtag[pid]: message
> > >>>
> > >>> you are sending
> > >>>
> > >>> hostname ip <###>timestamp hostname syslogtag[pid]: message
> > >>>
> > >>> the receiving message is going to try to 'do the right thing' and correct
> > >>> for the malformed message, but it's unlikely to be right all the time.
> > >>>
> > >>> the fact that you are getting framing errors indicates that the sending
> > >>> server is doing something very wrong
> > >>>
> > >>
> > >> I guess there is a numeric hostname. That would trigger octet-counted
> > >> framing, and that in turn could trigger the error message.
> > >
> > >
> > > or just no DNS for the hostname, so that field contains an IP address
> > > instead.
> > 
> > indeed, that's the most probable cause.
> > 
> > Rainer
> 
> 
> Hi together,
> Thanks for all your support.
> Nevertheless I did not get that at all:
> What I want to do is to set a prefix consisting of "original" Source and
> hostname before the raw message and keep the raw message as it is without any
> modification.
> From my understanding, the raw message is kept and concatenated to the new
> syslog message sent.
> I also think that octet-counted framing should never apply to the
> message contents, because we never know if a syslog message might not contain
> one or more exotic strings.
> 
> 
> Actually in most cases it seems to work as expected:
> 2015-04-29T10:58:01.108756+02:00 localhost localhost ::1 Real-syslog-Message
> 
> So, what is my mistake and what possibilities do I have to achieve my aim
> without conflicts?

Hi,
I believe I see a little more clearly now :)

From my understanding there are 2 issues:
1. Framing issue:
I was able to solve it on my own by disabling SupportOctetCountedFraming.

2. Dying of rsyslog:
After upgrading all rsyslog versions to the latest RHEL 6.6 I still see
processes dying:
One system:
rsyslogd[1159] general protection ip:7f195ed4153c sp:7fffe4806f48 error:0 in libc-2.12.so (deleted)[7f195ecc6000+18a000
Other system:
rs:main Q:Reg[1469]: segfault at 0 ip 00007fcd5e7a273a sp 00007fcd5a6bb418 error 4 in libc-2.12.so (deleted)[7fcd5e723000+18a000]

Currently I assume that there is a relation to the kill -HUP for Lookup-File
reloading.
I now have 6 GB of packet captures and will try to isolate the issue

Chris
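
Added example, not part of the original thread and not rsyslog's code: a simplified Python model of RFC 6587 frame detection on a TCP syslog stream. It shows why a relayed line built from `%fromhost% %fromhost-ip% %rawmsg%\n` causes a framing error or swallows the following message when it starts with a digit, and why turning octet-counted framing off avoids both. The sample messages are constructed and `split_frames` is a hypothetical helper.

```python
# Simplified model of RFC 6587 frame detection on a TCP syslog stream.
# Illustration only; this is not rsyslog's implementation.

def split_frames(stream: bytes, octet_counted: bool = True):
    """Split a TCP byte stream into syslog frames; return (frames, errors)."""
    frames, errors, i = [], [], 0
    while i < len(stream):
        if octet_counted and stream[i:i + 1].isdigit():
            # Leading digit: assume "MSG-LEN SP MSG" (octet counting).
            j = i
            while stream[j:j + 1].isdigit():
                j += 1
            if stream[j:j + 1] == b" ":
                n = int(stream[i:j].decode("ascii"))
                frames.append(stream[j + 1:j + 1 + n])
                i = j + 1 + n
                continue
            errors.append(f"framing error: delimiter is {stream[j:j + 1]!r}, not SP")
        # Non-transparent framing: the frame ends at the next LF.
        end = stream.find(b"\n", i)
        end = len(stream) if end == -1 else end
        frames.append(stream[i:end])
        i = end + 1
    return frames, errors

# Constructed samples in the thread's "%fromhost% %fromhost-ip% %rawmsg%\n" layout.
RAW = b"<13>Apr 29 10:58:01 app test: hello\n"
MSG_NAME = b"gw1 192.0.2.10 " + RAW         # hostname resolved
MSG_IP = b"192.0.2.10 192.0.2.10 " + RAW    # no DNS: field holds the IP
MSG_NUM = b"4711 192.0.2.10 " + RAW         # numeric hostname

if __name__ == "__main__":
    for label, first in (("name", MSG_NAME), ("ip", MSG_IP), ("numeric", MSG_NUM)):
        for oc in (True, False):
            frames, errors = split_frames(first + MSG_NAME, octet_counted=oc)
            print(label, "octet_counted=%s" % oc, len(frames), "frame(s)", errors)
```

With octet counting enabled, the IP-prefixed line yields a framing error and the numeric-hostname line is read as a 4711-byte frame that absorbs the next message; with it disabled, every line is split at LF.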

