On Thu, 10 Sep 2015, Muhammad Asif wrote:
Hi Geeks,
We are using the TCP protocol for sending logs from rsyslog to fluentd on the same
system. We also tested TCP to send logs to another system.
But the problem is that rsyslog doesn't send the log complete.
On Sending server
*.* action(type="omfwd" target="192.168.6.193" port="514" protocol="tcp"
queue.filename="forwarding" queue.size="1000000" queue.maxdiskspace="5g"
queue.highwatermark="900000" queue.lowwatermark="200000"
queue.type="LinkedList" )
On receiving server
if ($fromhost-ip == '192.168.6.192') then /var/log/dccc.log
& ~
But an incomplete message is received.
Sent Message
Sep 10 11:26:41 192.168.6.197
AgentDevice=WindowsLog#011AgentLogFile=Security#011PluginVersion=7.2.2.959003#011Source=Microsoft-Windows-Security-Auditing#011Computer=WIN-C9JDK1MDI5G#011OriginatingComputer=#011User=#011Domain=#011EventID=5156#011EventIDCode=5156#011EventType=8#011EventCategory=12810#011RecordNumber=622562#011TimeGenerated=1441866149#011TimeWritten=1441866149#011Level=0#011Keywords=0#011Task=0#011Opcode=0#011Message=The
Windows Filtering Platform has permitted a connection. Application
Information: Process ID: 912 Application Name:
\device\harddiskvolume2\windows\system32\svchost.exe Network Information:
Direction: Inbound Source Address: 224.0.0.252 Source Port: 5355
Destination Address: 192.168.6.109 Destination Port: 50215 Protocol:
17 Filter Information: Filter Run-Time ID: 66094 Layer Name:
Receive/Accept Layer Run-Time ID: 44
Received Message
Sep 10 11:26:41 192.168.6.197 AgentDevice=WindowsLog#011AgentL Windows
Filtering Platform has permitted a connection. Application Information:
Process ID: 912 Application Name:
\device\harddiskvolume2\windows\system32\svchost.exe Network Information:
Direction: Inbound Source Address: 224.0.0.252 Source Port: 5355
Destination Address: 192.168.6.109 Destination Port: 50215 Protocol:
17 Filter Information: Filter Run-Time ID: 66094 Layer Name:
Receive/Accept Layer Run-Time ID: 44
The problem is that your sent message is malformed. After the hostname/IP
address, you are supposed to have the programname[with optional pid]: that is
limited by the spec to 32 characters.
Instead you have
AgentDevice=WindowsLog#011AgentLogFile=Security#011PluginVersion=7.2.2.959003#011Source=Microsoft-Windows-Security-Auditing#011Computer=WIN-C9JDK1MDI5G#011OriginatingComputer=#011User=#011Domain=#011EventID=5156#011EventIDCode=5156#011EventType=8#011EventCategory=12810#011RecordNumber=622562#011TimeGenerated=1441866149#011TimeWritten=1441866149#011Level=0#011Keywords=0#011Task=0#011Opcode=0#011Message=The
which is a LOT longer than 32 characters.
Whatever it is that you have slurping up the logs from Windows and sending them
to rsyslog in the first place needs to be fixed.
David Lang
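A model of the 32-character TAG truncation described in the reply above, as an added example that is not part of the thread or of rsyslog's own code. It assumes a simplified RFC 3164 header scan (TAG ends at the first space or colon, capped at 32 characters) and uses a constructed, abbreviated copy of the sent line; `parse`, `is_forwardable` and `rewrite_as_message` are hypothetical names.

```python
import re

TAG_MAXSIZE = 32  # RFC 3164 cap on the TAG (programname[pid]) field

# Constructed, abbreviated copy of the line the Windows agent sent.
SENT = ("Sep 10 11:26:41 192.168.6.197 "
        "AgentDevice=WindowsLog#011AgentLogFile=Security#011PluginVersion=7.2.2.959003"
        "#011EventID=5156#011Message=The Windows Filtering Platform has permitted a connection.")

# TIMESTAMP, HOSTNAME, then everything else (TAG + MSG).
HEADER_RE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)


def parse(line):
    """Simplified model of a legacy syslog parser: the TAG token runs up to the
    first ' ' or ':', but only TAG_MAXSIZE characters of it are kept; the rest of
    the token is silently dropped and MSG starts after the terminator."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("no RFC 3164 header found")
    timestamp, host, rest = m.groups()
    i = 0
    while i < len(rest) and rest[i] not in " :":
        i += 1
    token = rest[:i]
    if i < len(rest) and rest[i] == ":":
        token += ":"  # a trailing colon belongs to the TAG, e.g. "svchost[912]:"
        i += 1
    tag, dropped = token[:TAG_MAXSIZE], token[TAG_MAXSIZE:]
    msg = rest[i:].lstrip(" ")
    return {"timestamp": timestamp, "host": host, "tag": tag,
            "dropped": dropped, "msg": msg}


def is_forwardable(line):
    """Pre-flight check for a log shipper: only lines whose TAG fits the cap
    survive a 32-character receiver unchanged."""
    return parse(line)["dropped"] == ""


def rewrite_as_message(line, tag="WindowsLog:"):
    """Mitigation on the sending side (hypothetical): put a short, valid TAG in
    front and move the agent's key=value blob into MSG, where length is free."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("no RFC 3164 header found")
    timestamp, host, rest = m.groups()
    return f"{timestamp} {host} {tag} {rest}"
```

Running `parse(SENT)` reproduces the truncated TAG seen on the receiver ("AgentDevice=WindowsLog#011AgentL", exactly 32 characters) with MSG starting at "Windows Filtering Platform", while the rewritten line parses intact.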
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.