Hi David,

Thanks for being such a prompt helper and guide. We cannot force Windows
Server 2012 to send logs in a specific format.
But we solved the issue by using the following template.

$template msgonly,"%rawmsg%\n"


What other solution could there be?


Thanks

On Thu, Sep 10, 2015 at 12:08 PM, David Lang <[email protected]> wrote:

> On Thu, 10 Sep 2015, Muhammad Asif wrote:
>
>> Hi Geeks,
>>
>> We are using tcp protocol for sending logs from rsyslog to fluentd on same
>> system. We also test tcp to send logs to other system on tcp.
>> But the problem is that rsyslog doesn't send the complete log.
>>
>> On Sending server
>>
>> *.*    action(type="omfwd" target="192.168.6.193" port="514"
>> protocol="tcp"
>> queue.filename="forwarding" queue.size="1000000" queue.maxdiskspace="5g"
>> queue.highwatermark="900000" queue.lowwatermark="200000"
>> queue.type="LinkedList" )
>>
>>
>> On receiving server
>>
>> if ($fromhost-ip == '192.168.6.192') then /var/log/dccc.log
>> &  ~
>>
>> But incomplete message is received.
>>
>> Sent Message
>>
>> Sep 10 11:26:41 192.168.6.197
>>
>> AgentDevice=WindowsLog#011AgentLogFile=Security#011PluginVersion=7.2.2.959003#011Source=Microsoft-Windows-Security-Auditing#011Computer=WIN-C9JDK1MDI5G#011OriginatingComputer=#011User=#011Domain=#011EventID=5156#011EventIDCode=5156#011EventType=8#011EventCategory=12810#011RecordNumber=622562#011TimeGenerated=1441866149#011TimeWritten=1441866149#011Level=0#011Keywords=0#011Task=0#011Opcode=0#011Message=The
>> Windows Filtering Platform has permitted a connection.  Application
>> Information:  Process ID:  912  Application Name:
>> \device\harddiskvolume2\windows\system32\svchost.exe  Network Information:
>> Direction:  Inbound   Source Address:  224.0.0.252  Source Port:  5355
>> Destination Address: 192.168.6.109  Destination Port:  50215  Protocol:
>> 17  Filter Information:  Filter Run-Time ID: 66094  Layer Name:
>> Receive/Accept   Layer Run-Time ID: 44
>>
>>
>>
>> Received Message
>>
>> Sep 10 11:26:41 192.168.6.197 AgentDevice=WindowsLog#011AgentL Windows
>> Filtering Platform has permitted a connection.  Application Information:
>> Process ID:  912  Application Name:
>> \device\harddiskvolume2\windows\system32\svchost.exe  Network Information:
>> Direction:  Inbound   Source Address:  224.0.0.252  Source Port:  5355
>> Destination Address: 192.168.6.109  Destination Port:  50215  Protocol:
>> 17  Filter Information:  Filter Run-Time ID: 66094  Layer Name:
>> Receive/Accept   Layer Run-Time ID: 44
>>
>
> The problem is that your sent message is malformed. After the hostname/IP
> address, you are supposed to have the programname[with optional pid]: that
> is limited by the spec to 32 characters.
>
> instead you have
>
>
> AgentDevice=WindowsLog#011AgentLogFile=Security#011PluginVersion=7.2.2.959003#011Source=Microsoft-Windows-Security-Auditing#011Computer=WIN-C9JDK1MDI5G#011OriginatingComputer=#011User=#011Domain=#011EventID=5156#011EventIDCode=5156#011EventType=8#011EventCategory=12810#011RecordNumber=622562#011TimeGenerated=1441866149#011TimeWritten=1441866149#011Level=0#011Keywords=0#011Task=0#011Opcode=0#011Message=The
>
> which is a LOT longer than 32 characters.
>
> whatever it is that you have slurping up the logs from windows and sending
> them to rsyslog in the first place needs to be fixed.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
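As an added example (not part of this thread and not rsyslog's own code), here is a small Python model of the RFC 3164 TAG rule David describes: after TIMESTAMP and HOSTNAME the TAG ends at the first space or colon and may be at most 32 characters, so a key=value blob placed where the TAG belongs is cut at 32 characters. The sample messages, the program name `winagent`, and the parser's exact stopping rule are constructed assumptions, not rsyslog's actual parser; the `audit` function is the kind of check a log-pipeline operator can run on the receiving side to flag such senders before data is silently lost.

```python
"""
Added example, not from the thread: a simplified model of RFC 3164
header parsing that shows why a key=value blob in the TAG position is
cut at 32 characters, plus a check that flags such messages.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

TAG_MAXSIZE = 32  # RFC 3164 section 4.1.3: TAG must not exceed 32 characters

# Constructed sample mimicking the Windows agent output quoted in the
# thread (shortened); "\t" is the tab that rsyslog renders as #011.
AGENT_MSG = ("Sep 10 11:26:41 192.168.6.197 "
             "AgentDevice=WindowsLog\tAgentLogFile=Security\tEventID=5156\t"
             "Message=The Windows Filtering Platform has permitted a connection.")

# The same payload with a proper TAG in front ("winagent" is a made-up
# program name); this is the shape the upstream sender should produce.
GOOD_MSG = ("Sep 10 11:26:41 192.168.6.197 winagent[912]: "
            "AgentDevice=WindowsLog\tAgentLogFile=Security\tEventID=5156\t"
            "Message=The Windows Filtering Platform has permitted a connection.")

HEADER_RE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

# Pragmatic loosening of "alphanumeric": real program names commonly
# contain '-', '_', '.' or '/', so those are tolerated in the check.
TAG_OK_RE = re.compile(r"^[A-Za-z0-9_./-]+$")


@dataclass
class SyslogMsg:
    timestamp: str
    hostname: str
    tag: str
    msg: str
    tag_truncated: bool  # True when the TAG hit the limit mid-token


def parse_legacy(line: str) -> SyslogMsg:
    """Simplified model of a legacy syslog parser (an assumption, not
    rsyslog's real code): the TAG runs up to the first space or colon
    but never past TAG_MAXSIZE characters; the remainder is MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("no RFC 3164 header found")
    ts, host, rest = m.groups()
    i = 0
    while i < len(rest) and i < TAG_MAXSIZE and rest[i] not in " :":
        i += 1
    truncated = i == TAG_MAXSIZE and i < len(rest) and rest[i] not in " :"
    tag, msg = rest[:i], rest[i:]
    if msg.startswith(":"):
        msg = msg[1:]
    return SyslogMsg(ts, host, tag, msg.lstrip(" "), truncated)


def tag_problems(parsed: SyslogMsg) -> List[str]:
    """Reasons the TAG violates RFC 3164: too long (cut at 32 chars) or
    made of characters other than a program name plus optional [pid]."""
    problems = []
    base = re.sub(r"\[\d+\]$", "", parsed.tag)  # drop a trailing [pid]
    if parsed.tag_truncated:
        problems.append("TAG exceeds %d characters and was cut" % TAG_MAXSIZE)
    if not TAG_OK_RE.match(base):
        problems.append("TAG contains non-alphanumeric characters")
    return problems


def audit(lines) -> List[Tuple[str, List[str]]]:
    """Return (line, problems) for every line whose TAG is malformed, so
    the upstream sender can be fixed instead of the loss being ignored."""
    report = []
    for line in lines:
        problems = tag_problems(parse_legacy(line))
        if problems:
            report.append((line, problems))
    return report


if __name__ == "__main__":
    for line in (AGENT_MSG, GOOD_MSG):
        p = parse_legacy(line)
        print("tag=%r truncated=%s problems=%s"
              % (p.tag, p.tag_truncated, tag_problems(p)))
```

Running it shows the agent-style line yielding a 32-character TAG of `AgentDevice=WindowsLog<tab>AgentLogF` with the rest of the key=value data displaced into MSG, while the line with `winagent[912]:` in front parses cleanly with no problems reported. Forwarding with a `%rawmsg%` template, as in the workaround above, sidesteps the header parser but leaves the sender's format as it is; the check here is meant to make that kind of malformed input visible rather than hide it.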