Hello,

According to RFC5424, the value of the TIMESTAMP field may be "-":


6.2.3. TIMESTAMP
  ...
  A syslog application MUST use the NILVALUE as TIMESTAMP if the syslog
   application is incapable of obtaining system time.


However, when I send such messages to rsyslog 8.14.0, it seems as if it
parses it as an invalid field value and takes the rest of the message as
one text field.

Here's my rsyslog.conf:


module(load="imuxsock")
module(load="imklog")
module(load="imudp")
module(load="pmrfc5424")
module(load="omfile")

input(type="imudp" port="514" ruleset="myparser")

ruleset(name="myparser" parser="rsyslog.rfc5424") {
    action(type="omfile" file="/var/log/mylog")
    action(type="omfile" file="/var/log/rsyslogdebug" template="RSYSLOG_DebugFormat")
}



I'm using netcat to send two UDP packets: the first with a full
timestamp (which works OK) and the second with a nil ("-") timestamp.
Here's my log-sending test script:


#!/bin/sh

body='<11>1 2000-01-01T15:00:00.000Z 1.2.3.4 myhost - L - first message text'
echo "$body" | netcat -c -u 127.0.0.1 514

body='<11>1 - 1.2.3.4 myhost - L - second message text'
echo "$body" | netcat -c -u 127.0.0.1 514



Here are the resulting entries in /var/log/mylog:


2000-01-01T15:00:00.000Z 1.2.3.4 myhost first message text
2015-11-23T20:19:38.050354+00:00 localhost  - 1.2.3.4 myhost - L - second message text



Here are the resulting entries in /var/log/rsyslogdebug:

Debug line with all properties:
FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: '1.2.3.4', PRI: 11,
syslogtag 'myhost', programname: 'myhost', APP-NAME: 'myhost', PROCID: '-', MSGID: 'L',
TIMESTAMP: 'Jan  1 15:00:00', STRUCTURED-DATA: '-',
msg: 'first message text'
escaped msg: 'first message text'
inputname: imudp rawmsg: '<11>1 2000-01-01T15:00:00.000Z 1.2.3.4 myhost - L - first message text'
$!:
$.:
$/:

Debug line with all properties:
FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost', PRI: 11,
syslogtag '', programname: '', APP-NAME: '', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Nov 23 20:19:38', STRUCTURED-DATA: '-',
msg: '- 1.2.3.4 myhost - L - second message text'
escaped msg: '- 1.2.3.4 myhost - L - second message text'
inputname: imudp rawmsg: '<11>1 - 1.2.3.4 myhost - L - second message text'
$!:
$.:
$/:



Is my configuration wrong?
Are my test packets malformed?
Does rsyslog support nil values for timestamps in incoming messages?

Thanks,
Dov
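
Added example (not part of the original post and not rsyslog code): a small Python check of the two test packets against the RFC 5424 HEADER grammar, treating the NILVALUE "-" as a valid TIMESTAMP, so a sender's packets can be validated independently of the collector. The function name parse_rfc5424 and the simplified STRUCTURED-DATA pattern are assumptions made for this illustration.

```python
import re
from datetime import datetime

NIL = "-"  # RFC 5424 NILVALUE

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2})"
    r" (?P<timestamp>\S+) (?P<hostname>[!-~]{1,255}) (?P<appname>[!-~]{1,48})"
    r" (?P<procid>[!-~]{1,128}) (?P<msgid>[!-~]{1,32}) (?P<rest>.*)",
    re.DOTALL,
)
TIMESTAMP = re.compile(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(\.\d{1,6})?(Z|[+-]\d\d:\d\d)")
# Simplified STRUCTURED-DATA (assumption): "-" or one or more [...] elements
SDATA = re.compile(r"-|(?:\[(?:[^\]\\]|\\.)*\])+")


def parse_rfc5424(line):
    """Parse one RFC 5424 message; NILVALUE header fields come back as None."""
    m = HEADER.fullmatch(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    f = m.groupdict()
    if int(f["pri"]) > 191:
        raise ValueError("PRI out of range")
    ts = f["timestamp"]
    if ts != NIL:  # "-" is legal; anything else must be a full timestamp
        if not TIMESTAMP.fullmatch(ts):
            raise ValueError("bad TIMESTAMP: %r" % ts)
        datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")  # range-check fields
    sd = SDATA.match(f["rest"])
    if not sd:
        raise ValueError("bad STRUCTURED-DATA")
    tail = f["rest"][sd.end():]
    if tail and not tail.startswith(" "):
        raise ValueError("missing SP before MSG")
    f.update(pri=int(f["pri"]), version=int(f["version"]),
             sdata=sd.group(), msg=tail[1:])
    del f["rest"]
    return {k: (None if v == NIL and k != "msg" else v) for k, v in f.items()}


# The two test packets from the post above
SAMPLES = [
    "<11>1 2000-01-01T15:00:00.000Z 1.2.3.4 myhost - L - first message text",
    "<11>1 - 1.2.3.4 myhost - L - second message text",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_rfc5424(s))
```
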