On 8/8/17 2:30 AM, Rainer Gerhards wrote:
2017-08-08 6:36 GMT+02:00 deoren

Does the 'RSYSLOG_SyslogProtocol23Format' format intentionally drop colons
from the 'syslogtag' property?

Well, this format is RFC5424, and RFC5424 does not have syslogtag as
you know it. See RFC5424 Sect A.1 for the relationship. This is the
relevant quote for your question:

-----------------------------

    The MSG part of the message is described as TAG and CONTENT in RFC
    3164.  In this document, MSG is what was called CONTENT in RFC 3164.
    The TAG is now part of the header, but not as a single field.  The
    TAG has been split into APP-NAME, PROCID, and MSGID.  This does not
    totally resemble the usage of TAG, but provides the same
    functionality for most of the cases.

-----------------------------

I have not actually checked the code, but I think we drop the colon as
part of this transformation process.


On the original system I use the RSYSLOG_DebugFormat template and I see that
'syslogtag' contains a value like this (note the colon):

'postfix/qmgr[1144]:'

but when forwarded, the RSYSLOG_DebugFormat template shows the syslogtag as
containing (note the lack of a colon):

'postfix/qmgr[1144]'

Check what APP-NAME, PROCID and MSGID contain, which are derived from the tag.

RFC5424 tells you where these parts are to be placed in the header.


It appears that this lack of a colon is confusing pflogsumm when the daily
cron job calls this script to generate a daily report of the mail activity
recorded on our central rsyslog instance.

That would indicate that pflogsumm does not properly handle RFC5424 messages.

HTH
Rainer

Thank you for your feedback, I appreciate you taking the time to respond.

When I enable debug logging I see that the colon is nowhere to be seen in 'programname' or 'APP-NAME' when in any of the forwarding formats (which I understand to be the norm), but is present in the syslogtag property for Traditional and Forward formats, not present for the Protocol23 forwarding format.


# RSYSLOG_TraditionalForwardFormat:
syslogtag 'postfix/qmgr[29132]:', programname: 'postfix/qmgr', APP-NAME: 'postfix/qmgr', PROCID: '29132', MSGID: '-',


# RSYSLOG_ForwardFormat:
syslogtag 'postfix/qmgr[29132]:', programname: 'postfix/qmgr', APP-NAME: 'postfix/qmgr', PROCID: '29132', MSGID: '-',


# RSYSLOG_SyslogProtocol23Format:
syslogtag 'postfix/qmgr[29132]', programname: 'postfix/qmgr', APP-NAME: 'postfix/qmgr', PROCID: '29132', MSGID: '-',

When rsyslog saves a stream of Protocol23 formatted messages to disk, I assumed that the RSYSLOG_FileFormat template would source the syslogtag property and save that entire value to disk as-is. Does something else happen instead?

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
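
The TAG to APP-NAME/PROCID relationship from RFC5424 Sect A.1 discussed in this thread, as an added Python example; it is not part of the original posts and is not rsyslog's code. It splits a legacy tag into header fields and rebuilds a `name[pid]:` tag from an RFC5424 line for consumers that expect the colon; the function names and the sample line (timestamp, host, message text) are constructed for illustration.

```python
import re

# Legacy tag as the 'syslogtag' property shows it: name, optional [pid], optional colon.
TAG_RE = re.compile(r"^(?P<app>[^\[\]:\s]+)(?:\[(?P<pid>[^\]\s]+)\])?:?$")
# RFC 5424 header fields up to MSGID; the last group is STRUCTURED-DATA [SP MSG].
HDR_RE = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)

def split_tag(tag):
    """Legacy tag -> (APP-NAME, PROCID); '-' is the RFC 5424 NILVALUE."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"unrecognised tag: {tag!r}")
    return m.group("app"), m.group("pid") or "-"

def legacy_tag(app, procid):
    """(APP-NAME, PROCID) -> 'name[pid]:' as RFC 3164-era parsers expect."""
    return f"{app}:" if procid == "-" else f"{app}[{procid}]:"

def skip_sd(rest):
    """Return MSG, stepping over STRUCTURED-DATA ('-' or one or more [..] elements)."""
    if rest[:1] == "-":
        return rest[2:]
    i = 0
    while rest[i:i + 1] == "[":
        in_quotes = False
        i += 1
        while i < len(rest) and (in_quotes or rest[i] != "]"):
            if rest[i] == "\\" and in_quotes:
                i += 1                      # skip the escaped char in a PARAM-VALUE
            elif rest[i] == '"':
                in_quotes = not in_quotes   # a ']' inside quotes does not end the element
            i += 1
        i += 1                              # step over the closing ']'
    return rest[i + 1:]                     # drop the SP that precedes MSG

def to_legacy(line):
    """RFC 5424 line -> 'TIMESTAMP HOST name[pid]: MSG' with the colon restored."""
    m = HDR_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 version 1 message")
    _pri, ts, host, app, procid, _msgid, rest = m.groups()
    return f"{ts} {host} {legacy_tag(app, procid)} {skip_sd(rest)}"

# Constructed sample line; only the tag values (postfix/qmgr, 29132) come from the thread.
SAMPLE = "<22>1 2017-08-08T02:30:00-05:00 mail1 postfix/qmgr 29132 - - 0A1B2C3D: removed"
```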