IIRC a bug in this regard was recently fixed. I suggest upgrading to the current 8.2002.0 version and retrying.
HTH
Rainer

On Sun, 8 Mar 2020 at 12:41, Brian Candler via rsyslog (<[email protected]>) wrote:
>
> Hello,
>
> I just wanted to report this problem with rsyslog 8.32.0-1ubuntu4 from
> the Ubuntu 18.04 standard repos - possibly it has been fixed since.
>
> I have a device (Cisco ASA) which is sending admittedly dubious format
> rfc3164 messages. I have captured with tcpdump and can replicate like this:
>
> echo -n "<164>Mar 08 2020 10:40:30 lch-asa1 : %ASA-4-711004: Task ran for 293 msec, Process = Dispatch Unit, PC = 82a4a8c, Call stack = 0x082a4a8c 0x0806a65c" | nc -w1 -u localhost 514
>
> (notice spaces before and after colon). I then have rsyslog forwarding
> these messages (to promtail) using RFC5424:
>
> *.* action(type="omfwd" protocol="tcp"
>            target="127.0.0.1" port="5140"
>            Template="RSYSLOG_SyslogProtocol23Format"
>            TCP_Framing="octet-counted")
>
> When I look at the tcpdump of the forwarded stream, I see:
>
> <164>1 2020-03-08T10:40:30+00:00 lch-asa1  - - - %ASA-4-711004: Task ran for 293 msec, Process = Dispatch Unit, PC = 82a4a8c, Call stack = 0x082a4a8c 0x0806a65c
>
> (notice double space after lch-asa1). The receiver is rejecting these
> messages and dropping the connection:
>
> caller=syslogtarget.go:174 msg="error parsing syslog stream" err="expecting an app-name (from 1 to max 48 US-ASCII characters) or a nil value [col 42]"
>
> I think promtail is correct to reject them, since RFC5424 says:
>
>       HOSTNAME        = NILVALUE / 1*255PRINTUSASCII
>       APP-NAME        = NILVALUE / 1*48PRINTUSASCII
>       PROCID          = NILVALUE / 1*128PRINTUSASCII
>       MSGID           = NILVALUE / 1*32PRINTUSASCII
>       STRUCTURED-DATA = NILVALUE / 1*SD-ELEMENT
>
> i.e. rsyslog is leaving app-name completely empty in the forwarded
> message, which is not permitted.
>
> I managed to make a workaround - I had to use a temporary variable as I
> couldn't set a system property, nor see a way to conditionally insert a
> dash in a template.
>
> if ($app-name == '') then set $.app='-'; else set $.app=$app-name;
>
> template(name="Fixed_SyslogProtocol23Format" type="string"
>      string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %.app% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")
>
> *.* action(type="omfwd" protocol="tcp"
>            target="127.0.0.1" port="5140"
>            Template="Fixed_SyslogProtocol23Format"
>            TCP_Framing="octet-counted")
>
> However, it seems to me that the existing RSYSLOG_SyslogProtocol23Format
> template assumes that $app-name will always be set to a non-empty
> string, and therefore perhaps the rfc3164 parser should always return a
> dash rather than empty app name, regardless of its input?
>
> Regards,
>
> Brian.
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
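
Added example (not part of the original thread, and not rsyslog or promtail code): a header check that applies the RFC 5424 field rules quoted above to a forwarded line, so a relay can flag or repair an empty field before a strict receiver drops the connection. The function names `check_header` and `fill_empty_fields` are hypothetical, the sample line is constructed from the forwarded message in the thread, and columns are 0-based offsets.

```python
import re

# Header field limits from the RFC 5424 ABNF quoted in the thread
# (PRINTUSASCII = %d33-126, NILVALUE = "-").
LIMITS = [("HOSTNAME", 255), ("APP-NAME", 48), ("PROCID", 128), ("MSGID", 32)]
PRINTUSASCII = re.compile(r"[\x21-\x7e]+")
PRI_VERSION = re.compile(r"<\d{1,3}>[1-9]\d{0,2} ")


def check_header(line):
    """Return (ok, field, col) for one syslog line; col is a 0-based offset."""
    m = PRI_VERSION.match(line)
    if not m:
        return (False, "PRI/VERSION", 0)
    pos = m.end()
    # TIMESTAMP is only delimited here, not validated in full.
    end = line.find(" ", pos)
    if end <= pos:
        return (False, "TIMESTAMP", pos)
    pos = end + 1
    for name, maxlen in LIMITS:
        end = line.find(" ", pos)
        if end == -1:
            end = len(line)
        token = line[pos:end]
        # An empty token means two consecutive spaces: the field is missing
        # entirely, which the ABNF does not allow (it must be "-" at least).
        if not token or len(token) > maxlen or not PRINTUSASCII.fullmatch(token):
            return (False, name, pos)
        pos = end + 1
    return (True, None, None)


def fill_empty_fields(line):
    """Insert NILVALUE into empty header fields, as the workaround template
    does for app-name. Only the four checked fields are touched, never MSG."""
    for _ in range(len(LIMITS)):
        ok, field, col = check_header(line)
        if ok or field in ("PRI/VERSION", "TIMESTAMP") or line[col:col + 1] != " ":
            break
        line = line[:col] + "-" + line[col:]
    return line


# Constructed sample: the forwarded message from the thread, MSG shortened.
BAD = ("<164>1 2020-03-08T10:40:30+00:00 lch-asa1  - - - %ASA-4-711004: "
       "Task ran for 293 msec")
```

STRUCTURED-DATA is not checked here; the offset reported for the sample line is the same column 42 that promtail names in its error.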

