Re: [rsyslog] Altering forwarded logfile names

[David Lang via rsyslog]

ahh, I missed that. A bit longer explination:

before the date, the message should start out with '<number>' or '<number>1' 
depending on which RFC it's following (from the format of the date, this should 
have the 1 as required by RFC5424) without that it's triggering the non-standard 
extension that rsyslog supports that allows you to send embedded newlines in the 
message.

with it starting with 2021 (which would be detected to be the message length), 
that would explain why the newlines are being ignored.

disabling this feature as rainer suggests may fix it.

still a problem with the sender violating the RFC, just combined with a 
extension of the syslog protocol that rsyslog support to make a set of odd 
symptoms.

David Lang



On Fri, 26 Mar 2021, Rainer Gerhards wrote:

Date: Fri, 26 Mar 2021 08:55:02 +0100
From: Rainer Gerhards <rgerha...@hq.adiscon.com>
To: Scott Slattery <scott.slatt...@motorolasolutions.com>
Cc: David Lang <da...@lang.hm>, rsyslog-users <rsyslog@lists.adiscon.com>,
    mariusz.k...@safecomp.com
Subject: Re: [rsyslog] Altering forwarded logfile names

I think I guess what is going on. Probably a message starts, without pri,
with a number. If so, that triggers octet-counted framing, because that's
what it really indicates. So the number becomes the message length.

Try param

supportOctedtCountedFraming="off"

Doc:

https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html

Rainer

El jue, 25 mar 2021 a las 23:37, Scott Slattery (<
scott.slatt...@motorolasolutions.com>) escribió:

Upon further review, I'm seeing packet lengths from 4434 down to 111. It
appears once the packet length exceeds 2919 the trailing 0x0a is missing
from any remaining packets larger than 2919.

If I sort by packet size, it jumps from 2919 to 2974 then all further line
feed character is missing.

*Scott Slattery*

*Sr. Systems & Cloud Architect*

*Cloud, Compute, Information & Architecture Team*

motorolasolutions.com

*O: 602.529.8226*

*E*: scott.slatt...@motorolasolutions.com




On Thu, Mar 25, 2021 at 3:24 PM Scott Slattery <
scott.slatt...@motorolasolutions.com> wrote:


*Rsyslogd version:*
rsyslogd 8.24.0-52.amzn2, compiled with:
PLATFORM: x86_64-koji-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
Number of Bits in RainerScript integers: 64

Here is my config:
$MaxMessageSize 64k
$EscapeControlCharactersOnReceive on

module(load="imuxsock")
module(load="imjournal" StateFile="imjournal.state")
module(load="imklog")
module(load="immark")
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat"
DirCreateMode="0705" FileCreateMode="0704")
module(load="impstats" interval="600" log.syslog="off" severity="7"
log.file="/var/log/impstats.log")

$DynaFileCacheSize 100
global(workDirectory="/var/lib/rsyslog" localHostname="cloudlogmaster01")

$MainMsgQueueSize 200000
$MainMsgQueueHighWaterMark 120000
$MainMsgQueueDiscardMark 160000
$MainMsgQueueWorkerThreads 100
$RulesetCreateMainQueue on

$imjournalRatelimitInterval 0
$imjournalRatelimitBurst 0
#### RULES ####

template(name="debug" type="string" string="Debug line with all
properties:\nFROMHOST: '%FROMHOST%'\n, FROMHOST-IP: '%fromhost-ip%'\n,
HOSTNAME: '%HOSTNAME%'\n, PRI: %PRI%,\nSYSLOGTAG '%syslogtag%'\n,
PROGRAMNAME: '%programname%'\n, APP-NAME: '%app-name%'\n, PROCID:
'%PROCID%'\n, MSGID: '%MSGID%'\n, TIMESTAMP: '%TIMESTAMP%'\n,
STRUCTURED-DATA: '%STRUCTURED-DATA%'\n, msg: '%msg%'\nRAWMSG:
'%rawmsg%',\n\nRAWMSG-AFTER-PRI: '%rawmsg-after-pri%'\nJSONMESG:
'%jsonmesg%'\n")

template(name="DynRemoteLogFile" type="string"
string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%$year%-%$month%-%$day%-%app-name%.log")

template(name="MalformedMsgFormatter" type="string"
string="%timegenerated% %fromhost% %rawmsg:::drop-last-lf%\n")
template(name="DynRemoteMalformed" type="string"
string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%$year%-%$month%-%$day%-oag-audit.log")

template(name="DynRemoteLogFile" type="list") {
constant(value="/splunklog/remote/")
property(name="FROMHOST")
constant(value="-")
property(name="FROMHOST-IP")
constant(value="/")
property(name="$YEAR")
constant(value="-")
property(name="$MONTH")
constant(value="-")
property(name="$DAY")
constant(value="-")
property(name="syslogtag" position.from="1" position.to="32")
constant(value="-")
property(name="app-name" controlcharacters="drop")
constant(value=".log")
}

ruleset(name="RemoteServer"){
if ($fromhost-ip startswith '10.41.102') then {
action(type="omfile" dynafile="DynRemoteMalformed"
template="MalformedMsgFormatter")
stop
}

 action(type="omfile" dynaFile="DynRemoteLogFile")
}


# module imtcp
module(load="imtcp" KeepAlive="on")
input(type="imtcp" port="10514" ruleset="RemoteServer")


#kern.*                                         /dev/console
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
authpriv.*                                      /var/log/secure
mail.*                                          /var/log/maillog
cron.*                                          /var/log/cron
*.emerg                                         :omusrmsg:*
uucp,news.crit                                  /var/log/spooler
local7.*                                        /var/log/boot.log

*Scott Slattery*

*Sr. Systems & Cloud Architect*

*Cloud, Compute, Information & Architecture Team*

motorolasolutions.com

*O: 602.529.8226*

*E*: scott.slatt...@motorolasolutions.com




On Thu, Mar 25, 2021 at 3:20 PM David Lang <da...@lang.hm> wrote:

what version of rsyslog are you running. can you post your full config?

if you are receiving via TCP and it's not splitting the logs based on
newlines,
something very odd is happening.

David Lang

  On Thu, 25 Mar 2021, Scott Slattery wrote:

Date: Thu, 25 Mar 2021 15:07:22 -0700
From: Scott Slattery <scott.slatt...@motorolasolutions.com>
To: David Lang <da...@lang.hm>
Cc: Rainer Gerhards <rgerha...@hq.adiscon.com>,
    rsyslog-users <rsyslog@lists.adiscon.com>,
mariusz.k...@safecomp.com
Subject: Re: [rsyslog] Altering forwarded logfile names

So I'm looking at the pcap and on the first log record the header
information looks fine and the record terminated by 0x0A line feed.

When I look at the record containing this record written to the rsyslog
file, the record length is 65586 (64k) long which is what I think you
were
referring to earlier. Why would rsyslog write such a long record? I
initially thought my data may be getting truncated so I updated
'$MaxMessageSize 64k'. Any suggestion how I fix this behavior.

I can confirm that each log record in the pcap is terminated by 0x0A
and
looks in tact so must be something I need to do on rsyslog to fix this.

*Scott Slattery*

*Sr. Systems & Cloud Architect*

*Cloud, Compute, Information & Architecture Team*

motorolasolutions.com

*O: 602.529.8226*

*E*: scott.slatt...@motorolasolutions.com




On Thu, Mar 25, 2021 at 1:15 PM David Lang <da...@lang.hm> wrote:

you may want to capture with -X so that it decodes it into hex and
you can
see
newlines vs linefeeds

David Lang

On Thu, 25 Mar 2021, Scott Slattery wrote:

Date: Thu, 25 Mar 2021 12:47:43 -0700
From: Scott Slattery <scott.slatt...@motorolasolutions.com>
To: David Lang <da...@lang.hm>
Cc: Rainer Gerhards <rgerha...@hq.adiscon.com>,
    rsyslog-users <rsyslog@lists.adiscon.com>,
mariusz.k...@safecomp.com
Subject: Re: [rsyslog] Altering forwarded logfile names

Thanks David, I just grabbed my first capture and am looking at it.
I'm
using TCP vs UDP but your comment makes sense. I'll certainly share
with
you my observations once I have some data to refer to. This has been
a
learning experience. It's also the first time I've ever seen such an
issue
with rsyslog so it's a bit of a puzzle.

*Scott Slattery*

*Sr. Systems & Cloud Architect*

*Cloud, Compute, Information & Architecture Team*

motorolasolutions.com

*O: 602.529.8226*

*E*: scott.slatt...@motorolasolutions.com




On Thu, Mar 25, 2021 at 12:32 PM David Lang <da...@lang.hm> wrote:

the rawmsg field in the debugformat output shows exactly what
rsyslog is
seeing.

the reason I asked you to check multiple entries is that if rsyslog
does
not see
the separator (due to either multiple messages in one UDP packet, or
missing
newlines in a TCP stream) it will combine what are intended as
multiple
messages
together into one message as far as rsyslog is concerned, and only
break
it into
multiple messages when it hits the configured maxmessagesize size.
That
breaks
things at arbitrary points in the message, so as you look at
multiple
messages,
they will not all start the same way.

a tcpdump -s0 -A -n (with the appropriate port/ip filter) will also
show
exactly
what's happening over the wire.

David Lang

On Thu, 25 Mar 2021, Scott Slattery wrote:

Date: Thu, 25 Mar 2021 12:23:03 -0700
From: Scott Slattery <scott.slatt...@motorolasolutions.com>
To: Rainer Gerhards <rgerha...@hq.adiscon.com>
Cc: rsyslog-users <rsyslog@lists.adiscon.com>, David Lang <
da...@lang.hm
,
    mariusz.k...@safecomp.com
Subject: Re: [rsyslog] Altering forwarded logfile names

Hey Guys, before I consume more of your time, I'm capturing the
packets
from the source device to determine if any of the payload is lost
on
its
way to the rsyslog collector. After I analyze further, I'll share
my
observations. I'm hoping nothing is getting dropped over the wire.
Thanks
for your patience and help so far. I expect to have additional
details
shortly.

*Scott Slattery*

*Sr. Systems & Cloud Architect*

*Cloud, Compute, Information & Architecture Team*

motorolasolutions.com

*O: 602.529.8226*

*E*: scott.slatt...@motorolasolutions.com




On Thu, Mar 25, 2021 at 12:51 AM Rainer Gerhards <
rgerha...@hq.adiscon.com>
wrote:

Sorry if I didn't catch it, but did you  post the configuration?
If
not, it would probably be useful.

Looking at the message properties, this looks like the message was
received via UDP but had a LF inside it which was intended as a
frame
separator. If so, that is another bug in the vendor's
implementation.
Framing is used for TCP, but not UDP. For UDP it is strictly one
message per package.

HTH,
Rainer

El mié, 24 mar 2021 a las 22:23, Scott Slattery via rsyslog
(<rsyslog@lists.adiscon.com>) escribió:

From what I can discern since there are lots of transactions,
there
seem
to
be multiple payload formats. For all that I have so far
analyzed, the
date
truncation issue is the same regardless of the payload received.
Like
you,
I've never used mmnormalize but I will look at it as an option.
I've
reached out to the product support team to better understand if
there
is
a
appliance-side misconfiguration and something that can be
corrected
there
or if I need to make adjustments on the rsyslog side to clean up
the
records.

What I meant is that there are multiple message formats (payload
data)
but
there seems to be a consistent truncation of the date field just
as
you
saw
in the app-name tag field.

I appreciate your ongoing feedback and help. This issue is new
to me
and
will need a creative solution if the vendor has no answers.

Many thanks,


*Scott Slattery*

*Sr. Systems & Cloud Architect*

*Cloud, Compute, Information & Architecture Team*

motorolasolutions.com

*O: 602.529.8226*

*E*: scott.slatt...@motorolasolutions.com




On Wed, Mar 24, 2021 at 2:14 PM David Lang <da...@lang.hm>
wrote:

when you say 'each is incorrect but the same format'

does that mean that every log has the year missing? or that
every
log
is
combining the logs together?

I'll  note that it's possible to define a custom parser using
the
mmnormalize
library and add it to the parsing stack. I helped define the
need
for
such
a
capability, but haven't used it yet.

David Lang

  On Wed, 24 Mar 2021, Scott Slattery wrote:

Date: Wed, 24 Mar 2021 08:58:07 -0700
From: Scott Slattery <scott.slatt...@motorolasolutions.com>
To: mariusz.k...@safecomp.com
Cc: rsyslog-users <rsyslog@lists.adiscon.com>, David Lang <
da...@lang.hm

Subject: Re: [rsyslog] Altering forwarded logfile names

Yes, all the logs are coming in this way. There are three
separate
logs
being sent and each is incorrect in its own right but the same
format
behavior is consistent across each of the three logs. I will
look
further
into the suggestions you have provided and have already
reached out
to
the
appliance support team and will raise the nonconformance with
the
RFC.

This does provide me some valuable guidance and I thank each
of you
for
your feedback.

*Scott Slattery*

*Sr. Systems & Cloud Architect*

*Cloud, Compute, Information & Architecture Team*

motorolasolutions.com

*O: 602.529.8226*

*E*: scott.slatt...@motorolasolutions.com




On Tue, Mar 23, 2021 at 11:22 PM <mariusz.k...@safecomp.com>
wrote:

There's something strange with this log entry. Notice that it
looks
as
if
it were more than one log entries joined with LF character
(escaped
on
input as #012). And all "further" entries start with a - still
nonconformant to the RFC but "fuller" - timestamp containing
year.It's
the
leading event that seems to be trimmed in the front somehow.
Do
all
events
arrive like this?Wysłano z telefonu Samsung<div>
</div><div>
</div><!-- originalMessage --><div>-------- Original message
--------</div><div>From: Scott Slattery via rsyslog <
rsyslog@lists.adiscon.com> </div><div>Date: 24/03/2021  01:52
(GMT+01:00) </div><div>To: David Lang <da...@lang.hm>
</div><div>Cc:
Scott Slattery <scott.slatt...@motorolasolutions.com>, Scott
Slattery
via
rsyslog <rsyslog@lists.adiscon.com> </div><div>Subject: Re:
[rsyslog]
Altering forwarded logfile names </div><div>
</div>

Hi David, fortunately I had already done this. I'm including
an
actual
log
entry but have anonymized the data to keep the actual user and
email
address confidential:

Debug line with all properties:
FROMHOST: 'ause1oagatst02.aws.mycompany.com'
, fromhost-ip: '10.41.102.143'
, HOSTNAME: 'ause1oagatst02.aws.mycompany.com'
, PRI: 13,
syslogtag '03-23T16:'
, programname: '03-23T16'
, APP-NAME: '03-23T16'
, PROCID: '-'
, MSGID: '-'
, TIMNESTAMP: 'Mar 23 21:47:13'
, STRUCTURED-DATA: '-'
, *msg*: '47:20.708-05:00 AUSE1OAGATST02.aws.mycompany.com
ACCESS_GATEWAY
ACCESS AUTHZ SESSION INFO USER_SESSION
[SESSION_ID="_eddf580f5a5b9436ea27e5e6fa4515a2175ca69ac0"
SUBJECT="
joe.u...@mycompantions.com" APP="Ignio Uat OAG"
APP_TYPE="HEADERWEB2015_APP" APP_DOMAIN="
apigniodashboard-uat.mycompany.com"
RESULT="ALLOW" REASON="SESSION_INTEGRITY_VERIFIED"
REMOTE_IP="10.44.65.38"
USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192
Safari/537.36"]
SRF Request RemoteIP: 10.44.65.38 verified session RemoteIP:
10.44.65.38#0122021-03-23T16:47:20.708-05:00
AUSE1OAGATST02.aws.mycompany.com ACCESS_GATEWAY ACCESS AUTHZ
POLICY
INFO
USER_AUTHZ
[SESSION_ID="_eddf580f5a5b9436ea27e5e6fa4515a2175ca69ac0"
SUBJECT="joe.u...@mycompantions.com"
RESOURCE="/_dash-dependencies"
METHOD="GET" POLICY="root" POLICY_TYPE="PROTECTED"
DURATION="0"
APP="Ignio
Uat OAG" APP_TYPE="HEADERWEB2015_APP" APP_DOMAIN="
apigniodashboard-uat.mycompany.com" RESULT="ALLOW"
REASON="N/A -
SESSIONID=_eddf580f5a5b9436ea27e5e6fa4515a2175ca69ac0
oag_username=
joe.u...@mycompantions.com RelayDomain=
apigniodashboard-uat.mycompany.com
UserName=joe.u...@mycompantions.com






SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
RemoteIP=10.44.65.38 USER_AGENT=Mozilla/5.0 (Macintosh; Intel
Mac
OS X
10_15_7) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/88.0.4324.192
Safari/537.36 creationTime=1616536016811
maxInactiveInterval=3600000
maxActiveInterval=28800000 lastAccessedTime=1616536029221 "
REMOTE_IP="10.44.65.38" USER_AGENT="Mozilla/5.0 (Macintosh;
Intel
Mac
OS X
10_15_7) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/88.0.4324.192
Safari/537.36"] allow access to
resource#0122021-03-23T16:47:20.711-05:00
AUSE1OAGATST02.aws.mycompany.com ACCESS_GATEWAY ACCESS AUTHZ
SESSION
INFO
USER_SESSION
[SESSION_ID="_eddf580f5a5b9436ea27e5e6fa4515a2175ca69ac0"
SUBJECT="Joe.User@mycompan'
*escaped msg*: '47:20.708-05:00
AUSE1OAGATST02.aws.mycompany.com
ACCESS_GATEWAY ACCESS AUTHZ SESSION INFO USER_SESSION
[SESSION_ID="_eddf580f5a5b9436ea27e5e6fa4515a2175ca69ac0"
SUBJECT="
joe.u...@mycompantions.com" APP="Ignio Uat OAG"
APP_TYPE="HEADERWEB2015_APP" APP_DOMAIN="
apigniodashboard-uat.mycompany.com"
RESULT="ALLOW" REASON="SESSION_INTEGRITY_VERIFIED"
REMOTE_IP="10.44.65.38"
USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192
Safari/537.36"]
SRF Request RemoteIP: 10.44.65.38 verified session RemoteIP:
10.44.65.38#0122021-03-23T16:47:20.708-05:00
AUSE1OAGATST02.aws.mycompany.com ACCESS_GATEWAY ACCESS AUTHZ
POLICY
INFO
USER_AUTHZ
[SESSION_ID="_eddf580f5a5b9436ea27e5e6fa4515a2175ca69ac0"
SUBJECT="joe.u...@mycompantions.com"
RESOURCE="/_dash-dependencies"
METHOD="GET" POLICY="root" POLICY_TYPE="PROTECTED"
DURATION="0"
APP="Ignio
Uat OAG" APP_TYPE="HEADERWEB2015_APP" APP_DOMAIN="
apigniodashboard-uat.mycompany.com" RESULT="ALLOW"
REASON="N/A -
SESSIONID=_eddf580f5a5b9436ea27e5e6fa4515a2175ca69ac0
oag_username=
joe.u...@mycompantions.com RelayDomain=
apigniodashboard-uat.mycompany.com
UserName=joe.u...@mycompantions.com






SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
RemoteIP=10.44.65.38 USER_AGENT=Mozilla/5.0 (Macintosh; Intel
Mac
OS X
10_15_7) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/88.0.4324.192
Safari/537.36 creationTime=1616536016811
maxInactiveInterval=3600000
maxActiveInterval=28800000 lastAccessedTime=1616536029221 "
REMOTE_IP="10.44.65.38" USER_AGENT="Mozilla/5.0 (Macintosh;
Intel
Mac
OS X
10_15_7) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/88.0.4324.192
Safari/537.36"] allow access to
resource#0122021-03-23T16:47:20.711-05:00
AUSE1OAGATST02.aws.mycompany.com ACCESS_GATEWAY ACCESS AUTHZ
SESSION
INFO
USER_SESSION
[SESSION_ID="_eddf580f5a5b9436ea27e5e6fa4515a2175ca69ac0"
SUBJECT="Joe.User@mycompan'
*rawmsg*: '03-23T16:47:20.708-05:00
AUSE1OAGATST02.aws.mycompany.com
ACCESS_GATEWAY *ACCESS* AUTHZ SESSION INFO USER_SESSION
[SESSION_ID="_eddf580f5a5b9436ea27e5e6fa4515a2175ca69ac0"
SUBJECT="
joe.u...@mycompantions.com" APP="Ignio Uat OAG"
APP_TYPE="HEADERWEB2015_APP" APP_DOMAIN="
apigniodashboard-uat.mycompany.com"
RESULT="ALLOW" REASON="SESSION_INTEGRITY_VERIFIED"
REMOTE_IP="10.44.65.38"
USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192
Safari/537.36"]
SRF Request RemoteIP: 10.44.65.38 verified session RemoteIP:
10.44.65.38#0122021-03-23T16:47:20.708-05:00
AUSE1OAGATST02.aws.mycompany.com ACCESS_GATEWAY ACCESS AUTHZ
POLICY
INFO
USER_AUTHZ
[SESSION_ID="_eddf580f5a5b9436ea27e5e6fa4515a2175ca69ac0"
SUBJECT="joe.u...@mycompantions.com"
RESOURCE="/_dash-dependencies"
METHOD="GET" POLICY="root" POLICY_TYPE="PROTECTED"
DURATION="0"
APP="Ignio
Uat OAG" APP_TYPE="HEADERWEB2015_APP" APP_DOMAIN="
apigniodashboard-uat.mycompany.com" RESULT="ALLOW"
REASON="N/A -
SESSIONID=_eddf580f5a5b9436ea27e5e6fa4515a2175ca69ac0
oag_username=
joe.u...@mycompantions.com RelayDomain=
apigniodashboard-uat.mycompany.com
UserName=joe.u...@mycompantions.com






SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
RemoteIP=10.44.65.38 USER_AGENT=Mozilla/5.0 (Macintosh; Intel
Mac
OS X
10_15_7) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/88.0.4324.192
Safari/537.36 creationTime=1616536016811
maxInactiveInterval=3600000
maxActiveInterval=28800000 lastAccessedTime=1616536029221 "
REMOTE_IP="10.44.65.38" USER_AGENT="Mozilla/5.0 (Macintosh;
Intel
Mac
OS X
10_15_7) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/88.0.4324.192
Safari/537.36"] allow access to
resource#0122021-03-23T16:47:20.711-05:00
AUSE1OAGATST02.aws.mycompany.com ACCESS_GATEWAY ACCESS AUTHZ
SESSION
INFO
USER_SESSION
[SESSION_ID="_eddf580f5a5b9436ea27e5e6fa4515a2175ca69ac0"
SUBJECT="Joe.User@mycompan'


By inspecting the rawmsg, I can see that field four
(space-delimited)
indicates this is the ACCESS log. So if I were able to
extract the
log
identifier from the msg, I could then write all access logs
to the
same
daily file. There are other formats as well from the same
device
but the
idea is the same.

*Scott Slattery*

*Sr. Systems & Cloud Architect*

*Cloud, Compute, Information & Architecture Team*

motorolasolutions.com

*O: 602.529.8226*

*E*: scott.slatt...@motorolasolutions.com




On Tue, Mar 23, 2021 at 5:29 PM David Lang <da...@lang.hm>
wrote:

the source logfile name is not included in the payload by the
syslog
spec.
It
may be in the case of your appliance, but we would need to
see a
sample
log to
understand ho to parse it.

based on your template, you are using app-name, which may be
listed
separtely if
it's a RFC5424 format log, or may be part of the syslog tag
if
it's a
RFC3164
format log over the wire (neither format has a way to
specify a
source
log
file
by default)

you can look at






https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_Chojins_LinuxCNC-2DPolargraph&d=DwIDaQ&c=q3cDpHe1hF8lXU5EFjNM_A&r=9VZN8jOeh6Wq3zsBr6Mr_GSxmEpodGbXQ2UxP3oRpciBnWp1cJKyh3iyX6xKS_Zd&m=N7tTREp8_2WP8ZJPT8UpZsuFedG7Q4cil9vsQoiSiGM&s=XRQ9OP8K-KeJO3-s6-unMBIRqEZONzs6npmrQYaXnds&e=
and see the *-cc
options that you could apply to the app-name to eliminate
control
characters.

Again, we really need to see the original log message to
understand
what's
what.
Please log it with the templateRSYSLOG_DebugFormat so we can
see
exactly
what is
sent over the wire and how rsyslog has parsed it.

David Lang

  On Tue, 23 Mar 2021, Scott Slattery via rsyslog
wrote:

Date: Tue, 23 Mar 2021 16:05:45 -0700
From: Scott Slattery via rsyslog <rsyslog@lists.adiscon.com

To: John Chivian <jchiv...@chivian.com>
Cc: Scott Slattery <scott.slatt...@motorolasolutions.com>,
    rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Altering forwarded logfile names

Thanks, John, let me try to clarify what I mean.

Normally when I forward from a remote server to the central
log
server, I
can include a tag that can then be used to determine the
file
name I
want
on the central server. Since I have no real way to include
this
tag
from
the appliance, this is not an option.

I'm looking for a way of inspecting the incoming packets to
determining
the
source logfile name (which is included in the payload) and
use
that
filename on the target central server. Since there are
multiple
logs
being
sent (access, audit, monitor, etc.), I'd like to segregate
these
into
their
own files. I'm already using a template with the host
information
to
dynamically create the file names. I just don't know how I
can
go
beyond
this to also include the source logname.

Here's the template I'm using. It works for all other hosts
where
I
can
configure the tag but I get garbage names from the
appliance. I
had
hoped
that the appliance included some standard syslog tags but it
doesn't
seem
so.

template(name="DynRemoteLogFile" type="string"







string="/remote/%FROMHOST%-%FROMHOST-IP%/%$year%-%$month%-%$day%-%app-name%.log")

*Scott Slattery*

*Sr. Systems & Cloud Architect*

*Cloud, Compute, Information & Architecture Team*

motorolasolutions.com

*O: 602.529.8226*

*E*: scott.slatt...@motorolasolutions.com




On Tue, Mar 23, 2021 at 3:30 PM John Chivian <
jchiv...@chivian.com>
wrote:

Your use of the term “file name” is confusing.  When
senders
deliver
to
rsyslog over the network there is no exchange of files or
filenames,
only
packets of information.  Those packets are expected to be
in a
format
that
syslog understands such that useful information (header
elements
and
message body) may be parsed from them.  If you as the
rsyslog
admin
choose
to use some of that header information to compose
filenames for
output
files, then yes you are sort of at the mercy of the senders
content
(especially if the sender doesn’t follow the syslog rules).
However,
there
are functions in the advanced syntax that can be used to
perform
the
type
of character replacements you’re talking about.

It is common practice to use the syslog header/rsyslog
property
element
called “hostname” for just such purposes.  Is this what
you’re
talking
about?  You’d have to provide your configuration for real
analysis,
at
least the part you perceive to be responsible for the
problem.

Regards,



On Mar 23, 2021, at 12:35, Scott Slattery via rsyslog <
rsyslog@lists.adiscon.com> wrote:

I have a configured central log collector using rsyslog.
A few
of
the
devices forwarding their logs are appliances that have no
configuration
options other than the IP forwarding address and
protocol. I
cannot
control
what file names are being sent.

Unfortunately, they are sending unintelligible file names
with
characters
that normally would be escaped. Is there any way I can
control
or
alter
the
incoming file name to normalize it to avoid these odd
characters?

For example, could I establish a character map that maps
the
unallowed
character to something acceptable?

thanks,

*Scott Slattery*

*Sr. Systems & Cloud Architect*

*Cloud, Compute, Information & Architecture Team*

motorolasolutions.com

*O: 602.529.822*

*E*: scott.slatt...@motorolasolutions.com

--


*For more information on how and why we collect your
personal
information, please visit our Privacy Policy
<







https://www.motorolasolutions.com/en_us/about/privacy-policy.html?elqTrackId=8980d888905940e39a2613a7a3dcb0a7&elqaid=2786&elqat=2#privacystatement
.*
_______________________________________________
rsyslog mailing list








https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.adiscon.net_mailman_listinfo_rsyslog&d=DwIFaQ&c=q3cDpHe1hF8lXU5EFjNM_A&r=9VZN8jOeh6Wq3zsBr6Mr_GSxmEpodGbXQ2UxP3oRpciBnWp1cJKyh3iyX6xKS_Zd&m=F25vuEW_UOr4xhEXRHv4FYzBC10xi8a7L7cY9KDJz-E&s=O-radZKC6RhALSGrunmgfnDcUe0FBEzQXlwVMv4rwrk&e=








https://urldefense.proofpoint.com/v2/url?u=http-3A__www.rsyslog.com_professional-2Dservices_&d=DwIFaQ&c=q3cDpHe1hF8lXU5EFjNM_A&r=9VZN8jOeh6Wq3zsBr6Mr_GSxmEpodGbXQ2UxP3oRpciBnWp1cJKyh3iyX6xKS_Zd&m=F25vuEW_UOr4xhEXRHv4FYzBC10xi8a7L7cY9KDJz-E&s=Ujl6rNYsQwlkacdBkNSQI3_ugt9iTahsA2ALpSb1zWA&e=
What's up with rsyslog? Follow







https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_rgerhards&d=DwIFaQ&c=q3cDpHe1hF8lXU5EFjNM_A&r=9VZN8jOeh6Wq3zsBr6Mr_GSxmEpodGbXQ2UxP3oRpciBnWp1cJKyh3iyX6xKS_Zd&m=F25vuEW_UOr4xhEXRHv4FYzBC10xi8a7L7cY9KDJz-E&s=5gFALcKlKXLfCND69qR14lRU4iA42kMWjsC9PDoIb3Q&e=
NOTE WELL: This is a PUBLIC mailing list, posts are
ARCHIVED
by
a
myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST
if
you
DON'T LIKE THAT.



--


*For more information on how and why we collect your
personal
information, please visit our Privacy Policy
<






https://www.motorolasolutions.com/en_us/about/privacy-policy.html?elqTrackId=8980d888905940e39a2613a7a3dcb0a7&elqaid=2786&elqat=2#privacystatement
.*
_______________________________________________
rsyslog mailing list







https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.adiscon.net_mailman_listinfo_rsyslog&d=DwIDaQ&c=q3cDpHe1hF8lXU5EFjNM_A&r=9VZN8jOeh6Wq3zsBr6Mr_GSxmEpodGbXQ2UxP3oRpciBnWp1cJKyh3iyX6xKS_Zd&m=N7tTREp8_2WP8ZJPT8UpZsuFedG7Q4cil9vsQoiSiGM&s=4ENTgbqNRL4m9EpaPD487wHPCEOI1UMUrZ6zizJ25HE&e=







https://urldefense.proofpoint.com/v2/url?u=http-3A__www.rsyslog.com_professional-2Dservices_&d=DwIDaQ&c=q3cDpHe1hF8lXU5EFjNM_A&r=9VZN8jOeh6Wq3zsBr6Mr_GSxmEpodGbXQ2UxP3oRpciBnWp1cJKyh3iyX6xKS_Zd&m=N7tTREp8_2WP8ZJPT8UpZsuFedG7Q4cil9vsQoiSiGM&s=YboIrpBbwiXlhlR3JZnvNDi2QWxYQqNifb7d8JV6Xn0&e=
What's up with rsyslog? Follow






https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_rgerhards&d=DwIDaQ&c=q3cDpHe1hF8lXU5EFjNM_A&r=9VZN8jOeh6Wq3zsBr6Mr_GSxmEpodGbXQ2UxP3oRpciBnWp1cJKyh3iyX6xKS_Zd&m=N7tTREp8_2WP8ZJPT8UpZsuFedG7Q4cil9vsQoiSiGM&s=gVD-Vwy9VAK7xAHPrmGhwhORXImwEoBcYZZVVG-KbZQ&e=
NOTE WELL: This is a PUBLIC mailing list, posts are
ARCHIVED by
a
myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST
if
you
DON'T LIKE THAT.

--


*For more information on how and why we collect your personal
information, please visit our Privacy Policy
<





https://www.motorolasolutions.com/en_us/about/privacy-policy.html?elqTrackId=8980d888905940e39a2613a7a3dcb0a7&elqaid=2786&elqat=2#privacystatement
.*
_______________________________________________
rsyslog mailing list






https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.adiscon.net_mailman_listinfo_rsyslog&d=DwIGaQ&c=q3cDpHe1hF8lXU5EFjNM_A&r=9VZN8jOeh6Wq3zsBr6Mr_GSxmEpodGbXQ2UxP3oRpciBnWp1cJKyh3iyX6xKS_Zd&m=SloAZVc0I2seYTg6VejDjZaHBqa6pVo7oFvF4zTWPok&s=XmKOVDZwhbJF7GnsDKu-uoz3xzXXdd_kesx3hMS_RFo&e=






https://urldefense.proofpoint.com/v2/url?u=http-3A__www.rsyslog.com_professional-2Dservices_&d=DwIGaQ&c=q3cDpHe1hF8lXU5EFjNM_A&r=9VZN8jOeh6Wq3zsBr6Mr_GSxmEpodGbXQ2UxP3oRpciBnWp1cJKyh3iyX6xKS_Zd&m=SloAZVc0I2seYTg6VejDjZaHBqa6pVo7oFvF4zTWPok&s=cga3HVkV7UUOhHIbjCzyyabOX7hrcgro7F2gU2QB284&e=
What's up with rsyslog? Follow





https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_rgerhards&d=DwIGaQ&c=q3cDpHe1hF8lXU5EFjNM_A&r=9VZN8jOeh6Wq3zsBr6Mr_GSxmEpodGbXQ2UxP3oRpciBnWp1cJKyh3iyX6xKS_Zd&m=SloAZVc0I2seYTg6VejDjZaHBqa6pVo7oFvF4zTWPok&s=sH7WzGFu43DQHvNetrIn1fmGK-hbU7RsZv_t9hcmugw&e=
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED
by a
myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST if
you
DON'T LIKE THAT.



--


*For more information on how and why we collect your personal
information, please visit our Privacy Policy
<



https://www.motorolasolutions.com/en_us/about/privacy-policy.html?elqTrackId=8980d888905940e39a2613a7a3dcb0a7&elqaid=2786&elqat=2#privacystatement
.*
_______________________________________________
rsyslog mailing list




https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.adiscon.net_mailman_listinfo_rsyslog&d=DwIFaQ&c=q3cDpHe1hF8lXU5EFjNM_A&r=9VZN8jOeh6Wq3zsBr6Mr_GSxmEpodGbXQ2UxP3oRpciBnWp1cJKyh3iyX6xKS_Zd&m=vid2hj5QTU4sYumJIQ5fK64MsYLQqaSGhVmAC2kqwJQ&s=7hc9b2gSfvsfQzXvsRVXqGeP4Rz_tJtrykpjqkGBIdk&e=




https://urldefense.proofpoint.com/v2/url?u=http-3A__www.rsyslog.com_professional-2Dservices_&d=DwIFaQ&c=q3cDpHe1hF8lXU5EFjNM_A&r=9VZN8jOeh6Wq3zsBr6Mr_GSxmEpodGbXQ2UxP3oRpciBnWp1cJKyh3iyX6xKS_Zd&m=vid2hj5QTU4sYumJIQ5fK64MsYLQqaSGhVmAC2kqwJQ&s=bDybhvts9KqI-WEfMHo7O40ulQK5M6Tg4tnKNRRIhE8&e=
What's up with rsyslog? Follow



https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_rgerhards&d=DwIFaQ&c=q3cDpHe1hF8lXU5EFjNM_A&r=9VZN8jOeh6Wq3zsBr6Mr_GSxmEpodGbXQ2UxP3oRpciBnWp1cJKyh3iyX6xKS_Zd&m=vid2hj5QTU4sYumJIQ5fK64MsYLQqaSGhVmAC2kqwJQ&s=zPhpcUPlK_CWLiU75_WwjyQGz5mFTiXc1yyBIfppkrI&e=
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you
DON'T LIKE THAT.









*For more information on how and why we collect your personal information,
please visit our Privacy Policy
<https://www.motorolasolutions.com/en_us/about/privacy-policy.html?elqTrackId=8980d888905940e39a2613a7a3dcb0a7&elqaid=2786&elqat=2#privacystatement>.*


_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.