Mailing List Archive

parsing error with imudp?
I'm constructing custom output formats and it looks like things are not
getting parsed as I would expect.

the incoming logs look like

14:35:37.480815 IP 192.168.210.6.32769 > 192.168.210.5.514: SYSLOG
daemon.notice, length: 143
E....j..@..z..............,.<29>Oct 24 14:35:37 179.50.100.86
plug-gw[13051]: disconnect host= /192.168.242.12
destination=179.50.100.52/14872 in=1069 out=71 duration=1

14:35:37.480882 IP 192.168.210.6.32769 > 192.168.210.5.514: SYSLOG
daemon.notice, length: 135
E....k..@..................|<29>Oct 24 14:35:37 happy1-p plug-gw[10883]:
disconnect host= /10.201.7.120 destination=192.168.104.31/5667 in=132
out=720 duration=1


what is unexpected is that tag is the hostname/IP and the plug-gw is part
of the message

the hostname field is getting populated with what I would expect to be in
fromhost (the relay box that sent the message to me)

the syslog daemons sending me the logs have been modified, so there is a
possibility that I messed up on them and the format that's being sent
isn't right, but if so I'm not seeing anything wrong with it.

I am using the nextmaster branch.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
Re: parsing error with imudp?
Could you get me the debug output while such a message is being
processed? That would probably be useful...

Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com
> [mailto:rsyslog-bounces@lists.adiscon.com] On Behalf Of david@lang.hm
> Sent: Friday, October 24, 2008 11:48 PM
> To: rsyslog-users
> Subject: [rsyslog] parsing error with imudp?
>
Re: parsing error with imudp?
On Sun, 26 Oct 2008, Rainer Gerhards wrote:

> Could you get me the debug output while such a message is being
> processed? That would probably be useful...

I'll have to recompile to get a build with all the debug features enabled.
I will do this tomorrow.

I did check rsyslog->rsyslog relay and saw the same thing (actually it was
sysklogd -> rsyslog -> rsyslog. the first rsyslog shows the correct thing,
the second rsyslog shows the hostname of the first, with the hostname of
the sysklog box in the message)

David Lang

Re: parsing error with imudp?
On Sun, 26 Oct 2008, david@lang.hm wrote:

> On Sun, 26 Oct 2008, Rainer Gerhards wrote:
>
>> Could you get me the debug output while such a message is being
>> processed? That would probably be useful...
>
> I'll have to recompile to get a build with all the debug fetures enabled.
> I will do this tomorrow.

1264.971559438:{6000}imudp.c: recv(4,266)/192.168.255.2,acl:1,msg:<13>Sep
18 00:44:18 secsec1 logger: this is a
test message 00000000000000000000
1264.971582626:{6000}imudp.c: main queue: entry added, size now 1 entries
1264.971595478:{6000}imudp.c: wtpAdviseMaxWorkers signals busy
1264.971611682:{6000}imudp.c: main queue: EnqueueMsg advised worker start
1264.971627886:{5997}main queue:Reg/w0: main queue: entry deleted, state
0, size now 0 entries
1264.971649678:{6000}imudp.c: Listening on UDP syslogd socket 4 (IPv4/port
514).
1264.971664206:{6000}imudp.c: --------imUDP calling select, active file
descriptors (max 4): 4
1264.971684042:{5997}main queue:Reg/w0: dropped LF at very end of message
(DropTrailingLF is set)
1264.971701084:{6000}imudp.c:
1264.971717009:{5997}main queue:Reg/w0: msg parser: flags 30, from
'192.168.255.2', msg <13>Sep 18 00:44:18 secse
c1 logger: this is a test message
000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000049
1264.971747461:{5997}main queue:Reg/w0: Message has legacy syslog format.
1264.971767577:{5997}main queue:Reg/w0: Called action, logging to
builtin-file
1264.971784898:{5997}main queue:Reg/w0: (/var/log/messages)
1264.971798867:{5997}main queue:Reg/w0: main queue:Reg/w0: worker IDLE,
waiting for work.
1265.971497411:{6000}imudp.c: Host name for your address (192.168.255.2)
unknown
1265.971509424:{6000}imudp.c: recv(4,266)/192.168.255.2,acl:1,msg:<13>Sep
18 00:44:18 secsec1 logger: this is a
test message 00000000000000000000
1265.971527863:{6000}imudp.c: main queue: entry added, size now 1 entries
1265.971538480:{6000}imudp.c: wtpAdviseMaxWorkers signals busy
1265.971554125:{6000}imudp.c: main queue: EnqueueMsg advised worker start
1265.971569491:{5997}main queue:Reg/w0: main queue: entry deleted, state
0, size now 0 entries
1265.971587372:{5997}main queue:Reg/w0: dropped LF at very end of message
(DropTrailingLF is set)
1265.971603017:{5997}main queue:Reg/w0: msg parser: flags 30, from
'192.168.255.2', msg <13>Sep 18 00:44:18 secse
c1 logger: this is a test message
000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000050
1265.971617824:{5997}main queue:Reg/w0: Message has legacy syslog format.
1265.971633749:{6000}imudp.c: Listening on UDP syslogd socket 4 (IPv4/port
514).
1265.971647159:{6000}imudp.c: --------imUDP calling select, active file
descriptors (max 4): 4
1265.971664760:{5997}main queue:Reg/w0: Called action, logging to
builtin-file
1265.971681523:{6000}imudp.c:
1265.971696610:{5997}main queue:Reg/w0: (/var/log/messages)
1265.971712814:{5997}main queue:Reg/w0: main queue:Reg/w0: worker IDLE,
waiting for work.
1266.971494055:{6000}imudp.c: Host name for your address (192.168.255.2)
unknown
1266.971506068:{6000}imudp.c: recv(4,266)/192.168.255.2,acl:1,msg:<13>Sep
18 00:44:18 secsec1 logger: this is a
test message 00000000000000000000
