On Fri, 6 Mar 2009, david@lang.hm wrote:
> On Fri, 6 Mar 2009, Rainer Gerhards wrote:
>
>> That's why I am after the log samples :) I just termed a new acronym
>> this afternoon:
>> YAMSF - yet another malformed syslog format ;)
>>
>> http://blog.gerhards.net/2009/02/calling-for-log-samples.html
>>
>> I try hard to get the fields right, but often this is impossible,
>> resulting in the issues you see.
>
> these logs come from several different servers, including different OSs,
> but all are misparsed by rsyslog.
>
> I am not seeing anything obviously wrong with them
>
> <167>Mar 6 16:57:54 172.20.245.8 %PIX-7-710005: UDP request discarded from SERVER1/2741 to test_app:255.255.255.255/61601
> <29>Mar 6 16:57:54 methane1d-b plug-gw[25213]: connect host= /192.168.243.37 destination=179.50.100.130/60029
> <29>Mar 6 16:57:54 methane1a-b plug-gw[29368]: disconnect host= /192.168.242.119 destination=179.50.100.52/14733 in=357 out=71 duration=1
> <29>Mar 6 16:57:54 happy1-b plug-gw[30259]: connect host= /192.168.22.8 destination=192.168.104.31/5667
> <22>Mar 6 16:57:54 192.168.242.66 sendmail[13328]: n270vrSH013326: to=<blah@HOTMAIL.COM>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=37052, relay=mx1.hotmail.com. [65.54.244.8], dsn=2.0.0, stat=Sent ( <200903070057.n270vrL174106@w31.diginsite.com> Queued mail for delivery)
> <29>Mar 6 16:57:54 corpmail1-p netacl[3839]: permit host= /10.201.7.120 service=telnetd execute=/usr/local/etc/tn-gw
Doing some more digging I see some very definite problems.
I created the following template:
$template DumpAll,"msg =%msg%\nrawmsg =%rawmsg%\nuxtradmsg =%uxtradmsg%\nhostname =%hostname%\nsource =%source%\nfromhost =%fromhost%\nfromhost-ip =%fromhost-ip%\nsyslogtag =%syslogtag%\nprogramname =%programname%\npri =%pri%\npri-text =%pri-text%\niut =%iut%\nsyslogfacility =%syslogfacility%\nsyslogfacility-text =%syslogfacility-text%\nsyslogseverity =%syslogseverity%\nsyslogseverity-text =%syslogseverity-text%\nsyslogpriority =%syslogpriority%\nsyslogpriority-text =%syslogpriority-text%\ntimegenerated =%timegenerated%\ntimereported =%timereported%\ntimestamp =%timestamp%\nprotocol-version =%protocol-version%\nstructured-data =%structured-data%\napp-name =%app-name%\nprocid =%procid%\nmsgid =%msgid%\ninputname =%inputname%\n\n"
which creates a nice table for each log message showing what's in each
property.
Things that I am seeing:
hostname and source are fromhost rather than the name/IP that's in the
record.
msg includes the programname
programname and appname are what hostname should be
David Lang
msg = %PIX-7-710005: UDP request discarded from BOK37UAT/3683 to test_app:255.255.255.255/61601
rawmsg =<167>Mar 6 18:33:47 172.20.245.8 %PIX-7-710005: UDP request discarded from BOK37UAT/3683 to test_app:255.255.255.255/61601
uxtradmsg =Mar 6 18:33:47 172.20.245.8 %PIX-7-710005: UDP request discarded from BOK37UAT/3683 to test_app:255.255.255.255/61601
hostname =itascan1a-p
source =itascan1a-p
fromhost =itascan1a-p
fromhost-ip =192.168.210.6
syslogtag =172.20.245.8
programname =172.20.245.8
pri =167
pri-text =local4.debug<167>
iut =1
syslogfacility =20
syslogfacility-text =local4
syslogseverity =7
syslogseverity-text =debug
syslogpriority =7
syslogpriority-text =debug
timegenerated =Mar 7 02:33:47
timereported =Mar 6 18:33:47
timestamp =Mar 6 18:33:47
protocol-version =0
structured-data =-
app-name =172.20.245.8
procid =-
msgid =-
inputname =imudp
msg = plug-gw[28055]: disconnect host= /192.168.242.212 destination=179.50.100.130/12773 in=0 out=0 duration=0
rawmsg =<29>Mar 6 18:33:47 methane1d-b plug-gw[28055]: disconnect host= /192.168.242.212 destination=179.50.100.130/12773 in=0 out=0 duration=0
uxtradmsg =Mar 6 18:33:47 methane1d-b plug-gw[28055]: disconnect host= /192.168.242.212 destination=179.50.100.130/12773 in=0 out=0 duration=0
hostname =itascan1a-p
source =itascan1a-p
fromhost =itascan1a-p
fromhost-ip =192.168.210.6
syslogtag =methane1d-b
programname =methane1d-b
pri =29
pri-text =daemon.notice<29>
iut =1
syslogfacility =3
syslogfacility-text =daemon
syslogseverity =5
syslogseverity-text =notice
syslogpriority =5
syslogpriority-text =notice
timegenerated =Mar 7 02:33:47
timereported =Mar 6 18:33:47
timestamp =Mar 6 18:33:47
protocol-version =0
structured-data =-
app-name =methane1d-b
procid =-
msgid =-
inputname =imudp
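As an added example (not code from the thread, from David Lang or from rsyslog), here is a small Python splitter for the BSD-syslog lines quoted above. It shows the field boundaries the post says rsyslog got wrong (HOSTNAME landing in syslogtag/programname, and the TAG staying inside msg) and the PRI arithmetic behind the facility/severity values in the dumps. The sample lines are copied from the post; the facility name table follows the common syslogd numbering (20 = local4, 3 = daemon), which is an assumption about the receiver, not something the thread states.

```python
"""RFC 3164 field splitter for the log lines quoted in the thread (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Facility/severity names as a BSD syslogd prints them (assumed table, 0..23 / 0..7).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm [d]d hh:mm:ss HOSTNAME TAG[pid]: MSG  -- the day may be padded with a
# second space ("Mar  6") or, as in the mail quotes, collapsed to a single one.
HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$",
                    re.DOTALL)
# TAG runs up to the first ':', '[' or whitespace; an optional [pid] follows it.
TAG = re.compile(r"^(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:?\s?(?P<msg>.*)$", re.DOTALL)

@dataclass
class SyslogMsg:
    pri: int
    facility: str
    severity: str
    timestamp: str
    hostname: str
    programname: str
    procid: Optional[str]
    msg: str

def parse_rfc3164(line: str) -> SyslogMsg:
    """Split one BSD-syslog line into the fields rsyslog exposes as properties."""
    m = HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 severities - 1
        raise ValueError(f"PRI out of range: {pri}")
    tag = TAG.match(m.group(4))
    return SyslogMsg(
        pri=pri,
        facility=FACILITIES[pri >> 3],  # facility = PRI / 8
        severity=SEVERITIES[pri & 7],   # severity = PRI % 8
        timestamp=m.group(2),
        hostname=m.group(3),            # the slot rsyslog put into syslogtag in the dumps
        programname=tag.group("tag") if tag else "",
        procid=tag.group("pid") if tag else None,
        msg=tag.group("msg") if tag else m.group(4),
    )

if __name__ == "__main__":
    # Two of the lines quoted in the post (PIX and plug-gw).
    for raw in ["<167>Mar 6 16:57:54 172.20.245.8 %PIX-7-710005: UDP request discarded from SERVER1/2741 to test_app:255.255.255.255/61601",
                "<29>Mar 6 16:57:54 methane1d-b plug-gw[25213]: connect host= /192.168.243.37 destination=179.50.100.130/60029"]:
        print(parse_rfc3164(raw))
```

Running it against the PIX line yields hostname 172.20.245.8, programname %PIX-7-710005 and local4.debug, which is what the dump in the post shows squeezed into syslogtag/msg instead.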
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com