Mailing List Archive

Weird problems when combining rsyslog 3 and 4
Hi,

I have a funny problem. Around here we have a number of nodes using
old syslogd, which report to their headnodes, which use rsyslog v3,
which keep relaying till I get a small copy on a test box. This test box
uses, since yesterday, rsyslog v4.

I noticed that for rsyslog v4, the last relay is considered to be the
source host, the real source host is considered to be the syslogtag and
everything else is inside the %msg% property. For the default template,
I get messages like these:

2009-03-26T00:00:00+01:00 relayhost sourcehost1 cvs: GSSAPI userok:
cvsadmin GSS_C_MUTUAL_FLAG GSS_C_REPLAY_FLAG GSS_C_INTEG_FLAG
GSS_C_CONF_FLAG
2009-03-26T00:00:00+01:00 relayhost sourcehost2 cvs: GSSAPI userok:
cvsadmin GSS_C_MUTUAL_FLAG GSS_C_REPLAY_FLAG GSS_C_INTEG_FLAG
GSS_C_CONF_FLAG

And, as I used to have a single file per host, I now have a single, huge
"relayhost" file. Filters based on source or program name are broken, of
course.

What did I screw when upgrading?

Thanks.
--
Luis Fernando Muñoz Mejías
Luis.Fernando.Munoz.Mejias@cern.ch

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
Re: Weird problems when combining rsyslog 3 and 4
You screw nothing - that's a bug in v4. You need to pull the latest devel
from git ;) A new release is due soon.

Rainer

Re: Weird problems when combining rsyslog 3 and 4
On Thursday, 26 March 2009 15:30, Rainer Gerhards wrote:
> You screw nothing - that's a bug in v4. You need to pull the latest devel
> from git ;)

I just tried (if it's "master" branch, I mean), with no success.

Cheers.
--
Luis Fernando Muñoz Mejías
Luis.Fernando.Munoz.Mejias@cern.ch

Re: Weird problems when combining rsyslog 3 and 4
It's the master branch and I am sure I fixed this... mhhh... Need to finally
complete what I am working on right now, will look after that...

Rainer

Re: Weird problems when combining rsyslog 3 and 4
On Thursday, 26 March 2009 17:04, Rainer Gerhards wrote:
> It's the master branch and I am sure I fixed this...

I'm sorry to say it's not. I just pulled git master branch, rebuilt,
reinstalled and no changes.

5 minutes ago I downgraded to v3.20, and my new log files appeared as I
expected them to, and my filters work as expected.

> mhhh... Need to finally complete what I am working on right now, will
> look after that...

Of course.

Cheers.
--
Luis Fernando Muñoz Mejías
Luis.Fernando.Munoz.Mejias@cern.ch

Re: Weird problems when combining rsyslog 3 and 4
Can you send me an on-the-wire sample of those messages (I mean that are
invalidly interpreted). I have now created the parser test suite and they
would make a good addition, especially as I need to troubleshoot them ;)

Rainer

Re: Weird problems when combining rsyslog 3 and 4
Rainer,

> Can you send me an on-the-wire sample of those messages (I mean that are
> invalidly interpreted). I have now created the parser test suite and they
> would make a good addition, especially as I need to troubleshoot them ;)
>
> Rainer

Before disclosing enough data I have to ask for permission. I can tell
you that the last hop in this relay chain is using rsyslog v3, and that
the format I got (tcpdump dixit) for these messages is always like this:

<38>Mar 27 19:06:53 source_server sshd(pam_unix)[12750]: session opened
for user foo by (uid=0)

And what gets actually logged for that is:

2009-03-27T19:06:53+01:00 last_hop_server source_server
sshd(pam_unix)[12750]: session opened for user foo by (uid=0)

Then, last_hop_server becomes %hostname% and source_server becomes
%syslogtag%.

This last hop server is using rsyslog v3, so it seems to me I have to
instruct v4 that the input is coming in a non-default format.

Cheers.
--
Luis Fernando Muñoz Mejías
Luis.Fernando.Munoz.Mejias@cern.ch
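
Added example, not part of the original messages or of rsyslog: a simplified Python model of the BSD syslog (RFC 3164) layout that splits the wire sample quoted above into PRI, hostname, tag and message, then checks a stored line for the field shift described in the thread. The regular expressions and function names are assumptions for illustration and do not reproduce rsyslog's parser.

```python
import re

# Simplified model of the BSD syslog (RFC 3164) wire layout, not rsyslog's parser:
#   <PRI>Mmm dd hh:mm:ss HOSTNAME TAG MSG
WIRE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<tag>\S+) ?(?P<msg>.*)$", re.S)
# Stored line layout as shown in the thread: TIMESTAMP HOSTNAME TAG MSG
STORED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<hostname>\S+) (?P<tag>\S+) ?(?P<msg>.*)$", re.S)

def parse_wire(line):
    """Split a wire message into PRI-derived values, hostname, tag and msg."""
    m = WIRE_RE.match(line)
    if m is None:
        raise ValueError("not a BSD-syslog formatted message")
    fields = m.groupdict()
    pri = int(fields.pop("pri"))
    if pri > 191:  # highest valid value: facility 23 * 8 + severity 7
        raise ValueError("PRI out of range")
    fields["facility"], fields["severity"] = pri >> 3, pri & 7
    return fields

def parse_stored(line):
    m = STORED_RE.match(line)
    if m is None:
        raise ValueError("unexpected stored line layout")
    return m.groupdict()

def field_shift(wire_line, stored_line):
    """True if the originating host landed in the tag position and the
    original tag at the start of the message, as described in the thread."""
    wire, stored = parse_wire(wire_line), parse_stored(stored_line)
    return (stored["hostname"] != wire["hostname"]
            and stored["tag"] == wire["hostname"]
            and stored["msg"].startswith(wire["tag"]))

# Samples from the message above, each re-joined onto one line.
WIRE = ("<38>Mar 27 19:06:53 source_server sshd(pam_unix)[12750]: "
        "session opened for user foo by (uid=0)")
STORED_BAD = ("2009-03-27T19:06:53+01:00 last_hop_server source_server "
              "sshd(pam_unix)[12750]: session opened for user foo by (uid=0)")
# Constructed: the stored line with the originating host kept as hostname.
STORED_OK = ("2009-03-27T19:06:53+01:00 source_server "
             "sshd(pam_unix)[12750]: session opened for user foo by (uid=0)")

if __name__ == "__main__":
    print(field_shift(WIRE, STORED_BAD), field_shift(WIRE, STORED_OK))
```

PRI 38 decodes to facility 4 and severity 6, so per-host files and source or program filters depend entirely on the hostname and tag positions being read correctly at every hop.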

Re: Weird problems when combining rsyslog 3 and 4
These samples are enough, no need to disclose more. Single lines are sufficient, as long as they can repro the problem :)

rainer

Re: Weird problems when combining rsyslog 3 and 4
Sorry, this slipped my attention. However, I have just added this case to the
parser test suite and I do not see any parsing error. Maybe a problem with
the template (but I don't think so)? Could you re-try and provide me a debug
log (need parsing and sending) from when this problem occurred.

Thanks,
Rainer
