Strangely malformed log line
I'm working on converting our current syslog-ng configurations over to
rsyslog, and in the course of doing so I've uncovered a weirdly malformed
log line from go_audit in my logs. This is on Ubuntu Xenial, so /dev/log is
a link into journalctl, and we're wondering if that might be related. These
are the lines I'm seeing (lightly sanitized, "..." is the beginning of the
payload):

Jan 17 16:20:26 rsyslogtest1-uswestxxxxxx :26-08:00 st1-uswestxxxxxx
go-audit[1143]: ...

It looks like there's a corresponding message in journalctl:

Jan 17 16:20:26 rsyslogtest1-uswestxxxxxx go-audit[1143]:
2019-01-17T16:20:26-08:00 rsyslogtest1-uswestxxxxxx go-audit[1143]: ...

And noticeably, we can see that the :26-08:00 is 32 characters *after* the
hostname in the journalctl logs and then the st1-uswestxxxxxx begins 32
characters *before* the payload. There are no rulesets acting on these log
lines aside from "dump everything in this file" at the moment. My closest
guess is that this is a weird interaction with the default templates (from
rsyslog.conf):

$ActionFileDefaultTemplate RSYSLOG_FileFormat
$ActionForwardDefaultTemplate RSYSLOG_ForwardFormat

Has anyone seen something like this before and knows what I need to do to
fix this? The go-audit messages in journalctl are the same on a similar
host running syslog-ng, but they don't seem to exhibit the same malformed
behavior, so I'm trying to figure out why this would happen with one but
not the other.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Strangely malformed log line
Log the messages with the template RSYSLOG_DebugFormat; that will show the raw
message that has arrived, as well as the variables parsed from it.

Based on that we can make a guess as to what is happening.

David Lang

On Thu, 17 Jan 2019, Chastity Blackwell via rsyslog wrote:

> Date: Thu, 17 Jan 2019 16:40:45 -0800
> From: Chastity Blackwell via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: Chastity Blackwell <cblkwell@yelp.com>
> Subject: [rsyslog] Strangely malformed log line
>
> I'm working on converting our current syslog-ng configurations over to
> rsyslog, and in the course of doing so I've uncovered a weirdly malformed
> log line from go_audit in my logs. This is on Ubuntu Xenial, so /dev/log is
> a link into journalctl, and we're wondering if that might be related. These
> are the lines I'm seeing (lightly sanitized, "..." is the beginning of the
> payload):
>
> Jan 17 16:20:26 rsyslogtest1-uswestxxxxxx :26-08:00 st1-uswestxxxxxx
> go-audit[1143]: ...
>
> It looks like there's a corresponding message in journalctl:
>
> Jan 17 16:20:26 rsyslogtest1-uswestxxxxxx go-audit[1143]:
> 2019-01-17T16:20:26-08:00 rsyslogtest1-uswestxxxxxx go-audit[1143]: ...
>
> And noticeably, we can see that the :26-08:00 is 32 characters *after* the
> hostname in the journalctl logs and then the st1-uswestxxxxxx begins 32
> characters *before* the payload. There are no rulesets acting on these log
> lines aside from "dump everything in this file" at the moment. My closest
> guess is that this is a weird interaction with the default templates (from
> rsyslog.conf):
>
> $ActionFileDefaultTemplate RSYSLOG_FileFormat
> $ActionForwardDefaultTemplate RSYSLOG_ForwardFormat
>
> Has anyone seen something like this before and knows what I need to do to
> fix this? The go-audit messages in journalctl are the same on a similar
> host running syslog-ng, but they don't seem to exhibit the same malformed
> behavior, so I'm trying to figure out why this would happen with one but
> not the other.
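One way to capture what the reply asks for, as an added rsyslog configuration example that is not part of the thread (the debug file path and the choice of a $rawmsg filter are assumptions):

```conf
# Added example (not from the thread): write a second copy of the go-audit
# messages with the built-in RSYSLOG_DebugFormat template, which prints the
# raw message exactly as it arrived on /dev/log plus the properties rsyslog
# parsed from it (timestamp, hostname, syslogtag, msg, ...).
# The log file path below is an assumption; adjust to taste.
#
# The filter matches on $rawmsg rather than $programname on purpose: when the
# tag itself is being parsed incorrectly, a $programname filter may never
# match and the debug file would stay empty.
if ($rawmsg contains "go-audit") then {
    action(type="omfile"
           file="/var/log/go-audit-debug.log"
           template="RSYSLOG_DebugFormat")
}
# No "stop" here: the existing "dump everything" action still runs, so the
# normal file keeps its (malformed) line for side-by-side comparison.
```

Comparing the rawmsg line in the debug file with the syslogtag and msg properties printed beneath it shows whether the damage is already present in what journald hands to /dev/log or is introduced by rsyslog's parser.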