Hi,
the LF seems to be not missing:
0x0540: 4e6b 4a54 5a57 7836 4d6d 5934 6130 4933 NkJTZWx6MmY4a0I3
0x0550: 6454 6478 556d 6734 546b 4a6f 4b32 704a dTdxUmg4TkJoK2pJ
0x0560: 51*0a* 3c31 333e 3120 3230 3230 2d30 Q.<13>1.2020-0
13:19:34.689926 IP 10.x.y.z.49938 > 10.a.b.c.2514: Flags [.], seq
5404:6742, ack 1, win 502, options [nop,nop,TS val 2066170096 ecr
1503586084], length 1338
0x0000: 4500 056e 1f64 4000 3c06 d2b2 0a67 1982 E..n.d@.<....g..
0x0010: 0a01 198a c312 09d2 f6f5 ddac 769b fcaf ............v...
0x0020: 8010 01f6 6d15 0000 0101 080a 7b27 40f0 ....m.......{'@.
0x0030: 599e e724 392d 3033 5431 333a 3139 3a33 Y..$9-03T13:19:3
0x0040: 342e 3638 3532 3535 2b30 303a 3030 2068 4.685255+00:00.h
What else to check?
Peter
On Fri, Sep 18, 2020 at 10:03 AM Rainer Gerhards <rgerhards@hq.adiscon.com>
wrote:
> mhhh... when rsyslog forwards, it should add an \n AFTER the message.
> Can you check what is outgoing (e.g. via Wireshark)? If the LF is
> missing, can you post the client's config (and maybe a debug log)?
>
> Rainer
>
> El vie., 18 sept. 2020 a las 9:56, Peter Viskup
> (<skupko.sk@gmail.com>) escribió:
> >
> > Hi Rainer,
> > confirm it is related to messages not having LF on the end.
> > Problem is reported on the second syslog relay. It is caused by messages
> being split on the first row relay due to exceeding size limit. The first
> part of the splitted message is not terminated with LF. Both relays use the
> same size limit for received messages, therefore all the messages reported
> on relay2 start with <PRI>.
> >
> > Is there any possibility to let rsyslog add the LF on the end of the
> message once splitted?
> > Thank you.
> >
> > --
> > Peter
> >
> > On Tue, Sep 8, 2020 at 10:07 AM Rainer Gerhards <
> rgerhards@hq.adiscon.com> wrote:
> >>
> >> This smells like incorrect framing (no LF at end of message).
> >>
> >> Rainer
> >>
> >> El mar., 8 sept. 2020 a las 9:48, Peter Viskup via rsyslog
> >> (<rsyslog@lists.adiscon.com>) escribió:
> >> >
> >> > Getting following strange messages on our syslog servers:
> >> >
> >> >
> >> > Sep 8 06:02:03 syslog01 rsyslogd: imptcp bo-t: message received is at
> >> > least 2001 byte larger than max msg size; message will be split
> starting
> >> > at: " <13>1 2020-09-08T06:02:03.25764" [v8.1901.0]
> >> >
> >> >
> >> > Not getting them all the time.
> >> >
> >> > Any idea what could be causing this?
> >> >
> >> > Thank you.
> >> >
> >> >
> >> > --
> >> >
> >> > Peter
> >> > _______________________________________________
> >> > rsyslog mailing list
> >> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> >> > http://www.rsyslog.com/professional-services/
> >> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> you DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow
https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.