Mailing List Archive

Garbled logfile names from forwarded logs
I have a central logger (several of them) setup where multiple servers are
forwarding logs and am receiving unintelligible log names on the collector.

It appears the name of each file is parsed incorrectly. Here is an example:

-rw------- 1 root root 151 Feb 1 11:00 x64;.log
-rw------- 1 root root 104 Feb 1 11:00 utions.com_10514].log
-rw------- 1 root root 458 Feb 1 11:16 _ID="_d7b4a97eccdad22d3f8e69f01a28a9553bf97ef83e".log
-rw------- 1 root root 710 Feb 1 11:16 REASON="N.log
-rw------- 1 root root 384 Feb 1 11:17 com".log
-rw------- 1 root root 1382 Feb 1 11:17 ONID=_d7b4a97eccdad22d3f8e69f01a28a9553bf97ef83e.log

Can anyone provide some guidance on how I clean up these names and make
them useful?

thanks,

*Scott Slattery*

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Garbled logfile names from forwarded logs
It depends a bit on your template. I assume that you use the hostname
property. This is populated by the syslog header HOSTNAME field.
Unfortunately many tools do not populate it properly (many even do not
create a valid header at all).

If there are no relays involved, you could instead use fromhost or
fromhost-ip property, which is the last hop we received the message
from. That goes back to IP header and DNS hostname resolution and as
such is valid (for names it is valid if the reverse resolution is
configured correctly).

HTH
Rainer

On Tue, 2 Feb 2021 at 18:35, Scott Slattery via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> I have a central logger (several of them) setup where multiple servers are
> forwarding logs and am receiving unintelligible log names on the collector.
>
> It appears the name of each file is parsed incorrectly. Here is an example:
>
> -rw------- 1 root root 151 Feb 1 11:00 x64;.log
> -rw------- 1 root root 104 Feb 1 11:00 utions.com_10514].log
> -rw------- 1 root root 458 Feb 1 11:16 _ID="_d7b4a97eccdad22d3f8e69f01a28a9553bf97ef83e".log
> -rw------- 1 root root 710 Feb 1 11:16 REASON="N.log
> -rw------- 1 root root 384 Feb 1 11:17 com".log
> -rw------- 1 root root 1382 Feb 1 11:17 ONID=_d7b4a97eccdad22d3f8e69f01a28a9553bf97ef83e.log
>
> Can anyone provide some guidance on how I clean up these names and make
> them useful?
>
> thanks,
>
> *Scott Slattery*
Re: Garbled logfile names from forwarded logs
Thanks Gerhards - can I apply a different template only to these servers
that are problematic only? All other servers where logs are collected from
are working fine and I don't want to disrupt or change their template.

*Scott Slattery*

*Sr. Systems & Cloud Architect*

*Cloud, Compute, Information & Architecture Team*

motorolasolutions.com

*O: 602.529.8226*

*E*: Scott.Slattery@MotorolaSolutions.com




On Wed, Feb 3, 2021 at 1:56 AM Rainer Gerhards <rgerhards@hq.adiscon.com>
wrote:

> It depends a bit on your template. I assume that you use the hostname
> property. This is populated by the syslog header HOSTNAME field.
> Unfortunately many tools do not populate it properly (many even do not
> create a valid header at all).
>
> If there are no relays involved, you could instead use fromhost or
> fromhost-ip property, which is the last hop we received the message
> from. That goes back to IP header and DNS hostname resolution and as
> such is valid (for names it is valid if the reverse resolution is
> configured correctly).
>
> HTH
> Rainer
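
Added example (not from the thread and not the rsyslog project's own configuration): a collector setup that keeps the %hostname%-based file name for senders whose headers parse correctly and switches only the listed senders to %fromhost-ip%, the property suggested in the reply above. The listener type and port, the ruleset and template names, the /var/log/remote path and the 192.0.2.x addresses are assumptions for illustration.

```rsyslog
# Assumption: senders connect over TCP to port 10514 on the collector.
module(load="imtcp")
input(type="imtcp" port="10514" ruleset="remote")

# File name built from the syslog header HOSTNAME field.
# That field is written by the sender, so a malformed header puts
# arbitrary message fragments into the file name (the garbled names
# shown in the first post). secpath-replace turns any "/" in the
# value into "_" so the value cannot add directory components.
template(name="PerHostname" type="string"
         string="/var/log/remote/%hostname:::secpath-replace%.log")

# File name built from the address of the last hop the message was
# received from. It does not depend on the sender's header, but it
# identifies the original host only when no relay sits in between.
template(name="PerSourceIP" type="string"
         string="/var/log/remote/%fromhost-ip%.log")

ruleset(name="remote") {
    # Constructed addresses standing in for the problematic senders.
    if ($fromhost-ip == "192.0.2.10" or $fromhost-ip == "192.0.2.11") then {
        action(type="omfile" dynaFile="PerSourceIP")
    } else {
        # All other senders keep the existing naming scheme.
        action(type="omfile" dynaFile="PerHostname")
    }
}
```

Running rsyslogd -N1 checks the configuration for syntax errors before the service is restarted.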