Mailing List Archive

messages are truncated after "-"
Hi Experts

I encountered strange behavior: rsyslog truncates the message after "-".
The log message sent from the Juniper SRX firewall looks like this. (I confirmed it with tcpdump)

2021-04-23T21:30:00.111.+00:00 SRX-HOSTNAME RT_FLOW - RT_FLOW_SESSION_CREATE [junos@~~~

But in the log file, I only got

Apr 23 21:30:00 SRX-HOSTNAME RT_FLOW


I thought the wrong template was applied, so I added the following

$template srxlog,"%msg%\n"
:&fromhost-ip, isequal, SRX-IP, /var/log/SRX-HOSTNAME.log

But the result was that empty lines were logged to the file.

Can anyone help with this situation?
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: messages are truncated after "-"
please log a message with the template RSYSLOG_DebugFormat so we can see the raw
message and how it's parsed.

David Lang

On Mon, 26 Apr 2021, ca--- via rsyslog wrote:

> Date: Mon, 26 Apr 2021 11:07:07 +0900
> From: ca--- via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: ca@a-1.win
> Subject: [rsyslog] messages are truncated after "-"
Re: messages are truncated after "-"
Thank you!!

With the RSYSLOG_DebugFormat template, I got the following.

Debug line with all properties:
FROMHOST: '10.x.x.x'
fromhost-ip: '10.x.x.x'
HOSTNAME: 'SRX-Hostname'
PRI: 14,
syslogtag 'RT_FLOW'
programname: 'RT_FLOW'
APP-NAME: 'RT_FLOW'
PROCID: '-'
MSGID: 'RT_FLOW_SESSION_CREATE',
TIMESTAMP: 'Apr 26 11:00:00'
STRUCTURED-DATA: '[junos@2636.1.1.1.2.135 source-address=~(snipped)]',
msg: ''
escaped msg: ''

Applying a custom template (below) gave correct logs.
$template srxlog,"%TIMESTAMP% %FROMHOST% %HOSTNAME% %APP-NAME% %MSGID% %STRUCTURED-DATA%\n"


Thank you!

Re: messages are truncated after "-"
you cut out the parts that we need to see to understand what's happening.

we need the rawmsg field that you trimmed off.

David Lang

On Mon, 26 Apr 2021, ca@a-1.win wrote:

> Date: Mon, 26 Apr 2021 16:49:06 +0900
> From: ca@a-1.win
> To: David Lang <david@lang.hm>
> Cc: ca--- via rsyslog <rsyslog@lists.adiscon.com>, ca@a-1.win
> Subject: Re: Re: [rsyslog] messages are truncated after "-"
Re: messages are truncated after "-"
Sorry for the late reply. The rawmsg was like this.

rawmsg: '<14>1 2021-04-26T11:26:31.523+08:00 SRX340-01 RT_FLOW - RT_FLOW_SESSION_CREATE [.junos@2636.1.1.1.2.135 source-address="10.x.x.x" source-port="50721" destination-address="202.x.x.x" destination-port="443" connection-tag="0" service-name="junos-https" nat-source-address="x.x.x.x" nat-source-port="57037" nat-destination-address="202.x.x.x" nat-destination-port="443" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="source-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="175626" username="N/A" roles="N/A" packet-incoming-interface="reth1.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" src-vrf-grp="N/A" dst-vrf-grp="N/A"]'
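
Why `%msg%` came out empty, as an added example that is not part of the thread and not rsyslog's own code: a minimal RFC 5424 splitter run on a constructed line shaped like the rawmsg above. In RFC 5424 the optional MSG part follows STRUCTURED-DATA, and here the whole flow record sits inside STRUCTURED-DATA with nothing after it. The names `parse_rfc5424` and `split_sd` and the sample addresses are chosen here for illustration.

```python
import re

# Constructed samples: the first mirrors the shape of the rawmsg above
# (documentation addresses), the second adds a MSG part and an escaped "]".
SAMPLE = ('<14>1 2021-04-26T11:26:31.523+08:00 SRX340-01 RT_FLOW - '
          'RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.135 '
          'source-address="192.0.2.10" destination-port="443" '
          'policy-name="trust-to-untrust"]')
WITH_MSG = '<14>1 2021-04-26T11:26:31Z host app - ID1 [x@1 note="a \\] b"] free text'

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
HEADER = re.compile(r'<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ')
PARAM = re.compile(r'([^\s="\]]+)="((?:\\.|[^"\\])*)"')

def split_sd(rest):
    """Split the text after MSGID into (STRUCTURED-DATA, MSG)."""
    if rest.startswith('-'):                 # NILVALUE: no structured data
        return '-', rest[2:]
    i, quoted = 0, False
    while i < len(rest):
        c = rest[i]
        if quoted and c == '\\':
            i += 1                           # skip the escaped character
        elif c == '"':
            quoted = not quoted
        elif c == ']' and not quoted and rest[i + 1:i + 2] != '[':
            return rest[:i + 1], rest[i + 2:]  # MSG is whatever follows "] "
        i += 1
    raise ValueError('unterminated STRUCTURED-DATA')

def parse_rfc5424(line):
    m = HEADER.match(line)
    if not m:
        raise ValueError('not an RFC 5424 header')
    pri, _version, ts, host, app, procid, msgid = m.groups()
    sd, msg = split_sd(line[m.end():])
    # Flat dict: parameters of all SD elements are merged (simplification).
    params = {k: re.sub(r'\\(["\\\]])', r'\1', v) for k, v in PARAM.findall(sd)}
    return {'facility': int(pri) >> 3, 'severity': int(pri) & 7,
            'timestamp': ts, 'hostname': host, 'app-name': app,
            'procid': procid, 'msgid': msgid, 'sd': sd,
            'params': params, 'msg': msg}

if __name__ == '__main__':
    rec = parse_rfc5424(SAMPLE)
    print('msg =', repr(rec['msg']))         # what a "%msg%\n" template writes
    print(rec['msgid'], rec['params'])
```

For detection or SIEM pipelines fed by SRX flow logs, the output template or field extraction therefore has to read STRUCTURED-DATA rather than the MSG property.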

