[rsyslog] more 5.1.3 errors (fwd)

Rainer Gerhards rgerhards at hq.adiscon.com
Thu Aug 20 11:06:42 CEST 2009


David, not analysed (not even read) the mail in detail, but shouldn't you
query fromhost-ip instead of fromhost?

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of david at lang.hm
> Sent: Thursday, August 20, 2009 11:05 AM
> To: rsyslog-users
> Subject: [rsyslog] more 5.1.3 errors (fwd)
> 
> re-sending
> 
> ---------- Forwarded message ----------
> Date: Fri, 31 Jul 2009 21:53:57 -0700 (PDT)
> From: david at lang.hm
> To: rsyslog-users <rsyslog at lists.adiscon.com>
> Subject: more 5.1.3 errors
> 
> I have the following in the config file
> 
> $template raw,"%rawmsg%\n%fromhost% %hostname% %syslogtag%\n\n\n"
> if $fromhost == '192.168.210.216' then /var/log/scribe1a-p;raw
> if $fromhost == '192.168.210.217' then /var/log/scribe1a-b;raw
> if $fromhost == '192.168.210.219' then /var/log/scribe1b-p;raw
> if $fromhost == '192.168.210.220' then /var/log/scribe1b-b;raw
> if $fromhost == '192.168.210.222' then /var/log/scribe1c-p;raw
> if $fromhost == '192.168.210.223' then /var/log/scribe1c-b;raw
> if $fromhost == '192.168.210.245' then /var/log/scribe1d-p;raw
> 
> 
> but if I do a tail of these files I get very weird results
> 
> I have some logs in the wrong files, and I have some of them where the
> fromhost is in the hostname (and the hostname is in the syslogtag)
> 
> the second error seems fairly consistent with a given source,
> unfortunately the worst offender is another rsyslog 5.1.3 box.
> 
> this first example shows the scribe1b boxes with the incorrect hostname
> and syslog tag (scribe1b is the other rsyslog box, the one showing the
> problem)
> 
> # tail scribe1*
> ==> scribe1a-b <==
> <22>Jul 31 21:39:21 192.168.242.126 smelter v0.88.5[23535]:
> n714dL7N010869:
> unable to open S/MIME certificate
> '/var/spool/certs/chris.cournoyer at digitalinsight.com'
> 
> 192.168.210.217 192.168.242.126 smelter
> 
> 
> <22>Jul 31 21:39:21 192.168.242.126 smelter v0.88.5[23535]:
> n714dL7N010869:
> unable to add rcpt 'chris.cournoyer at digitalinsight.com' :: bad
> certificate
> 
> 192.168.210.217 192.168.242.126 smelter
> 
> 
> 
> ==> scribe1a-p <==
> <13>Jul 31 21:39:01 scribe1a-p getprocs: 28 /proc/net/tcp=
> 
> 192.168.210.216 192.168.210.216 scribe1a-p
> 
> 
> <13>Jul 31 21:39:01 scribe1a-p getprocs: 138=9 /usr/sbin/apache=9 sleep
> 30=2
> [pdflush]=2 /bin/bash /usr/local/bin/getprocs=1 [xfs_mru_cache]=1
> [xfslogd/3]=1
> [xfslogd/2]=1 [xfslogd/1]=1 [xfslogd/0]=1 [xfsdatad/3]=
> 
> 192.168.210.216 192.168.210.216 scribe1a-p
> 
> 
> 
> ==> scribe1b-b <==
> <13>Aug  1 04:39:01 scribe1b-b getprocs: 133=9 sleep 30=3
> /usr/sbin/argus -w
> /var/log/argus/argus.log -n /var/run/argus.pid=3 /bin/bash
> /usr/local/bin/getprocs=2 [xfssyncd]=2 [xfsbufd]=2 [xfsaild]=2
> [pdflush]=1 uniq
> -c=1 sort -rn=1 ps ax=
> 
> 192.168.210.220 192.168.210.220 scribe1b-b
> 
> 
> <86>Aug  1 04:39:01 scribe1b-b CRON[21219]: pam_unix(cron:session):
> session
> closed for user root
> 
> 192.168.210.220 192.168.210.220 scribe1b-b
> 
> 
> 
> ==> scribe1b-p <==
> 
> <13>Aug  1 00:40:14 MSWinEventLog\0111\011Applicatio Aug 01 00:39:57
> 2009\0111008\011Perflib\011Unknown
> User\011N/A\011Error\011BANKINGPDC1\011None\0110000: 68 10 00 00 78 bf
> 94 01
> ......  \011The Open Procedure for service "PerfDisk" in DLL
> "C:\WINNT\system32\perfdisk.dll" failed.   Performance data for this
> service
> will not be available. Status code   returned is data DWORD 0.
> \01120258586192.168.210.219 192.168.210.219
> MSWinEventLog\0111\011Applicatio
> 
> 
> <29>Jul 31 21:39:21 methane1e-b plug-gw[10538]: disconnect host=
> /192.168.242.211 destination=179.50.100.127/11282 in=3274 out=1448
> duration=0
> 
> 192.168.210.219 192.168.210.219 methane1e-b
> 
> 
> 
> ==> scribe1c-b <==
> 
> ==> scribe1c-p <==
> <131>Jul 31 21:39:20 10.202.0.252 auditd: date="Aug  1 04:39:20 2009
> GMT",fac=f_wwwproxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major
> ,pid=1013,ruid=0,euid=0,pgid=1013,logid=0,cmd=httpp,domain=htpp,edomain
> =htpp,hostname=warden1-
> p.diginsight.com,srcip=10.202.0.252,srcport=23865,srcburb=internal,dsti
> p=10.21.48.30,dstport=80,dstburb=internal,protocol=6,bytes_written_to_c
> lient=0,bytes_written_to_server=0,service_name=httpp,status=conn_close,
> acl_id=Warden__Outbound-DEV-
> NET,cache_hit=1,request_status=0,start_time="Fri
> Jul 31 21:38:18 2009",netsessid=4a73c6ba0001d7d3
> 
> 192.168.210.222 10.202.0.252 auditd:
> 
> 
> <131>Jul 31 21:39:20 10.202.0.252 auditd: date="Aug  1 04:39:20 2009
> GMT",fac=f_wwwproxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major
> ,pid=1013,ruid=0,euid=0,pgid=1013,logid=0,cmd=httpp,domain=htpp,edomain
> =htpp,hostname=warden1-
> p.diginsight.com,srcip=10.202.0.252,srcport=23865,srcburb=internal,dsti
> p=10.21.48.30,dstport=80,dstburb=internal,protocol=6,bytes_written_to_c
> lient=0,bytes_written_to_server=0,service_name=httpp,status=conn_close,
> acl_id=Warden__Outbound-DEV-
> NET,cache_hit=1,request_status=0,start_time="Fri
> Jul 31 21:38:18 2009",netsessid=4a73c6ba0001d7d3
> 
> 192.168.210.222 10.202.0.252 auditd:
> 
> 
> 
> ==> scribe1d-p <==
> <175>Aug  1 00:39:22 172.20.254.6 ^A
> MSWinEventLog^I1^ISecurity^I343780120^IFri
> Jul 31 18:20:25 2009^I540^ISecurity^Idataman^IUser^ISuccess
> Audit^IOPSMON01^ILogon/Logoff^I^Idataman^I343777242
> 
> 192.168.210.245 172.20.254.6 ^A
> 
> 
> <175>Aug  1 00:39:22 172.20.254.6 ^A
> MSWinEventLog^I1^ISecurity^I343780121^IFri
> Jul 31 18:20:25 2009^I538^ISecurity^Idataman^IUser^ISuccess
> Audit^IOPSMON01^ILogon/Logoff^I^Idataman^I343777243
> 
> 192.168.210.245 172.20.254.6 ^A
> 
> 
> 
> an example of the second problem is log entries like this
> 
> <29>Jul 31 21:33:39 methane1d-b plug-gw[13212]: connect host=
> /192.168.243.38
> destination=179.50.100.130/11074
> 
> 192.168.210.245 192.168.210.245 methane1d-b
> 
> 
> the problem is that the log file on the .245 box (which logs *.* to
> messages) doesn't show anything like this, and the methane1d-b box
> doesn't have any networks in common with the .245 box
> 
> 
> 
> David Lang
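Rainer's hint is the crux: in rsyslog, %fromhost% is the DNS-resolved name of the peer that delivered the message, while %fromhost-ip% is its address, so comparing $fromhost against an IP literal only matches when resolution fails or is disabled. As an added example (not code from the thread or from rsyslog), the Python below reads files written by the thread's raw template, flags records whose fromhost is not the file's intended sender, and flags records where %hostname% disagrees with the hostname in the message header; the two sample files are constructed to resemble the thread's output.

```python
import re

# Expected sender IP per output file, mirroring two of the thread's filter rules.
EXPECTED = {
    "scribe1a-p": "192.168.210.216",
    "scribe1a-b": "192.168.210.217",
}

# BSD syslog header: <PRI>, timestamp, then the hostname the sender wrote into the message.
HEADER_RE = re.compile(r"^<\d{1,3}>\w{3} +\d{1,2} \d\d:\d\d:\d\d (\S+) ")

# Constructed sample in the template layout: rawmsg line, "fromhost hostname syslogtag"
# line, then blank separators. Not real captures from the thread.
SAMPLE = {
    "scribe1a-p": (
        "<13>Jul 31 21:39:01 scribe1a-p getprocs: 28 /proc/net/tcp=\n"
        "192.168.210.216 192.168.210.216 scribe1a-p\n\n\n"
    ),
    "scribe1a-b": (
        "<22>Jul 31 21:39:21 192.168.242.126 smelter v0.88.5[23535]: unable to open cert\n"
        "192.168.210.217 192.168.242.126 smelter\n\n\n"
        "<86>Aug  1 04:39:01 scribe1b-b CRON[21219]: session closed for user root\n"
        "192.168.210.220 192.168.210.220 scribe1b-b\n\n\n"
    ),
}


def parse_records(text):
    """Return (rawmsg, fromhost, hostname, syslogtag) tuples; assumes one-line raw messages."""
    lines, records, i = text.split("\n"), [], 0
    while i < len(lines) - 1:
        if not lines[i].strip():          # skip the template's blank separators
            i += 1
            continue
        props = lines[i + 1].split(" ", 2)
        props += [""] * (3 - len(props))  # tolerate an empty syslogtag
        records.append((lines[i], props[0], props[1], props[2]))
        i += 2
    return records


def audit(filename, text):
    """Return (kind, fromhost, hostname_in_header) findings for one output file."""
    expected, findings = EXPECTED[filename], []
    for raw, fromhost, hostname, _tag in parse_records(text):
        m = HEADER_RE.match(raw)
        in_header = m.group(1) if m else "?"
        if fromhost != expected:          # the rule matched a peer it was not written for
            findings.append(("misrouted", fromhost, in_header))
        if hostname != in_header:         # %hostname% was not taken from the message header
            findings.append(("hostname-mismatch", fromhost, in_header))
    return findings
```

Running audit over each file of SAMPLE reproduces both symptoms from the thread: a record from .220 landing in scribe1a-b, and %hostname% carrying the sender's IP instead of the header hostname.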
