[rsyslog] more 5.1.3 errors

david at lang.hm david at lang.hm
Sat Aug 1 06:53:57 CEST 2009


I have the following in the config file

$template raw,"%rawmsg%\n%fromhost% %hostname% %syslogtag%\n\n\n"
if $fromhost == '192.168.210.216' then /var/log/scribe1a-p;raw
if $fromhost == '192.168.210.217' then /var/log/scribe1a-b;raw
if $fromhost == '192.168.210.219' then /var/log/scribe1b-p;raw
if $fromhost == '192.168.210.220' then /var/log/scribe1b-b;raw
if $fromhost == '192.168.210.222' then /var/log/scribe1c-p;raw
if $fromhost == '192.168.210.223' then /var/log/scribe1c-b;raw
if $fromhost == '192.168.210.245' then /var/log/scribe1d-p;raw


but if I do a tail of these files I get very weird results

I have some logs in the wrong files, and I have some of them where the
fromhost is in the hostname (and the hostname is in the syslogtag)

the second error seems fairly consistent with a given source,
unfortunately the worst offender is another rsyslog 5.1.3 box.

this first example shows the scribe1b boxes with the incorrect hostname
and system tag (scribe1b is the other rsyslog box, the one showing the
problem)

# tail scribe1*
==> scribe1a-b <==
<22>Jul 31 21:39:21 192.168.242.126 smelter v0.88.5[23535]: n714dL7N010869: unable to open S/MIME certificate '/var/spool/certs/chris.cournoyer at digitalinsight.com'

192.168.210.217 192.168.242.126 smelter


<22>Jul 31 21:39:21 192.168.242.126 smelter v0.88.5[23535]: n714dL7N010869: unable to add rcpt 'chris.cournoyer at digitalinsight.com' :: bad certificate

192.168.210.217 192.168.242.126 smelter



==> scribe1a-p <==
<13>Jul 31 21:39:01 scribe1a-p getprocs: 28 /proc/net/tcp=

192.168.210.216 192.168.210.216 scribe1a-p


<13>Jul 31 21:39:01 scribe1a-p getprocs: 138=9 /usr/sbin/apache=9 sleep 30=2 [pdflush]=2 /bin/bash /usr/local/bin/getprocs=1 [xfs_mru_cache]=1 [xfslogd/3]=1 [xfslogd/2]=1 [xfslogd/1]=1 [xfslogd/0]=1 [xfsdatad/3]=

192.168.210.216 192.168.210.216 scribe1a-p



==> scribe1b-b <==
<13>Aug  1 04:39:01 scribe1b-b getprocs: 133=9 sleep 30=3 /usr/sbin/argus -w /var/log/argus/argus.log -n /var/run/argus.pid=3 /bin/bash /usr/local/bin/getprocs=2 [xfssyncd]=2 [xfsbufd]=2 [xfsaild]=2 [pdflush]=1 uniq -c=1 sort -rn=1 ps ax=

192.168.210.220 192.168.210.220 scribe1b-b


<86>Aug  1 04:39:01 scribe1b-b CRON[21219]: pam_unix(cron:session): session closed for user root

192.168.210.220 192.168.210.220 scribe1b-b



==> scribe1b-p <==

<13>Aug  1 00:40:14 MSWinEventLog\0111\011Applicatio Aug 01 00:39:57 2009\0111008\011Perflib\011Unknown User\011N/A\011Error\011BANKINGPDC1\011None\0110000: 68 10 00 00 78 bf 94 01   ......  \011The Open Procedure for service "PerfDisk" in DLL "C:\WINNT\system32\perfdisk.dll" failed.   Performance data for this service will not be available. Status code   returned is data DWORD 0.  \01120258586192.168.210.219 192.168.210.219 MSWinEventLog\0111\011Applicatio


<29>Jul 31 21:39:21 methane1e-b plug-gw[10538]: disconnect host= /192.168.242.211 destination=179.50.100.127/11282 in=3274 out=1448 duration=0

192.168.210.219 192.168.210.219 methane1e-b



==> scribe1c-b <==

==> scribe1c-p <==
<131>Jul 31 21:39:20 10.202.0.252 auditd: date="Aug  1 04:39:20 2009 GMT",fac=f_wwwproxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=1013,ruid=0,euid=0,pgid=1013,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=warden1-p.diginsight.com,srcip=10.202.0.252,srcport=23865,srcburb=internal,dstip=10.21.48.30,dstport=80,dstburb=internal,protocol=6,bytes_written_to_client=0,bytes_written_to_server=0,service_name=httpp,status=conn_close,acl_id=Warden__Outbound-DEV-NET,cache_hit=1,request_status=0,start_time="Fri Jul 31 21:38:18 2009",netsessid=4a73c6ba0001d7d3

192.168.210.222 10.202.0.252 auditd:


<131>Jul 31 21:39:20 10.202.0.252 auditd: date="Aug  1 04:39:20 2009 GMT",fac=f_wwwproxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=1013,ruid=0,euid=0,pgid=1013,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=warden1-p.diginsight.com,srcip=10.202.0.252,srcport=23865,srcburb=internal,dstip=10.21.48.30,dstport=80,dstburb=internal,protocol=6,bytes_written_to_client=0,bytes_written_to_server=0,service_name=httpp,status=conn_close,acl_id=Warden__Outbound-DEV-NET,cache_hit=1,request_status=0,start_time="Fri Jul 31 21:38:18 2009",netsessid=4a73c6ba0001d7d3

192.168.210.222 10.202.0.252 auditd:



==> scribe1d-p <==
<175>Aug  1 00:39:22 172.20.254.6 ^A MSWinEventLog^I1^ISecurity^I343780120^IFri Jul 31 18:20:25 2009^I540^ISecurity^Idataman^IUser^ISuccess Audit^IOPSMON01^ILogon/Logoff^I^Idataman^I343777242

192.168.210.245 172.20.254.6 ^A


<175>Aug  1 00:39:22 172.20.254.6 ^A MSWinEventLog^I1^ISecurity^I343780121^IFri Jul 31 18:20:25 2009^I538^ISecurity^Idataman^IUser^ISuccess Audit^IOPSMON01^ILogon/Logoff^I^Idataman^I343777243

192.168.210.245 172.20.254.6 ^A



an example of the second problem is log entries like this

<29>Jul 31 21:33:39 methane1d-b plug-gw[13212]: connect host= /192.168.243.38 destination=179.50.100.130/11074

192.168.210.245 192.168.210.245 methane1d-b


the problem is that the log file on the .245 box (which logs *.* to
messages) doesn't show anything like this, and the methane1d-b box doesn't
have any networks in common with the .245 box



David Lang
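An added check (not from this post or from rsyslog itself) that parses files written with the "raw" template from the config above and flags the two symptoms the post describes: records whose fromhost is not the one the routing rule for that file expects, and records where the hostname field carries the sender IP while the hostname from the message header slid into the syslogtag. The sample records, the file-to-host table and the function names are constructed from the post.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of the poster's "raw" template:
#   %rawmsg%\n%fromhost% %hostname% %syslogtag%\n\n\n
SAMPLE_SCRIBE1D_P = (
    "<29>Jul 31 21:33:39 methane1d-b plug-gw[13212]: connect host= /192.168.243.38\n"
    "192.168.210.245 192.168.210.245 methane1d-b\n\n\n"
    "<13>Aug  1 04:39:01 scribe1d-p getprocs: 28 /proc/net/tcp=\n"
    "192.168.210.245 scribe1d-p getprocs:\n\n\n"
    "<86>Aug  1 04:39:01 scribe1b-b CRON[21219]: session closed for user root\n"
    "192.168.210.220 scribe1b-b CRON[21219]:\n\n\n"
)

# Output file -> expected $fromhost, taken from the poster's routing rules.
EXPECTED_FROMHOST = {"/var/log/scribe1d-p": "192.168.210.245"}
# RFC 3164 header: <PRI>MMM dd HH:MM:SS HOST TAG ...  (dd may be " 1")
HEADER_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) (\S+)")
Record = namedtuple("Record", "rawmsg fromhost hostname syslogtag")

def parse_raw_template(text):
    # Each record is the rawmsg line, then the fromhost/hostname/syslogtag line;
    # blank lines inside a record (a rawmsg with a trailing newline) are skipped.
    records = []
    for chunk in text.split("\n\n\n"):
        lines = [ln for ln in chunk.split("\n") if ln.strip()]
        if len(lines) < 2:
            continue
        fields = lines[-1].split(" ", 2)
        if len(fields) == 3:
            records.append(Record(lines[0], *fields))
    return records

def check_record(rec, expected_fromhost):
    # Two symptoms from the post: wrong file, and fromhost in the hostname field.
    findings = []
    if expected_fromhost and rec.fromhost != expected_fromhost:
        findings.append(("misrouted", "fromhost %s, file expects %s" % (rec.fromhost, expected_fromhost)))
    m = HEADER_RE.match(rec.rawmsg)
    if m and rec.hostname == rec.fromhost and rec.hostname != m.group(1):
        findings.append(("shifted-hostname", "header host %s ended up in syslogtag %r" % (m.group(1), rec.syslogtag)))
    return findings

def audit_file(text, path):
    # Returns (rawmsg prefix, findings) for every record that fails a check.
    expected = EXPECTED_FROMHOST.get(path)
    checked = [(r.rawmsg[:40], check_record(r, expected)) for r in parse_raw_template(text)]
    return [c for c in checked if c[1]]
```

Run it over each routed file with its path as the key; an empty result means every record in that file came from the expected sender and has its hostname and syslogtag in the right fields.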


