[rsyslog] more 5.1.3 errors (fwd)

david at lang.hm
Thu Aug 20 11:51:04 CEST 2009


On Thu, 20 Aug 2009, Rainer Gerhards wrote:

> David,
>
> some more comments...
>
>> <175>Aug  1 00:39:22 172.20.254.6 ^A
>> MSWinEventLog^I1^ISecurity^I343780121^IFri
>> Jul 31 18:20:25 2009^I538^ISecurity^Idataman^IUser^ISuccess
>> Audit^IOPSMON01^ILogon/Logoff^I^Idataman^I343777243
>>
>> 192.168.210.245 172.20.254.6 ^A
>
> provided that 192.168.210.245 is the correct sender address as seen by the
> receiver (NAT?), this message looks good (^A actually is the tag, even though
> the sender has probably not intended it to be a tag...)

yes it is.

in retrospect I should have only shown bad messages. unfortunately I just
did a tail of all of the files, checked that they included errors and sent 
them all.

part of my reasoning was to show that I can't see any difference between 
messages that work and ones that don't.

>>
>>
>>
>> an example of the second problem is log entries like this
>>
>> <29>Jul 31 21:33:39 methane1d-b plug-gw[13212]: connect host=
>> /192.168.243.38
>> destination=179.50.100.130/11074
>>
>> 192.168.210.245 192.168.210.245 methane1d-b
>>
>>
>> the problem is that the log file on the .245 box (which log *.* to
>> messages)
>> don't show anything like this, and the methane1d-b box doesn't have any
>> networks in common with the .245 box
>
> I don't get any grip on this. Would it be possible to provide (privately)
> debug log files for this processing? I have really a hard time figuring out
> what's going on there, and I am not sure if some unprintable characters are
> part of the picture. Only the debug log will show me that...

I will see what I can do. I'm home sick for the rest of the week, so I 
don't know how much I'll be able to test anything.

David Lang
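
Added example, not part of the original thread and not rsyslog's own parser: a simplified RFC 3164-style split of the two messages quoted above, showing why `^A` ends up in the tag position and rendering control characters visibly so they can be spotted in the header fields. The tag-termination rule, the function names and the way the mail-wrapped lines are rejoined into single messages are assumptions.

```python
import re

# Simplified legacy (RFC 3164-style) layout: <PRI>Mmm dd hh:mm:ss HOST TAG MSG
HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)",
    re.DOTALL,
)

# Constructed from the caret notation in the post (^A = 0x01, ^I = tab);
# how the mail-wrapped lines are rejoined is an assumption.
SAMPLE_WINDOWS = (
    "<175>Aug  1 00:39:22 172.20.254.6 \x01 MSWinEventLog\t1\tSecurity\t343780121"
    "\tFri Jul 31 18:20:25 2009\t538\tSecurity\tdataman\tUser\tSuccess Audit"
    "\tOPSMON01\tLogon/Logoff\t\tdataman\t343777243"
)
SAMPLE_PLUGGW = (
    "<29>Jul 31 21:33:39 methane1d-b plug-gw[13212]: connect "
    "host=/192.168.243.38 destination=179.50.100.130/11074"
)

def visible(text):
    """Show control characters in caret notation (0x01 -> ^A, tab -> ^I)."""
    return "".join("^" + chr(ord(c) + 64) if ord(c) < 32 else c for c in text)

def split_legacy(raw):
    """Split one raw message into header fields; None if it does not match."""
    m = HEADER.match(raw)
    if m is None:
        return None
    pri, host, rest = int(m["pri"]), m["host"], m["rest"]
    # Assumption: the tag ends at the first space, ':' or '['.
    tag = re.split(r"[ :\[]", rest, maxsplit=1)[0]
    return {
        "facility": pri >> 3,          # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m["ts"],
        "host": visible(host),
        "tag": visible(tag),
        "msg": visible(rest[len(tag):]),
        # Flag control bytes in the header fields, where they are unexpected.
        "ctrl_in_header": any(ord(c) < 32 for c in host + tag),
    }

if __name__ == "__main__":
    for sample in (SAMPLE_WINDOWS, SAMPLE_PLUGGW):
        print(split_legacy(sample))
```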


