[rsyslog] Weird problems when combining rsyslog 3 and 4
Rainer Gerhards
rgerhards at hq.adiscon.com
Fri Mar 27 22:38:06 CET 2009
These samples are enough, no need to disclose more. Single lines are sufficient, as long as they can repro the problem :)
rainer
----- Original Message -----
From: "Luis Fernando Muñoz Mejías" <Luis.Fernando.Munoz.Mejias at cern.ch>
To: "rsyslog-users" <rsyslog at lists.adiscon.com>
Sent: 27.03.09 19:23
Subject: Re: [rsyslog] Weird problems when combining rsyslog 3 and 4
Rainer,
> Can you send me an on-the-wire sample of those messages (I mean that are
> invalidly interpreted). I have now created the parser test suite and they
> would make a good addition, especially as I need to troubleshoot them ;)
>
> Rainer
Before disclosing enough data I have to ask for permission. I can tell
you that the last hop in this relay chain is using rsyslog v3, and that
the format I got (tcpdump dixit) for these messages is always like this:
<38>Mar 27 19:06:53 source_server sshd(pam_unix)[12750]: session opened for user foo by (uid=0)
And what gets actually logged for that is:
2009-03-27T19:06:53+01:00 last_hop_server source_server sshd(pam_unix)[12750]: session opened for user foo by (uid=0)
Then, last_hop_server becomes %hostname% and source_server becomes
%syslogtag%.
This last hop server is using rsyslog v3, so it seems to me I have to
instruct v4 that the input is coming in a non-default format.
Cheers.
--
Luis Fernando Muñoz Mejías
Luis.Fernando.Munoz.Mejias at cern.ch
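
Added example, not part of the original thread and not rsyslog's parser: a simplified RFC 3164-style header splitter run over the captured line quoted above and over a constructed relayed line that carries an extra host token, which reproduces the reported shift of hostname and tag. The relayed line is an assumption about what the v4 receiver sees (the thread does not show it), and the names parse_3164 and tag_looks_shifted are hypothetical.

```python
import re

# Simplified RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG MSG
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<tag>\S+) (?P<msg>.*)$"
)
# Usual tag shape: program name, optional [pid], trailing colon.
TAG_LIKE = re.compile(r"^[^\s\[\]:]+(\[\d+\])?:$")

# Line as captured with tcpdump in the message above.
CAPTURED = ("<38>Mar 27 19:06:53 source_server sshd(pam_unix)[12750]: "
            "session opened for user foo by (uid=0)")
# Constructed sample (assumption): a relay has put its own name in front.
RELAYED = ("<38>Mar 27 19:06:53 last_hop_server source_server "
           "sshd(pam_unix)[12750]: session opened for user foo by (uid=0)")


def parse_3164(line):
    """Split one line into PRI-derived values, timestamp, hostname, tag, msg."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not an RFC 3164-style line")
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,   # 38 -> 4 (auth)
        "severity": pri & 7,    # 38 -> 6 (info)
        "timestamp": m.group("ts"),
        "hostname": m.group("hostname"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


def tag_looks_shifted(fields):
    """Heuristic: the tag is not 'program[pid]:' but the first MSG word is."""
    first_word = fields["msg"].split(" ", 1)[0]
    return (TAG_LIKE.match(fields["tag"]) is None
            and TAG_LIKE.match(first_word) is not None)


if __name__ == "__main__":
    for name, line in (("captured", CAPTURED), ("relayed", RELAYED)):
        f = parse_3164(line)
        print(name, f["hostname"], f["tag"], tag_looks_shifted(f))
```

Run over stored records, the same heuristic can flag entries whose originating host has been pushed into the tag field, which matters when alerts or searches key on the hostname.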