[rsyslog] properties not getting filled in correctly

david at lang.hm david at lang.hm
Tue Mar 10 16:21:45 CET 2009


On Sat, 7 Mar 2009, Rainer Gerhards wrote:

> The messages indeed look ok. I'll feed them into my parser and will see what happens.

any idea what's happening here yet?

David Lang

> rainer
>
> ----- Original Message -----
> From: "david at lang.hm" <david at lang.hm>
> To: "rsyslog-users" <rsyslog at lists.adiscon.com>
> Sent: 07.03.09 02:20
> Subject: Re: [rsyslog] properties not getting filled in correctly
>
> On Fri, 6 Mar 2009, Rainer Gerhards wrote:
>
>> That's why I am after the log samples :) I just termed a new acronym
>> this afternoon:
>> YAMSF - yet another malformed syslog format ;)
>>
>> http://blog.gerhards.net/2009/02/calling-for-log-samples.html
>>
>> I try hard to get the fields right, but often this is impossible,
>> resulting in the issues you see.
>
> these logs come from several different servers, including different OSs, 
> but all are misparsed by rsyslog.
>
> I am not seeing anything obviously wrong with them.
>
> <167>Mar  6 16:57:54 172.20.245.8 %PIX-7-710005: UDP request discarded from SERVER1/2741 to test_app:255.255.255.255/61601 
> <29>Mar  6 16:57:54 methane1d-b plug-gw[25213]: connect host= /192.168.243.37 destination=179.50.100.130/60029 
> <29>Mar  6 16:57:54 methane1a-b plug-gw[29368]: disconnect host= /192.168.242.119 destination=179.50.100.52/14733 in=357 out=71 duration=1 
> <29>Mar  6 16:57:54 happy1-b plug-gw[30259]: connect host= /192.168.22.8 destination=192.168.104.31/5667 
> <22>Mar  6 16:57:54 192.168.242.66 sendmail[13328]: n270vrSH013326: to=<blah at HOTMAIL.COM>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=37052, relay=mx1.hotmail.com. [65.54.244.8], dsn=2.0.0, stat=Sent ( <200903070057.n270vrL174106 at w31.diginsite.com> Queued mail for delivery) 
> <29>Mar  6 16:57:54 corpmail1-p netacl[3839]: permit host= /10.201.7.120 service=telnetd execute=/usr/local/etc/tn-gw
>
> David Lang
>
>> Rainer
>>
>>> -----Original Message-----
>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>>> bounces at lists.adiscon.com] On Behalf Of david at lang.hm
>>> Sent: Friday, March 06, 2009 7:54 PM
>>> To: rsyslog-users
>>> Subject: Re: [rsyslog] properties not getting filled in correctly
>>>
>>> On Fri, 6 Mar 2009, david at lang.hm wrote:
>>>
>>>> I'm running into problems trying to do filtering. It looks as if the
>>>> log parsing is not properly filling in the properties.
>>>>
>>>> What I've run into so far:
>>>>
>>>> when I use the property 'programname', the content that I see is what
>>>> I would expect in 'hostname'
>>>>
>>>> when I use the property 'hostname', the content that I see is what I
>>>> would expect in 'fromhost'
>>>>
>>>> I haven't checked all the other properties, but my guess is that
>>>> somehow rsyslog is off-by-one in filling them in.
>>>
>>> having said this, date, fromhost, and from-ip appear to be filled in
>>> correctly.
>>>
>>> David Lang
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com
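The log lines quoted in the thread are legacy BSD-style syslog messages. As an added illustration (not code from the thread or from rsyslog itself), the parser below extracts rsyslog-style properties from shortened copies of those samples and, via a flag, models what happens when a parser concludes the HOST field is absent: hostname takes the sender address and programname takes the real hostname, the one-field shift David describes. The sender address FROMHOST is a constructed assumption, and the flag is a teaching device, not a description of rsyslog's real hostname heuristic.

```python
import re

# Samples shortened from the thread's own log lines; FROMHOST is a constructed
# sender address, since the mail does not show the relay's view of the source.
SAMPLES = [
    "<167>Mar  6 16:57:54 172.20.245.8 %PIX-7-710005: UDP request discarded from SERVER1/2741 to test_app:255.255.255.255/61601",
    "<29>Mar  6 16:57:54 methane1d-b plug-gw[25213]: connect host= /192.168.243.37 destination=179.50.100.130/60029",
    "<22>Mar  6 16:57:54 192.168.242.66 sendmail[13328]: n270vrSH013326: to=<blah at HOTMAIL.COM>, delay=00:00:01",
]
FROMHOST = "10.0.0.1"

# Legacy (RFC 3164 style) header: <PRI>Mmm dd HH:MM:SS HOST TAG[pid]: MSG
_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$", re.S)
# TAG ends at ':' or space; the bracketed PID is optional (the PIX line has none).
_TAG = re.compile(r"^(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:?\s*(?P<msg>.*)$", re.S)

def parse_bsd_syslog(line, fromhost, expect_hostname=True):
    """Return rsyslog-style properties for one legacy syslog line.

    expect_hostname=True consumes the HOST field after the timestamp.
    expect_hostname=False models a parser that decided HOST is absent
    (an illustration, not rsyslog's real heuristic): hostname becomes the
    sender address and the real HOST is read as the TAG, so every later
    property shifts one field to the left, as described in the thread.
    """
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a legacy syslog header: %r" % line[:40])
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7
        raise ValueError("PRI out of range: %d" % pri)
    rest = m.group("rest")
    if expect_hostname:
        hostname, _, rest = rest.partition(" ")
    else:
        hostname = fromhost
    t = _TAG.match(rest)
    prog, pid, msg = (t.group("prog"), t.group("pid"), t.group("msg")) if t else ("", None, rest)
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group("ts"),
            "fromhost": fromhost, "hostname": hostname,
            "programname": prog, "pid": pid, "msg": msg}

if __name__ == "__main__":
    for line in SAMPLES:
        ok = parse_bsd_syslog(line, FROMHOST)
        shifted = parse_bsd_syslog(line, FROMHOST, expect_hostname=False)
        print("correct: hostname=%s programname=%s | shifted: hostname=%s programname=%s"
              % (ok["hostname"], ok["programname"], shifted["hostname"], shifted["programname"]))
```

Running it prints, per sample, the correctly split properties next to the shifted ones, which is a quick way to check whether a filter on programname is actually seeing hostnames.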
