[Lognorm] Log normalization and the leading space
Davor Saric
davor.saric at srce.hr
Fri Apr 4 15:08:48 CEST 2014
On 04.04.2014 14:43, Rainer Gerhards wrote:
> I am CC'ing the rsyslog mailing list as the issue is more related to
> rsyslog and syslog in general. I suggest subscribing in order to
> receive follow-ups.
Subscribed :)
> I think the problem you see is based on the fact that RFC3164 - which is
> used to parse these types of messages - specifies that everything after
> the TAG is the message. Usually, messages have "TAG: mm", note the space
> before mm. This is where it stems from.
"sensitive information replaced"
OK, on the client with rsyslog v5, imfile writes to local5, and here is the
line in local5.log:
Mar 25 13:28:10 hostname apache-access: 123.456.789.000 - -
[25/Mar/2014:12:40:29 +0100]...
On the server with rsyslog v7, its own Apache logs are written with imfile to
local5, and the line is:
Apr 4 14:48:51 central apache-access: 111.222.333.444 - -
[04/Apr/2014:14:48:50 +0200]...
You can see that the space is present in both logs. But when writing rules
and templates, somehow the central rsyslog registers a space in the msg
property from these incoming logs but does not take the space from the msg
property when reading local logs, which are fetched with imfile...
Btw, the clients are CentOS 6 and Debian 7 with rsyslog v5, and the central
rsyslog is CentOS 6 with rsyslog v7 stable...
> In regard to lognorm rules, you can simply duplicate the entries with
> and without a space in front. It's a bit ugly, but a work-around you can
> use right now.
If this is normal and is not a bug, I already have two rules and
templates, one for incoming logs and one for the central server's local Apache
logs, so I have a workaround :)
With regards,
Davor Saric
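
As an added illustration (not part of the original message, and not rsyslog or liblognorm code): a simplified Python split of an RFC3164-style line that, as described in the quoted reply, treats everything after the TAG as the message, plus a rule that accepts msg with or without the leading space. The header regex, the ACCESS rule, the function names and the sample line are assumptions constructed for this example.

```python
import re

# Simplified RFC3164-style header (an assumption for this example, not rsyslog's parser).
# The pattern stops right after "TAG:" so that everything following it, including
# the separator space, ends up in msg.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[\d+\])?:(?P<msg>.*)$"
)

# Hypothetical rule for the start of an Apache access line; anchored at msg offset 0.
ACCESS = re.compile(
    r"(?P<clientip>\d{1,3}(?:\.\d{1,3}){3}) (?P<ident>\S+) (?P<user>\S+) "
    r"\[(?P<time>[^\]]+)\]"
)

def split_rfc3164(line):
    """Return (tag, msg) with msg kept exactly as it follows the TAG."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not an RFC3164-style line")
    return m.group("tag"), m.group("msg")

def match_strict(msg):
    """Rule written without a leading space: fails if msg starts with ' '."""
    m = ACCESS.match(msg)
    return m.groupdict() if m else None

def match_tolerant(msg):
    """One rule for both variants: drop at most one leading space, then match."""
    return match_strict(msg[1:] if msg.startswith(" ") else msg)

# Constructed sample line (192.0.2.10 is a documentation address).
SAMPLE = "Apr  4 14:48:51 central apache-access: 192.0.2.10 - - [04/Apr/2014:14:48:50 +0200]"

if __name__ == "__main__":
    tag, msg = split_rfc3164(SAMPLE)
    print(repr(tag), repr(msg))             # msg keeps the space after "TAG:"
    print(match_strict(msg))                # rule without leading space misses
    print(match_tolerant(msg))              # tolerant rule matches
    print(match_tolerant(msg.lstrip(" ")))  # variant without the space also matches
```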