[rsyslog-notify] Forum Thread: BlueCoat and Rsyslog:delimiter is not SP but has ASCII value - (Mode 'post')

Wed Apr 16 09:04:41 CEST 2014

User: sburgener 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24541#p24541

Message: 
----------
Hi at All

We are using rsyslog to connect Syslog-Messages from different Systems over
UDP and TCP. Most of the Services are working without Problems, but there
is one (BlueCoat ProxySG), which does not work as expected:

[code:3bfumr1x]
Apr 16 07:19:15 <server> rsyslogd: Framing Error in received
TCP message: delimiter is not SP but has ASCII value 46.
Apr 16 07:19:15 <server> rsyslogd: Framing Error in received
TCP message: delimiter is not SP but has ASCII value 41.
Apr 16 07:19:15 <server> rsyslogd: Framing Error in received
TCP message: delimiter is not SP but has ASCII value 45.
Apr 16 07:19:15 <server> rsyslogd: received oversize
message: size is 393301022 bytes, max msg size is 2048,
truncating...
Apr 16 07:20:00 <server> rsyslogd: Uncompression of a message
failed with return code -3 - 
[/code:3bfumr1x]

Our test-config looks like this

[code:3bfumr1x]
# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see
http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g.
via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by
rklogd)
#$ModLoad immark  # provides --MARK-- message capability
$ModLoad imudp    # Provides UDP syslog reception
$ModLoad imtcp    # Provides TCP syslog reception

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is
usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

$EscapeControlCharactersOnReceive off

$MaxMessageSize 64k

#### TEMPLATES ####

# log every host in its own directory
$template
RemoteHost,"/var/log/syslog/%fromhost%/%syslogfacility-text%.log"

#### RULES ####

# Local Logging
$RuleSet local
kern.*                                                                 
 /var/log/messages
*.info;mail.none;authpriv.none;cron.none             
/var/log/messages
authpriv.*                                                            
/var/log/secure
mail.*                                                                 
-/var/log/maillog
cron.*                                                                 
 /var/log/cron
*.emerg                                                               
*
uucp,news.crit                                                     
/var/log/spooler
local7.*                                                               
/var/log/boot.log

# use the local RuleSet as default if not specified otherwise
$DefaultRuleset local

# Remote Logging
$RuleSet remote
*.info;mail.none;authpriv.none;cron.none           
?RemoteHost
authpriv.*                                                          
?RemoteHost
mail.*                                                                
?RemoteHost
cron.*                                                                
?RemoteHost
uucp,news.crit                                                   
?RemoteHost
local6.*                                                              
?RemoteHost
local7.*                                                              
?RemoteHost
user.*                                                                
?RemoteHost

### Listeners
# bind ruleset to tcp/udp listener

$InputTCPServerBindRuleset remote
$InputTCPServerRun 514

$InputUDPServerBindRuleset remote
$UDPServerRun 514

[/code:3bfumr1x]

Is there a way to fix this? Any help would be great as we could not fix
that ourself.

Best regards