[rsyslog-notify] Forum Thread: v7.4.9 - Config Help/Complete Documentation - (Mode 'post')
noreply at adiscon.com
noreply at adiscon.com
Thu Feb 6 19:22:13 CET 2014
User: tonyd
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24190#p24190
Message:
----------
Hello,
I am having a great deal of difficulty getting rsyslog configured (outside
of the vanilla config on a new install). When I attempt to find concise
and complete documentation on the rsyslog.com website, I instead find bits
and pieces with no real coherency. I understand rsyslog is quite powerful
and as such, many of the Linux distros are adopting it as the default.
However, they too are not providing any meaningful documentation. Or am I
missing the link? Please forgive my frustration, but am quite so. One
really should not have to fight with it's logging....
I have 50 servers in my datacenter running FreeBSD/CentOS/Ubuntu. Most
have legacy syslogd or syslog-ng. The newer servers are using rsyslog.
I am attempting to migrate many servers services to Virtual Machines and
restructure my centralized logging. Ultimately using something like
Logstash/Elastisearch/Kibana for log visualization and analysis. I've
rolled my own log file(s) tailer and filtering using RoR for my Tech
Support Department.
I have a simple example which I cannot get to work and am unable to find
"documentation" to clear up what I may be doing wrong. Perhaps someone
would correct me or steer me in the write direction. I'm inches from
dumping rsyslog for syslog-ng which always works, while granted may not
drive the bus or fly the space shuttle but gets the job done.
I have tried running rsyslog in debug mode but I'm not able to decipher
anything meaningful to identify a problem. I have tried to attach the
results of the rsyslog debug, however, continue to get "The extension is
not allowed." regardless of file name or description. Regarding the config
expression syntax, I've tried $fromhost, $fromip, and $msg contains 'xyz'.
Every time rsyslogd -f /etc/rsyslog.conf -N1 validates successfully! In
addition, when I restart the rsyslogd daemon, it does not create the
file(s) in the log dir as per the config file. Again, am I missing
something? I've got earlier versions of rsyslog that do create the log
file.
There is one exception: log information from 216-xx-xx-59.mydomain.net is
making it's way into /var/log/vm1.log. How is it different? I see data
coming from other sources via the tcpdump.
System (Installed per <!-- m --><a class="postlink"
href="http://www.rsyslog.com/rhelcentos-rpms/">http://www.rsyslog.com/rhelcentos-rpms/</a><!--
m -->) Added rsyslog.repo, yum update, yum install ...
[code:1prpr0qs]
[root at syslog1 log]# cat /etc/issue
CentOS release 6.5 (Final)
Kernel \r on an \m
[root at syslog1 log]# uname -ar
Linux syslog1.mydomain.net 2.6.32-431.el6.x86_64 #1
SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root at syslog1 log]# rsyslogd -v
rsyslogd 7.4.9, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: No
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
Runtime Instrumentation (slow code): No
uuid support: Yes
See http://www.rsyslog.com for more information.
[/code:1prpr0qs]
Config (BTW - pieced together from here <!-- m --><a class="postlink"
href="http://wiki.rsyslog.com/index.php/Rsyslog_v7_configuration_example_(with_mysql_or_mongodb">http://wiki.rsyslog.com/index.php/Rsysl
... or_mongodb</a><!-- m -->)
[code:1prpr0qs][root at syslog1 log]# cat /etc/rsyslog.conf
# rsyslog configuration file (for Red Hat-based systems)
# note that most of this config file uses old-style format,
# because it is well-known AND quite suitable for simple cases
# like we have with the default config. For more advanced
# things, RainerScript configuration is suggested.
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see
http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
module(load="imuxsock") # provides support for local system logging
(e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done
by rklogd)
#module(load"immark") # provides --MARK-- message capability
#module(load="mmjsonparse") #for parsing CEE-enhanced syslog messages
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
#### GLOBAL DIRECTIVES ####
$umask 0000
#$AllowedSender UDP, 127.0.0.1, 192.168.1.0/24,
192.168.10.0/24, 10.0.0.0/8
#$AllowedSender TCP, 127.0.0.1, 192.168.1.0/24,
192.168.10.0/24, 10.0.0.0/8
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Reduce any duplicates
$RepeatedMsgReduction on
# File syncing capability is disabled by default. This feature is
usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### TEMPLATES ####
template(name="FileFormat" type="list") {
property(name="timegenerated" dateFormat="rfc3339")
constant(value=" ")
property(name="syslogseverity-text")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="syslogtag")
constant(value=" ")
property(name="msg" spifno1stsp="on" )
property(name="msg" droplastlf="on" )
constant(value="\n")
}
#### FILTERS ####
if ($fromip == '10.0.80.6') then
action(type="omfile" file="/var/log/mr1.wilhoit.log"
FileCreateMode="0644")
& stop
if ($fromhost == '216-xx-xx-59.mydomain.net') then
action(type="omfile" file="/var/log/vm1.log")
& stop
if ($fromhost == 'nn-prov1.pvdc') then
action(type="omfile" file="/var/log/expedienceAAA.log"
FileCreateMode="0644")
& stop
# All other remote logging goes to 'other'
if ( $inputname == 'imudp' or
$inputname == 'imtcp' ) then
action(type="omfile" file="/var/log/other.log" FileCreateMode="0644")
& stop
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none
/var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.*
/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg
:omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit
/var/log/spooler
# Save boot messages also to boot.log
local7.*
/var/log/boot.log
[/code:1prpr0qs]
[code:1prpr0qs]
[root at syslog1 log]# tail -f /var/log/vm1.log
Feb 6 10:10:52 vm1 snmpd[1481]: Connection from
UDP:
[216.xx.x.11]:53093->[10.3.20.20]
Feb 6 10:10:52 vm1 snmpd[1481]: Connection from
UDP:
[216.xx.x.11]:53093->[10.3.20.20]
Feb 6 10:10:53 vm1 snmpd[1481]: Connection from
UDP:
[216.xx.x.11]:56034->[10.3.20.20]
Feb 6 10:11:53 vm1 snmpd[1481]: Connection from
UDP:
[216.xx.x.11]:58669->[10.3.20.20]
Feb 6 10:11:53 vm1 snmpd[1481]: Connection from
UDP:
[216.xx.x.11]:58669->[10.3.20.20]
Feb 6 10:11:53 vm1 snmpd[1481]: Connection from
UDP:
[216.xx.x.11]:51400->[10.3.20.20]
Feb 6 10:12:34 vm1 sshd[27042]: Did not receive
identification string from 10.0.0.25
Feb 6 10:12:54 vm1 snmpd[1481]: Connection from
UDP:
[216.xx.x.11]:49856->[10.3.20.20]
Feb 6 10:12:54 vm1 snmpd[1481]: Connection from
UDP:
[216.xx.x.11]:49856->[10.3.20.20]
Feb 6 10:12:54 vm1 snmpd[1481]: Connection from
UDP:
[216.xx.x.11]:53018->[10.3.20.20]
[/code:1prpr0qs]
Similar syntax tried with no success
[code:1prpr0qs]
if ($msg contains '10.0.80.6') {
*.* action(type="omfile" file="/var/log/mr1.wilhoit.log"
FileCreateMode="0644")
}
if ($fromhost == '216-xx-xx-59.mydomain.net') {
*.* action(type="omfile" file="/var/log/vm1.log")
}
if ($fromhost == 'nn-prov1.pvdc') {
*.* action(type="omfile" file="/var/log/expedienceAAA.log"
FileCreateMode="0644")
}
# All other remote logging goes to 'other'
if ( $inputname == 'imudp' or
$inputname == 'imtcp' ) {
*.* action(type="omfile" file="/var/log/other.log"
FileCreateMode="0644")
}
[/code:1prpr0qs]
[code:1prpr0qs]
[root at syslog1 log]# ll
total 3988
-rw-------. 1 root root 4459 Feb 2 19:25
anaconda.ifcfg.log
-rw-------. 1 root root 20471 Feb 2 19:25 anaconda.log
-rw-------. 1 root root 140780 Feb 2 19:25
anaconda.program.log
-rw-------. 1 root root 114089 Feb 2 19:25
anaconda.storage.log
-rw-------. 1 root root 39795 Feb 2 19:25 anaconda.syslog
-rw-------. 1 root root 57085 Feb 2 19:25 anaconda.xlog
-rw-------. 1 root root 77616 Feb 2 19:25
anaconda.yum.log
drwxr-x---. 2 root root 4096 Feb 2 19:30 audit
-rw-r--r--. 2 root root 2394 Feb 2 19:34 boot.log
-rw-------. 1 root utmp 1152 Feb 3 23:44 btmp
drwxr-xr-x. 2 root root 4096 Feb 2 19:30 ConsoleKit
-rw-------. 1 root root 204508 Feb 6 03:01 cron
drwxr-xr-x. 2 lp sys 4096 Aug 17 03:21 cups
-rw-r--r--. 1 root root 20448 Feb 2 19:34 dmesg
-rw-r--r--. 1 root root 20373 Feb 2 19:29 dmesg.old
-rw-r--r--. 1 root root 327598 Feb 2 19:39 dracut.log
-rw-r--r--. 1 root root 4158 Feb 6 03:12
expedienceAAA.log
drwx------. 2 root root 4096 Aug 13 10:30 httpd
-rw-r--r--. 1 root root 146292 Feb 3 23:47 lastlog
-rw-------. 1 root root 328366 Feb 6 02:42 maillog
-rw-------. 1 root root 1337329 Feb 6 03:13 messages
-rw-r--r--. 1 root root 0 Feb 4 00:03
mr1.wilhoit.log
drwxr-xr-x. 2 ntp ntp 4096 Nov 23 11:21 ntpstats
drwxr-xr-x. 2 root root 4096 Feb 2 20:48 prelink
drwxr-xr-x. 2 root root 4096 Feb 6 00:00 sa
drwx------. 3 root root 4096 Dec 9 17:52 samba
-rw-------. 1 root root 206069 Feb 6 02:42 secure
-rw-------. 1 root root 0 Feb 2 19:20 spooler
drwxr-x---. 2 root root 4096 Jan 6 02:12 sssd
-rw-------. 1 root root 0 Feb 2 19:18 tallylog
drwxr-xr-x. 2 tomcat root 4096 Feb 2 19:22 tomcat6
-rw-r--r--. 1 root root 1030956 Feb 6 03:12 vm1.log
-rw-rw-r--. 1 root utmp 12672 Feb 3 23:47 wtmp
-rw-------. 1 root root 4027 Feb 2 20:24 yum.log
[/code:1prpr0qs]
[code:1prpr0qs]
03:29:46.339807 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 83)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 55
Facility syslog (5), Severity info (6)
Msg: Feb 6 17:37:46 Wilhoit log action changed by tonyd
0x0000: 3c34 363e 4665 6220 2036 2031 373a 3337
0x0010: 3a34 3620 5769 6c68 6f69 7420 6c6f 6720
0x0020: 6163 7469 6f6e 2063 6861 6e67 6564 2062
0x0030: 7920 746f 6e79 64
03:29:48.375723 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 102)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 74
Facility syslog (5), Severity debug (7)
Msg: Feb 6 17:37:48 Wilhoit RECV: Hello <-
10.0.80.5 on vlan11 (10.0.80.6)
0x0000: 3c34 373e 4665 6220 2036 2031 373a 3337
0x0010: 3a34 3820 5769 6c68 6f69 7420 5245 4356
0x0020: 3a20 4865 6c6c 6f20 3c2d 2031 302e 302e
0x0030: 3830 2e35 206f 6e20 766c 616e 3131 2028
0x0040: 3130 2e30 2e38 302e 3629
03:29:48.375778 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 63)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 35
Facility syslog (5), Severity debug (7)
Msg: Feb 6 17:37:48 Wilhoit PACKET:
0x0000: 3c34 373e 4665 6220 2036 2031 373a 3337
0x0010: 3a34 3820 5769 6c68 6f69 7420 5041 434b
0x0020: 4554 3a
03:29:48.375838 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 107)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 79
Facility syslog (5), Severity debug (7)
Msg: Feb 6 17:37:48 Wilhoit 45 C0 00 50 14 FD 00 00 01
59 69 8E 0A 00 50 05
0x0000: 3c34 373e 4665 6220 2036 2031 373a 3337
0x0010: 3a34 3820 5769 6c68 6f69 7420 2020 2020
0x0020: 3435 2043 3020 3030 2035 3020 3134 2046
0x0030: 4420 3030 2030 3020 3031 2035 3920 3639
0x0040: 2038 4520 3041 2030 3020 3530 2030 35
03:29:48.375870 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 107)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 79
Facility syslog (5), Severity debug (7)
Msg: Feb 6 17:37:48 Wilhoit E0 00 00 05 02 01 00 30 02
02 02 02 00 00 00 01
0x0000: 3c34 373e 4665 6220 2036 2031 373a 3337
0x0010: 3a34 3820 5769 6c68 6f69 7420 2020 2020
0x0020: 4530 2030 3020 3030 2030 3520 3032 2030
0x0030: 3120 3030 2033 3020 3032 2030 3220 3032
0x0040: 2030 3220 3030 2030 3020 3030 2030 31
03:29:48.375895 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 107)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 79
Facility syslog (5), Severity debug (7)
Msg: Feb 6 17:37:48 Wilhoit 28 3B 00 00 00 00 00 00 00
00 00 00 FF FF FF FC
0x0000: 3c34 373e 4665 6220 2036 2031 373a 3337
0x0010: 3a34 3820 5769 6c68 6f69 7420 2020 2020
0x0020: 3238 2033 4220 3030 2030 3020 3030 2030
0x0030: 3020 3030 2030 3020 3030 2030 3020 3030
0x0040: 2030 3020 4646 2046 4620 4646 2046 43
03:29:48.375916 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 107)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 79
Facility syslog (5), Severity debug (7)
Msg: Feb 6 17:37:48 Wilhoit 00 0A 12 01 00 00 00 28 0A
00 50 06 0A 00 50 05
0x0000: 3c34 373e 4665 6220 2036 2031 373a 3337
0x0010: 3a34 3820 5769 6c68 6f69 7420 2020 2020
0x0020: 3030 2030 4120 3132 2030 3120 3030 2030
0x0030: 3020 3030 2032 3820 3041 2030 3020 3530
0x0040: 2030 3620 3041 2030 3020 3530 2030 35
03:29:48.375929 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 107)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 79
Facility syslog (5), Severity debug (7)
Msg: Feb 6 17:37:48 Wilhoit 0A 02 01 51 FF F6 00 03 00
01 00 04 00 00 00 01
0x0000: 3c34 373e 4665 6220 2036 2031 373a 3337
0x0010: 3a34 3820 5769 6c68 6f69 7420 2020 2020
0x0020: 3041 2030 3220 3031 2035 3120 4646 2046
0x0030: 3620 3030 2030 3320 3030 2030 3120 3030
0x0040: 2030 3420 3030 2030 3020 3030 2030 31
03:29:48.375985 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 79)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 51
Facility syslog (5), Severity debug (7)
Msg: Feb 6 17:37:48 Wilhoit received options: E|R
0x0000: 3c34 373e 4665 6220 2036 2031 373a 3337
0x0010: 3a34 3820 5769 6c68 6f69 7420 2020 7265
0x0020: 6365 6976 6564 206f 7074 696f 6e73 3a20
0x0030: 457c 52
03:29:49.212248 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 102)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 74
Facility syslog (5), Severity debug (7)
Msg: Feb 6 17:37:49 Wilhoit SEND: Hello
10.30.0.37 -> 224.0.0.5 on bridge1
0x0000: 3c34 373e 4665 6220 2036 2031 373a 3337
0x0010: 3a34 3920 5769 6c68 6f69 7420 5345 4e44
0x0020: 3a20 4865 6c6c 6f20 3130 2e33 302e 302e
0x0030: 3337 202d 3e20 3232 342e 302e 302e 3520
0x0040: 6f6e 2062 7269 6467 6531
03:29:49.212326 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 63)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 35
Facility syslog (5), Severity debug (7)
Msg: Feb 6 17:37:49 Wilhoit PACKET:
0x0000: 3c34 373e 4665 6220 2036 2031 373a 3337
0x0010: 3a34 3920 5769 6c68 6f69 7420 5041 434b
0x0020: 4554 3a
03:29:49.212333 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 107)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 79
Facility syslog (5), Severity debug (7)
Msg: Feb 6 17:37:49 Wilhoit 02 01 00 2C 0A 02 01 51 00
00 00 00 E6 0C 00 00
0x0000: 3c34 373e 4665 6220 2036 2031 373a 3337
0x0010: 3a34 3920 5769 6c68 6f69 7420 2020 2020
0x0020: 3032 2030 3120 3030 2032 4320 3041 2030
0x0030: 3220 3031 2035 3120 3030 2030 3020 3030
0x0040: 2030 3020 4536 2030 4320 3030 2030 30
03:29:49.212339 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 107)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 79
Facility syslog (5), Severity debug (7)
Msg: Feb 6 17:37:49 Wilhoit 00 00 00 00 00 00 00 00 FF
FF FF FC 00 0A 02 01
0x0000: 3c34 373e 4665 6220 2036 2031 373a 3337
0x0010: 3a34 3920 5769 6c68 6f69 7420 2020 2020
0x0020: 3030 2030 3020 3030 2030 3020 3030 2030
0x0030: 3020 3030 2030 3020 4646 2046 4620 4646
0x0040: 2046 4320 3030 2030 4120 3032 2030 31
03:29:49.212343 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 95)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 67
Facility syslog (5), Severity debug (7)
Msg: Feb 6 17:37:49 Wilhoit 00 00 00 28 0A 1E 00 25 00
00 00 00
0x0000: 3c34 373e 4665 6220 2036 2031 373a 3337
0x0010: 3a34 3920 5769 6c68 6f69 7420 2020 2020
0x0020: 3030 2030 3020 3030 2032 3820 3041 2031
0x0030: 4520 3030 2032 3520 3030 2030 3020 3030
0x0040: 2030 30
03:29:51.842985 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 100)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 72
Facility syslog (5), Severity debug (7)
Msg: Feb 6 17:37:52 Wilhoit SEND: Hello
10.0.80.6 -> 224.0.0.5 on vlan11
0x0000: 3c34 373e 4665 6220 2036 2031 373a 3337
0x0010: 3a35 3220 5769 6c68 6f69 7420 5345 4e44
0x0020: 3a20 4865 6c6c 6f20 3130 2e30 2e38 302e
0x0030: 3620 2d3e 2032 3234 2e30 2e30 2e35 206f
0x0040: 6e20 766c 616e 3131
03:29:51.843178 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 63)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 35
Facility syslog (5), Severity debug (7)
Msg: Feb 6 17:37:52 Wilhoit PACKET:
0x0000: 3c34 373e 4665 6220 2036 2031 373a 3337
0x0010: 3a35 3220 5769 6c68 6f69 7420 5041 434b
0x0020: 4554 3a
03:29:51.843203 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 107)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 79
Facility syslog (5), Severity debug (7)
Msg: Feb 6 17:37:52 Wilhoit 02 01 00 30 0A 02 01 51 00
00 00 01 38 3B 00 00
0x0000: 3c34 373e 4665 6220 2036 2031 373a 3337
0x0010: 3a35 3220 5769 6c68 6f69 7420 2020 2020
0x0020: 3032 2030 3120 3030 2033 3020 3041 2030
0x0030: 3220 3031 2035 3120 3030 2030 3020 3030
0x0040: 2030 3120 3338 2033 4220 3030 2030 30
03:29:51.844462 IP (tos 0x0, ttl 62, id 0, offset 0, flags
[DF], proto UDP (17), length 107)
10.0.80.6.syslog >
216-xx-xx-140.mydomain.net.syslog: [udp sum ok]
SYSLOG, length: 79
Facility syslog (5), Severity debug (7)
Msg: Feb 6 17:37:52 Wilhoit 00 00 00 00 00 00 00 00 FF
FF FF FC 00 0A 02 01
0x0000: 3c34 373e 4665 6220 2036 2031 373a 3337
0x0010: 3a35 3220 5769 6c68 6f69 7420 2020 2020
0x0020: 3030 2030 3020 3030 2030 3020 3030 2030
0x0030: 3020 3030 2030 3020 4646 2046 4620 4646
0x0040: 2046 4320 3030 2030 4120 3032 2030 31!
!
!
!
03:31:51.189152 IP (tos 0x0, ttl 64, id 11712, offset 0, flags
[DF], proto TCP (6), length 60)
216-xx-xx-59.mydomain.net.60204 >
216-xx-xx-140.mydomain.net.shell: Flags [S], cksum
0xca18 (correct), seq 846298052, win 14600, options [mss 1460,sackOK,TS
val 2089309700 ecr 0,nop,wscale 7], length 0
03:31:51.189185 IP (tos 0x0, ttl 64, id 0, offset 0, flags
[DF], proto TCP (6), length 40)
216-xx-xx-140.mydomain.net.shell >
216-xx-xx-59.mydomain.net.60204: Flags [R.],
cksum 0x3d7d (correct), seq 0, ack 846298053, win 0, length 0
[/code:1prpr0qs]
More information about the rsyslog-notify
mailing list