[rsyslog-notify] Forum Thread: Strange linebreak with Jboss access logs - (Mode 'post')

noreply at adiscon.com noreply at adiscon.com
Thu Feb 27 17:36:15 CET 2014 

User: Chriss.ko 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24268#p24268

Message: 
----------
Hi everybody,

I try to send the jboss access logs via reading the actual log file to my
central rsyslog server. The servers running Redhat 6.4 so I have
rsyslog-5.8.10-8.el6.x86_64 on both sites running.

Client setup:
[code:1emrlwv5]
$template FormatJB1Access,"%protocol-version%
%TIMESTAMP:::date-rfc3339% %HOSTNAME% %app-name% %msg%\n
$InputFileName /own/log/jboss/access_log.%$YEAR%-%$MONTH%-%$DAY%
$InputFileTag JB1access-log
$InputFileStateFile stat-JB1access-log
#$InputFileReadMode 2
$InputFileSeverity info
$InputRunFileMonitor
if $app-name == 'JB1access-log' then @@loghost:514;FormatJB1Access
if $app-name == 'JB1access-log' then ~
[/code:1emrlwv5]

Example from the log I we are reading:
[code:1emrlwv5]
10.0.0.30 [27/Feb/2014:17:20:32 +0100] 0
HTTP/1.1 11001 http-executor-threads - 553 / 200 GET 2432
10.0.0.30 [27/Feb/2014:17:20:32 +0100] 0
HTTP/1.1 11001 http-executor-threads - 555 /as7_style.css 200 GET
1707
10.0.0.30 [27/Feb/2014:17:20:32 +0100] 1
HTTP/1.1 11001 http-executor-threads - 556 /as7_logo.png 200 GET
22866
10.0.0.30 [27/Feb/2014:17:20:32 +0100] 0
HTTP/1.1 11001 http-executor-threads - 558 /jboss_community.png 200
GET 2731
10.0.0.30 [27/Feb/2014:17:20:32 +0100] 1
HTTP/1.1 11001 http-executor-threads - 557 /bkg.gif 200 GET 51660
[/code:1emrlwv5]

This is the part from the rsyslog server:
[code:1emrlwv5]
$template TraditionalFormat,"%timegenerated% %HOSTNAME%
%syslogtag%%msg:::drop-last-lf%\n"
# All Logs to one file
$template AllPerHostLogs,"/own/log/%FROMHOST%/all.log"
if \
        $source != 'adm' \
                and not ( \
        $app-name contains 'TC1catalina-out' \
                or \
        $app-name contains 'TC1access-log' \
                or \
        $app-name contains 'JB1access-log' \
                ) \
then -?AllPerHostLogs;TraditionalFormat

# All access-log
$template
Jboss1AccessLogHostLogs,"/own/log/%FROMHOST%/jboss-1-access.log"
if \
        $source != 'adm' \
                and \
        $app-name contains 'JB1access-log' \
then -?Jboss1AccessLogHostLogs
[/code:1emrlwv5]
So I have a catch all log (all.log) where I want to write everything to,
except the logfiles with the app-names listed, and the host "adm", the host
where the rsyslog server is running on, is excluded as well. This works
fine for the "TC1*" application, the JB1access-log is the problem:

If I look into the jboss-1-access.log everything looks fine:
[code:1emrlwv5]
Feb 27 17:20:48 devfe1 JB1access-log 10.0.0.30
[27/Feb/2014:17:20:32 +0100] 0 HTTP/1.1 11001
http-executor-threads - 553 / 200 GET 2432
Feb 27 17:20:48 devfe1 JB1access-log 10.0.0.30
[27/Feb/2014:17:20:32 +0100] 0 HTTP/1.1 11001
http-executor-threads - 555 /as7_style.css 200 GET 1707
Feb 27 17:20:48 devfe1 JB1access-log 10.0.0.30
[27/Feb/2014:17:20:32 +0100] 1 HTTP/1.1 11001
http-executor-threads - 556 /as7_logo.png 200 GET 22866
Feb 27 17:20:48 devfe1 JB1access-log 10.0.0.30
[27/Feb/2014:17:20:32 +0100] 0 HTTP/1.1 11001
http-executor-threads - 558 /jboss_community.png 200 GET 2731
Feb 27 17:20:48 devfe1 JB1access-log 10.0.0.30
[27/Feb/2014:17:20:32 +0100] 1 HTTP/1.1 11001
http-executor-threads - 557 /bkg.gif 200 GET 51660
[/code:1emrlwv5]

But I have some strange looking lins in the all.log as well which should
not be there:
[code:1emrlwv5]
Feb 27 17:20:44 F
Feb 27 17:20:44 eb 27 17:20:48 devfe1 JB1access-log
JB1access-log  10.0.0.30 [27/Feb/2014:17:20:32
+0100] 0 HTTP/1.1 11001 http-executor-threads - 553 / 200 GET 2432
Feb 27 17:20:44 F
Feb 27 17:20:44 eb 27 17:20:48 devfe1 JB1access-log
JB1access-log  10.0.0.30 [27/Feb/2014:17:20:32
+0100] 0 HTTP/1.1 11001 http-executor-threads - 555
/as7_style.css 200 GET 1707
Feb 27 17:20:44 F
Feb 27 17:20:44 eb 27 17:20:48 devfe1 JB1access-log
JB1access-log  10.0.0.30 [27/Feb/2014:17:20:32
+0100] 1 HTTP/1.1 11001 http-executor-threads - 556
/as7_logo.png 200 GET 22866
Feb 27 17:20:44 F
Feb 27 17:20:44 eb 27 17:20:48 devfe1 JB1access-log
JB1access-log  10.0.0.30 [27/Feb/2014:17:20:32
+0100] 0 HTTP/1.1 11001 http-executor-threads - 558
/jboss_community.png 200 GET 2731
Feb 27 17:20:44 F
Feb 27 17:20:44 eb 27 17:20:48 devfe1 JB1access-log
JB1access-log  10.0.0.30 [27/Feb/2014:17:20:32
+0100] 1 HTTP/1.1 11001 http-executor-threads - 557 /bkg.gif
200 GET 51660
[/code:1emrlwv5]

First of all, the lines should not show up in the all.log. They do and they
are malformated, the $app-name appears twice and I have no idea where the
line break after the F comes from.  

Can anybody help me please?

Cherrs,

Chriss

More information about the rsyslog-notify mailing list