[rsyslog-notify] Forum Thread: Re: Inserting information into Log received from remote host - (Mode 'reply')
noreply at adiscon.com
Tue Nov 3 22:56:02 CET 2015
User: dlang
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26103#p26103
Message:
----------
wow, there are a lot of things wrong with that log message.
a valid syslog formatted message would be something like
<180>Nov 18 07:57:13 hostname DefensePro: WARNING 105 Anomalies "TTL Less Than or Equal to 1" IP xxx.xxx.xxx.xxx y xxx.xxx.xxx.xxx y y Regular "Packet Anomalies" sampled 1 94 N/A 0 N/A low forward aaaaaaaaa-aaaa-aaaa-1111-11111111
you need to write this out to a file with the template RSYSLOG_DebugFormat
to see exactly what rsyslog ends up doing with this message as its
heuristics try to get something meaningful out of this garbage. It's very
possible that the hostname variable will end up containing "DefensePro".
you will probably end up with a template something like:
<%pri%>%timestamp% %fromhost-ip% %hostname% %syslogtag%%msg%
with the hostname field being there because that variable has ended up
containing information that you care about. Until I see the debugformat
output I can't say for sure.
but just sticking %hostname% in front of the rawmessage (which starts with
the '<180>') is almost certainly the wrong thing to do.
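As an added illustration (not part of the post above, and not rsyslog's own parser), the following Python splits the well-formed sample line from the reply into the same header fields that the suggested template refers to (pri, timestamp, hostname, syslogtag, msg) and then renders that template. It is a simplified RFC 3164 header parse; the source address and the sample line are constructed here, and real rsyslog may resolve a malformed line differently, which is exactly why the post asks for RSYSLOG_DebugFormat output.

```python
import re

# Constructed sample: the well-formed line quoted in the reply, joined onto one line.
SAMPLE = ('<180>Nov 18 07:57:13 hostname DefensePro: WARNING 105 Anomalies '
          '"TTL Less Than or Equal to 1" IP xxx.xxx.xxx.xxx y xxx.xxx.xxx.xxx '
          'y y Regular "Packet Anomalies" sampled 1 94 N/A 0 N/A low forward '
          'aaaaaaaaa-aaaa-aaaa-1111-11111111')

# Placeholder sender address (RFC 5737 documentation range); rsyslog would
# fill %fromhost-ip% from the UDP/TCP peer, not from the message text.
FROMHOST_IP = '192.0.2.10'

# Simplified RFC 3164 header: <PRI>, BSD timestamp, hostname, TAG (with
# optional [pid] and trailing colon), then the rest of the line as MSG.
# Like rsyslog's legacy %msg% property, MSG keeps its leading space, which
# is why the template writes %syslogtag%%msg% with no space in between.
HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<hostname>\S+) '
    r'(?P<syslogtag>[^\s:\[]+(?:\[\d+\])?:?)'
    r'(?P<msg>.*)$',
    re.S,
)


def parse_rfc3164(line):
    """Return a dict of header fields, or None if the line has no valid header."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = m.groupdict()
    pri = int(fields['pri'])
    if pri > 191:               # facility 0..23 * 8 + severity 0..7
        return None
    fields['pri'] = pri
    fields['facility'] = pri // 8   # 180 -> 22 (local6)
    fields['severity'] = pri % 8    # 180 -> 4  (warning)
    return fields


def render_template(fields, fromhost_ip):
    """Render the template from the reply:
    <%pri%>%timestamp% %fromhost-ip% %hostname% %syslogtag%%msg%"""
    return '<%d>%s %s %s %s%s' % (
        fields['pri'], fields['timestamp'], fromhost_ip,
        fields['hostname'], fields['syslogtag'], fields['msg'])


def debug_dump(fields):
    """Property-per-line listing, in the spirit of RSYSLOG_DebugFormat."""
    return '\n'.join('%s: %r' % (k, fields[k]) for k in
                     ('pri', 'facility', 'severity', 'timestamp',
                      'hostname', 'syslogtag', 'msg'))


if __name__ == '__main__':
    f = parse_rfc3164(SAMPLE)
    print(debug_dump(f))
    print(render_template(f, FROMHOST_IP))
```

Run it and compare the `hostname` and `syslogtag` lines against what rsyslog's own RSYSLOG_DebugFormat output shows for the real message; if the device sends no hostname token at all, the two will disagree, and that disagreement is what the template has to be built around.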