[rsyslog-notify] Forum Thread: non-standard output format when hostname is missing - (Mode 'edit_topic')

noreply at adiscon.com noreply at adiscon.com
Mon Nov 16 13:22:24 CET 2015


User: ctr 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26146#p26146

Message: 
----------
I'm using rsyslog 5.8.10 (CentOS distribution package) with
RSYSLOG_SyslogProtocol23Format forwarding.
However, when the hostname is not present in the received syslog message,
message formatting and forwarding produces incomplete messages:
I.e. input log line (observed using tcpdump):
<PRI> SP TIMESTAMP SP TAG SP MSG
<14> Nov 15 10:10:10 some_logs: message content comes here, but no SD
is converted and forwarded as:
<14>1 2015-11-16T09:10.10+01:00 some-hostname some_logs - - message content
comes here, but no SD
note that there are just two NIL fields ("-") although there should be
three (PROCID, MSGID and SD are missing, so they should be NIL)

I may be able to fix this up in the forwarding template, but as the source
message does not violate any standard (hostname is optional as per RFC3164)
I think the better approach would be to have this handled in the code. Also
I'd have to process every message (rather than using built-in template) to
get this done which may have a performance impact.

EDIT: When outputting with DEBUG I can actually see
PROCID: ''
although I'd expect PROCID: '-' (like MSGID and SD)
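
The following is an added example, not part of the original post and not rsyslog code: a receiver-side check that flags forwarded lines whose RFC 5424 header lacks a field, as in the output quoted above. The function name, the sample lines (constructed, with a placeholder timestamp) and the assumption that an empty PROCID appears on the wire as two adjacent spaces are all hypothetical.

```python
import re

# RFC 5424 header layout:
# <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP STRUCTURED-DATA [SP MSG]
FIELDS = ("TIMESTAMP", "HOSTNAME", "APP-NAME", "PROCID", "MSGID")
MAXLEN = {"HOSTNAME": 255, "APP-NAME": 48, "PROCID": 128, "MSGID": 32}
PRI_VERSION = re.compile(r"<(\d{1,3})>([1-9]\d{0,2}) ")

def check_rfc5424(line):
    """Return a list of header problems; an empty list means well-formed."""
    m = PRI_VERSION.match(line)
    if not m:
        return ["missing or malformed PRI/VERSION"]
    problems = []
    if int(m.group(1)) > 191:
        problems.append("PRI out of range")
    # Split on single spaces so an empty field (two adjacent SP) stays visible.
    parts = line[m.end():].split(" ", len(FIELDS))
    if len(parts) <= len(FIELDS):
        return problems + ["header truncated before STRUCTURED-DATA"]
    for name, value in zip(FIELDS, parts):
        if value == "":
            problems.append(f"{name} is empty, expected NILVALUE '-'")
        elif len(value) > MAXLEN.get(name, len(value)):
            problems.append(f"{name} too long")
    sd = parts[len(FIELDS)]
    # STRUCTURED-DATA must be "-" or start an SD-ELEMENT with "[".
    if not (sd == "-" or sd.startswith("- ") or sd.startswith("[")):
        problems.append("STRUCTURED-DATA is neither NILVALUE nor an SD-ELEMENT")
    return problems

# Constructed sample lines (timestamp is a placeholder, not taken from the post).
TS = "2015-11-16T09:10:10+01:00"
SAMPLES = {
    "two_nil": f"<14>1 {TS} some-hostname some_logs - - message content",
    "empty_procid": f"<14>1 {TS} some-hostname some_logs  - - message content",
    "three_nil": f"<14>1 {TS} some-hostname some_logs - - - message content",
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, check_rfc5424(sample) or "ok")
```

A line with only two NIL fields is reported because the first word of the message lands in the STRUCTURED-DATA position, which is how a strict RFC 5424 parser downstream would misread it.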

