[rsyslog-notify] Forum Thread: Re: non-standard output format when hostname is missing - (Mode 'edit_last_post')
noreply at adiscon.com
Mon Nov 16 14:13:19 CET 2015
User: ctr
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26150#p26150
Message:
----------
The extra space between PRI and timestamp was just a copy & paste incident,
it's not really there. So the issue is really just the empty PROCID.

Regardless of RFC3164 (we may have different interpretations here, having a
hostname is only a RECOMMENDATION, see section 4.2), rsyslog definitely mixes
things up. It populates PROCID with an empty value, which by itself violates
both draft-ietf-syslog-protocol-23 and RFC5424 (NILVALUE must be %d33-126),
so PROCID: '' is not valid.

If you are saying that since the input message is broken it cannot be
expected that rsyslog produces correct output format, I'd respond that not
having a hostname in a message is quite common and rsyslog has a handler
for this, setting it to fromhost-ip (or the reverse looked up hostname),
which is fine. Also, if the input is broken I'd expect that the output is
broken at the same stage, not a completely different one. And finally, an
empty PROCID is never valid, so why should Rsyslog ever output this?

This is also not about structured data at all. While RFC5424 defines what SD
has to look like, it also supersedes RFC3164 for unstructured data, and we
only deal with messages without SD in our case.
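
An added example, not part of the original post and not rsyslog code: a minimal check of the RFC 5424 header fields discussed above, which accepts NILVALUE ("-") but flags an empty PROCID in a received line. The sample lines are constructed, and the name `check_header` is hypothetical.

```python
import re

# RFC 5424 section 6: each of these header fields is either NILVALUE ("-")
# or 1..max PRINTUSASCII characters (%d33-126). An empty string is never valid.
FIELD_LIMITS = [("HOSTNAME", 255), ("APP-NAME", 48), ("PROCID", 128), ("MSGID", 32)]
PRI_VERSION = re.compile(r"<(\d{1,3})>([1-9]\d{0,2})")

def check_header(line):
    """Return a list of RFC 5424 header violations found in one syslog line.

    Only field presence, length and character range are checked; the
    TIMESTAMP syntax and everything after MSGID are not validated here.
    """
    # Split on single spaces only, so an empty field stays visible as "".
    parts = line.split(" ", 6)
    if len(parts) < 6:
        return ["header has fewer than 6 space-separated fields"]
    problems = []
    m = PRI_VERSION.fullmatch(parts[0])
    if not m or int(m.group(1)) > 191:
        problems.append("PRI/VERSION is malformed")
    if parts[1] == "":
        problems.append("TIMESTAMP is empty; use NILVALUE '-'")
    for (name, limit), value in zip(FIELD_LIMITS, parts[2:6]):
        if value == "":
            problems.append(f"{name} is empty; use NILVALUE '-'")
        elif len(value) > limit or not all(33 <= ord(c) <= 126 for c in value):
            problems.append(f"{name} is not 1*{limit}PRINTUSASCII")
    return problems

# Constructed sample lines (not taken from the thread).
GOOD = "<13>1 2015-11-16T14:13:19+01:00 host1 app 1234 - - test message"
NIL_PROCID = "<13>1 2015-11-16T14:13:19+01:00 host1 app - - - test message"
EMPTY_PROCID = "<13>1 2015-11-16T14:13:19+01:00 host1 app  - - test message"

if __name__ == "__main__":
    for sample in (GOOD, NIL_PROCID, EMPTY_PROCID):
        print(repr(sample), "->", check_header(sample) or "ok")
```

Running a check like this on the receiving side helps catch lines whose fields would otherwise shift by one position in a downstream parser.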