[rsyslog-notify] Forum Thread: Re: [Help] incorrect facility - (Mode 'edit_last_post')

[noreply at adiscon.com]

User: flaco 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26502#p26502

Message: 
----------
[quote="dlang":37ez2pnu]write some logs with the format RSYSLOG_DebugFormat
and you will be able to see exactly how rsyslog is parsing the messages.

It will show you what facility it's seeing, but it will also show you the
rawmsg, which is what it receives to parse.

Once we see those it should be clear what is happening.[/quote:37ez2pnu]

Hello,

 these are few line captured with [b:37ez2pnu]*.*
/var/log/debugfmt;RSYSLOG_DebugFormat[/b:37ez2pnu]:

[code:37ez2pnu]FROMHOST: 'av-01', fromhost-ip:
'127.0.0.1', HOSTNAME: 'av-01', PRI: 30,
syslogtag 'clamd[554]:', programname: 'clamd',
APP-NAME: 'clamd', PROCID: '554', MSGID: '-',
TIMESTAMP: 'Apr 19 09:56:01', STRUCTURED-DATA: '-',
msg: ' instream(10.10.10.10 at 43999):
Heuristics.Phishing.Email.SpoofedDomain FOUND'
escaped msg: ' instream(10.10.10.10 at 43999):
Heuristics.Phishing.Email.SpoofedDomain FOUND'
inputname: imuxsock rawmsg: '<30>Apr 19 09:56:01
clamd[554]: instream(10.10.10.10 at 43999):
Heuristics.Phishing.Email.SpoofedDomain FOUND'
$!:
$.:
$/:

Debug line with all properties:
FROMHOST: 'av-01', fromhost-ip: '127.0.0.1',
HOSTNAME: 'av-01', PRI: 30,
syslogtag 'clamd[554]:', programname: 'clamd',
APP-NAME: 'clamd', PROCID: '554', MSGID: '-',
TIMESTAMP: 'Apr 19 09:57:43', STRUCTURED-DATA: '-',
msg: ' LibClamAV Warning: cli_tnef: file truncated, returning
CLEAN'
escaped msg: ' LibClamAV Warning: cli_tnef: file truncated,
returning CLEAN'
inputname: imuxsock rawmsg: '<30>Apr 19 09:57:43
clamd[554]: LibClamAV Warning: cli_tnef: file
truncated, returning CLEAN'
$!:
$.:
$/:[/code:37ez2pnu]

In my first post the lines were captured using
[b:37ez2pnu]$template TraditionalFormatWithPRI,"%pri-text%: %timegenerated%
%HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"[/b:37ez2pnu].

Thank you
Marco