[rsyslog-notify] Forum Thread: Re: filter invalid syslogtag - (Mode 'reply')

noreply at adiscon.com noreply at adiscon.com
Fri Jul 8 08:21:18 CEST 2016 

User: awinberg 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26732#p26732

Message: 
----------
Hey, I got lucky almost immediately and captured a 'weird' message on the
logserver:

[code:14gp4bns]Debug line with all properties:
FROMHOST: 'lxserv350.smhi.se', fromhost-ip:
'172.18.0.104', HOSTNAME: 'lxserv350', PRI: 156,
syslogtag '`<87>^A40^?:', programname: '`', APP-NAME: '`',
PROCID: '', MSGID: '-',
TIMESTAMP: 'Jul  8 06:16:10', STRUCTURED-DATA: '-',
msg: ' 0^?: 
[org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject]
IJ000604: Throwable while attempting to get a new connection: null'
escaped msg: ' 0: 
[org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject]
IJ000604: Throwable while attempting to get a new connection: null'
inputname: imtcp rawmsg:
'<156>2016-07-08T06:16:10.531616+00:00 lxserv350
`<87>^A40^?: 0^?: 
[org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject]
IJ000604: Throwable while attempting to get a new connection: null'
[/code:14gp4bns]


Looks pretty much the same as the one from the client. procid seems to be
changed from containing a dash to just an empty string. 

As comparison, here is another message from the same server with a correct
syslogtag:

[code:14gp4bns]Debug line with all properties:
FROMHOST: 'lxserv350.smhi.se', fromhost-ip:
'172.18.0.104', HOSTNAME: 'lxserv350', PRI: 150,
syslogtag 'httpd[mora-apps.smhi.se]:', programname:
'httpd', APP-NAME: 'httpd', PROCID: 'mora-apps.smhi.se',
MSGID: '-',
TIMESTAMP: 'Jul  8 06:16:10', STRUCTURED-DATA: '-',
msg: ' 10.120.6.191 - -
[08/Jul/2016:06:16:10 +0000] "GET
/monitoring/?type=Cache_hit_index_masternode HTTP/1.1" 200 27 "-"
"Wget/1.14 (linux-gnu)"'
escaped msg: ' 10.120.6.191 - -
[08/Jul/2016:06:16:10 +0000] "GET
/monitoring/?type=Cache_hit_index_masternode HTTP/1.1" 200 27 "-"
"Wget/1.14 (linux-gnu)"'
inputname: imtcp rawmsg:
'<150>2016-07-08T06:16:10.582539+00:00 lxserv350
httpd[mora-apps.smhi.se]: 10.120.6.191 - -
[08/Jul/2016:06:16:10 +0000] "GET
/monitoring/?type=Cache_hit_index_masternode HTTP/1.1" 200 27 "-"
"Wget/1.14 (linux-gnu)"'[/code:14gp4bns]

This is an apache log of course, but it contains a syslogtag with the
format i'm expecting.

More information about the rsyslog-notify mailing list