I have only been able to have a brief look, but it looks like the message is incorrectly formatted. rsyslog is smart enough to detect that the hostname is missing if the tag is followed by a character not valid in hostnames. But if the tag even looks like a hostname, it has no chance of detecting that it isn't one. As suggested, see RFC 3164 for what the format should look like. I think the -x option (or some other) enables to strip hostname detection, but I am not sure. You can "solve" this by misusing some fields. E.g. FROMHOST probably has what actually is the tag. HKS's suggestion will help you find a suitable format.

Rainer

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of (private) HKS
Sent: Thu 8/21/2008 7:46 PM
To: rsyslog-users
Subject: Re: [rsyslog] Problems migrating from syslog-ng

I'm not familiar with syslog-ng, but I suspect this is just a difference in the formatting/interpretation of the raw packet. Try capturing a message or two from syslog-ng with tcpdump and compare to section 4 of RFC 3164.

You can see how rsyslog interprets it with the following template:

$template test, "TIME: %timestamp% HOST: %hostname% TAG: %syslogtag% PROGRAM: %programname% MSG: %rawmsg%\n"

This should give you some idea of how to create a template that will log in the format you need.

-HKS

On Thu, Aug 21, 2008 at 1:33 PM, Jeff Schroeder <[EMAIL PROTECTED]> wrote:
> Rsyslog seems to be mangling messages sent from our in-house applications.
> We are trying to get the same format as we did with syslog-ng previously and
> not having a lot of luck.
>
> The logs are in the format something like this:
> TAG APPLICATION: MSG
>
> In syslog-ng, it looks like this locally and when sent to a remote
> syslog-ng server:
> Aug 21 00:00:00 ops051.nyc03.int ADMIN JAVA-EVENT:
> ops-192.168.101.251:65261 offset changed 0.0004593 seconds!
>
> rsyslog with the TraditionalFileFormat makes it look like this
> locally, stripping the hostname:
> Aug 21 00:00:00 JAVA-EVENT: ops-192.168.101.251:65261 offset changed
> 0.0004593 seconds!
>
> and like this when sent to a remote syslog-ng server. Notice how the
> ADMIN tag was removed:
> Aug 21 00:00:00 ops051.nyc03.int JAVA-EVENT: ops-192.168.101.251:65261
> offset changed 0.0004593 seconds!
>
> We have realtime logscraping software that looks at all message tags
> and does custom reporting on them.
> It keys off the TAG property that rsyslog is stripping off. What can
> we do to enable this? We've been playing
> with custom $templates in the rsyslog.conf to no real avail.
>
> Thanks!
>
> --
> Jeff Schroeder
>
> Don't drink and derive, alcohol and analysis don't mix.
> http://www.digitalprognosis.com
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
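
The hostname ambiguity discussed in this thread, as an added example that is not part of the original messages and is not rsyslog's own parser: a simplified RFC 3164 field splitter that accepts the first word after the timestamp as HOSTNAME only when it contains nothing but hostname characters. The function name, the PRI value 134 and the raw packets are assumptions, constructed from the log lines quoted above.

```python
import re

# RFC 3164 packet layout: <PRI>TIMESTAMP HOSTNAME TAG: CONTENT
HEADER = re.compile(r"<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)", re.S)
HOSTNAME = re.compile(r"[A-Za-z0-9.-]+")  # characters valid in a hostname
TAG = re.compile(r"([^\s:\[]+)(?:\[\d+\])?:? ?(.*)", re.S)


def parse_rfc3164(raw, sender):
    """Split a raw packet into fields; `sender` is the peer it arrived from."""
    m = HEADER.fullmatch(raw)
    if not m:  # no PRI/timestamp at all: keep everything as the message
        return {"hostname": sender, "tag": "", "msg": raw}
    _pri, timestamp, rest = m.groups()
    first, _, remainder = rest.partition(" ")
    if remainder and HOSTNAME.fullmatch(first):
        # Looks like a hostname, so it is taken as one, even if the
        # application meant it as the tag.
        hostname, rest = first, remainder
    else:
        # A character such as ':' cannot be part of a hostname, so the
        # field is known to be missing and the sender is used instead.
        hostname = sender
    t = TAG.fullmatch(rest)
    tag, msg = t.groups() if t else ("", rest)
    return {"timestamp": timestamp, "hostname": hostname, "tag": tag, "msg": msg}


# Constructed sample packets (assumed wire format, not captured traffic).
SENDER = "ops051.nyc03.int"
BODY = "ops-192.168.101.251:65261 offset changed 0.0004593 seconds!"
SAMPLES = {
    "well_formed": f"<134>Aug 21 00:00:00 {SENDER} ADMIN JAVA-EVENT: {BODY}",
    "no_host_ambiguous": f"<134>Aug 21 00:00:00 ADMIN JAVA-EVENT: {BODY}",
    "no_host_detectable": f"<134>Aug 21 00:00:00 JAVA-EVENT: {BODY}",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        fields = parse_rfc3164(raw, SENDER)
        print(f"{name:20} HOST={fields['hostname']!r} TAG={fields['tag']!r}")
```

Only the packet that carries an explicit hostname yields ADMIN as the tag; when the hostname is left out, ADMIN is silently promoted to the host field and any tooling keyed on the tag sees JAVA-EVENT instead.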

