Being back... (inline)
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:rsyslog-[EMAIL PROTECTED] On Behalf Of Jeff Schroeder
> Sent: Friday, August 22, 2008 3:21 PM
> To: (private) HKS
> Cc: rsyslog-users
> Subject: Re: [rsyslog] Problems migrating from syslog-ng
>
> On Thu, Aug 21, 2008 at 2:00 PM, (private) HKS <[EMAIL PROTECTED]> wrote:
> > On Thu, Aug 21, 2008 at 4:44 PM, Jeff Schroeder <[EMAIL PROTECTED]> wrote:
> >> On Thu, Aug 21, 2008 at 10:53 AM, Rainer Gerhards
> >> <[EMAIL PROTECTED]> wrote:
> >>> I have only been able to have a brief look, but it looks like the
> >>> message is incorrectly formatted. rsyslog is smart enough to detect
> >>> that the hostname is missing if the tag is followed by a character not
> >>> valid in hostnames. But if the tag even looks like a hostname, it has
> >>> no chance of detecting that it isn't one. As suggested, see RFC 3164
> >>> for what the format should look like. I think the -x option (or some
> >>> other) enables to strip hostname detection, but I am not sure. You can
> >>> "solve" this by misusing some fields. E.g. FROMHOST probably has what
> >>> actually is the tag. HKS's suggestion will help you find a suitable
> >>> format.
>
> You were right Rainer. It looks like the Java code which injects the
> message is sending malformed
> syslog requests.

Please provide samples of the raw messages, what syslog-ng does to them and what rsyslog does (and what you would ideally like to see, if that's different in any aspect ;)). [I know you have sent most of it - except the source message, but I'd like to have a consistent set to look at.]

> syslog-ng still sends it through and does the correct
> things. Is there a way to make
> rsyslog a bit less strict about it?

It depends on the above things. The problem is that when we cannot detect whether it is a tag or a hostname, there is no way to do it automatically. I can, of course, add a switch that tells the parser that there never is a hostname inside the message. I suspect this is what syslog-ng is doing. This prevents relay chains from properly conveying the hostname, but I guess it would work in your case. It needs to be a user option, because obviously most users will never want to use this handling.

> Running rsyslog with -c0 defeats
> the purpose of using rsyslog.

Well... not really. The -cX switches change some aspects of behavior, but do not change the core itself. However, I do not think that -c0 would change anything. Does it? If so, my analysis would obviously be wrong...

> Until our application has been fixed and rolled out across our
> clusters worldwide, we rolled back to syslog-ng.

Of course, I'd like to support the format as-is (under above constraints;)).

Rainer

> >>
> >> Is there an equivalent of "-x" with "-c 3" enabled? It doesn't seem to
> >> work with -c3 and I'd
> >> rather not run in compatibility mode.
> >
> > I don't think so.
> >
> > -HKS
>
> --
> Jeff Schroeder
>
> Don't drink and derive, alcohol and analysis don't mix.
> http://www.digitalprognosis.com
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
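
The hostname/tag ambiguity discussed in this thread, as an added example (not rsyslog code and not from any poster): a minimal RFC 3164-style parser in Python using the heuristic described above. The `assume_no_hostname` switch, the sample messages and the sender address 192.0.2.10 are assumptions made for illustration.

```python
import re

# <PRI> followed by the RFC 3164 timestamp "Mmm dd hh:mm:ss"
HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (.*)$", re.S)
# Characters a hostname token may contain (letters, digits, hyphen, dot)
HOSTNAME_OK = re.compile(r"^[A-Za-z0-9.-]+$")


def parse_3164(raw, sender, assume_no_hostname=False):
    """Split a legacy syslog line into hostname, tag and msg.

    sender is the address the packet came from; it is used when the
    message carries no hostname. assume_no_hostname is a hypothetical
    switch modelling "there never is a hostname inside the message".
    """
    m = HEADER.match(raw)
    if not m:
        raise ValueError("no <PRI>TIMESTAMP header")
    pri, timestamp, rest = int(m.group(1)), m.group(2), m.group(3)
    first, _, remainder = rest.partition(" ")
    if assume_no_hostname or not HOSTNAME_OK.match(first):
        # First token cannot be (or is declared not to be) a hostname: it is the tag.
        hostname, tag_token, msg = sender, first, remainder
    else:
        # Token looks like a hostname, so the parser has to believe it.
        hostname = first
        tag_token, _, msg = remainder.partition(" ")
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": timestamp,
            "hostname": hostname, "tag": tag_token.rstrip(":"), "msg": msg}


# Constructed sample messages (not taken from the thread)
WELL_FORMED = "<13>Aug 22 15:21:00 web01 myapp: user login ok"
NO_HOST_COLON = "<13>Aug 22 15:21:00 myapp: user login ok"   # ':' gives the tag away
NO_HOST_BARE = "<13>Aug 22 15:21:00 myapp user login ok"     # tag looks like a hostname

if __name__ == "__main__":
    for line in (WELL_FORMED, NO_HOST_COLON, NO_HOST_BARE):
        print(parse_3164(line, "192.0.2.10"))
    print(parse_3164(NO_HOST_BARE, "192.0.2.10", assume_no_hostname=True))
```

With the third sample the tag is recorded as the hostname and the first word of the message becomes the tag, so log entries are attributed to a host that does not exist unless the switch is set.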

