On Tue, 24 Apr 2012, Steven Willis wrote:
I think you are forgetting about the format that the remote host is
configured to log to disk with.
If it is logging with the traditional file format, what you show as
being in the log would be correct.
remember that each instance of rsyslog has it's own templates for logs,
you can't just change the template on the first system and expect
systems downstream to use it.
David Lang
I don't think I fully understand. I get that there can be issues between each
syslog reading in an writing out in a different format, but how does the
addition of a single colon drastically change the output? These were my two
formats:
$template myFormat,"%timereported% hostname:{%hostname%} rawmsg:{%rawmsg%}\n"
$template myFormat2,"%timereported% hostname{%hostname%} rawmsg:{%rawmsg%}\n"
And the final output when using the second is exactly what I naively
expected, but the first got garbled. When you use remote logging, is the
remote rsyslog daemon always going to parse the input based on a strict
format? And if so, what is that format, I've seen a couple mentions of
different forward formats.
when the remote system receives the message, if you have not loaded a
specific parser module it assumes that what it's receiving is in the
traditional syslog format.
in your first example, hostname:{%hostname%} triggers something in the
parsing logic that says that this can't be a legitimate hostname, so it
puts the IP address of the sender in the hostname field instead.
In the second case, this heuristic doesn't get triggered, so it puts the
result of 'hostname{%hostname%}' in the hostname field, so it does what
you are expecting.
The short version is not to muck with the formatting until you arrive at
your final destination (unless you need to fix something that's broken)
I'll bet that if you use the default format on your sending machine, and
your custom format on the recieving machine, it will do what you want.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
