what version of rsyslog are you using?
there is a pmcisco module to clean up the extra ":" in the file, but the
duplicate timestamp indicates that there is something really odd going on
and rsyslog does not think there is a valid timestamp in the message.
you may want to log a bit with format RSYSLOG_Debug to see what is
arriving so that we can try and figure out what's going wrong.
David Lang
On Sun, 21 Oct 2012, Ryan Sawhill wrote:
Date: Sun, 21 Oct 2012 23:02:51 -0400
From: Ryan Sawhill <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: [rsyslog] Feedback on possibilities of reformatting logs from remote
syslog hosts
Log entries on this rsyslog server are coming from multiple (non-rsyslog)
remote hosts, including linux boxen with classic sysklogd, cisco routers, &
windows machines. It's all kinds of messy... Given some of the following
examples, can anyone offer thoughts on how these messages could be cleaned up
on the rsyslog side?
At the very least, could we do anything to make it so the duplicate
timestamps don't show up for some messages?
Thanks for your time.
Oct 17 09:42:55 Oct 17 2012 13:42:55 10.0.0.200 : %ASA-6-106100: access-list
host-25 permitted tcp host-25/10.0.0.25(3203) ->
untrust-v2108/10.0.0.30(6060)...
Oct 17 09:42:55 host-41 /12 13:42:54 [issue_cmd ]
RESULT:#012#01210/17/12 13:42:54 [issue_cmd ] PING 10.0.0.20
(10.0.0.20): 56 data bytes#012#01210/17/12 13:42:54 [issue_cmd ] 64
bytes from 10
Oct 17 13:42:55 host-41 Vpxa:
Oct 17 13:42:55 host-41 Vpxa: [2012-10-17 13:42:55.030 12345ABC verbose
'App'] [VpxaVMAP::Invoke] Command returned successfully
Oct 17 09:29:52 host-99 #012#01210/17/12 13:29:51 [print_args ]
PWD=/var/log/vmware/vpx#012#01210/17/12 13:29:51 [print_args ]
PS_OPTIONS=#012#01210/17/12 13:29:51 [print_args ] FT_N
Oct 17 09:30:04 host86.example.com
MSWinEventLog#0110#011Security#00000000#011Wed Oct 17 09:30:03
2012#0000000#011Microsoft-Windows-Security-Auditing#011EXAMPLE\host86$#011N/A#011Success
Audit#011host86.example.com#011Proces
Oct 17 09:29:57 10.0.0.100 1234567: Oct 17 13:29:56.474 UTC:
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/31, changed
state to down
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.
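Added example (not part of either post, and not rsyslog code): a heuristic Python triage of stored lines like the ones quoted above, flagging which sources produce a second timestamp directly after the first and which embed their own timestamp further into the message. The regexes, the names `classify` and `SAMPLES`, and the shape labels are assumptions made for this example; it does not reproduce rsyslog's own parser.

```python
import re

STAMP = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"
# Stamp at the start of each stored line (first field of the log file).
LEAD = re.compile("^" + STAMP + " ")
# Timestamp shapes that appear inside the messages quoted in the thread.
EMBEDDED = [
    ("month-day-year", re.compile(r"[A-Z][a-z]{2} [ \d]\d \d{4} \d\d:\d\d:\d\d")),
    ("month-day-msec", re.compile(STAMP + r"\.\d+")),
    ("month-day", re.compile(STAMP + r"(?![.\d])")),
    ("us-numeric", re.compile(r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d")),
    ("iso-date", re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d")),
]

def classify(line):
    """Heuristic triage of one stored line; returns None without a leading stamp."""
    m = LEAD.match(line)
    if not m:
        return None
    rest = line[m.end():]
    shapes = [name for name, rx in EMBEDDED if rx.search(rest)]
    # A second stamp directly after the first is the "duplicate timestamp" case.
    front = next((hit for _, rx in EMBEDDED if (hit := rx.match(rest))), None)
    tokens = (rest[front.end():] if front else rest).split()
    return {"source": tokens[0] if tokens else "",
            "duplicate_stamp": front is not None,
            "embedded": shapes}

# Lines from the thread, re-joined where the mail wrapped them and shortened.
SAMPLES = [
    "Oct 17 09:42:55 Oct 17 2012 13:42:55 10.0.0.200 : %ASA-6-106100: access-list host-25 permitted tcp",
    "Oct 17 09:29:57 10.0.0.100 1234567: Oct 17 13:29:56.474 UTC: %LINEPROTO-5-UPDOWN: Line protocol",
    "Oct 17 13:42:55 host-41 Vpxa: [2012-10-17 13:42:55.030 12345ABC verbose 'App'] [VpxaVMAP::Invoke]",
    "Oct 17 09:42:55 host-41 /12 13:42:54 [issue_cmd ] RESULT:#012#01210/17/12 13:42:54 [issue_cmd ] PING",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line))
```

Grouping the results by `source` shows which senders need their own cleanup rule and which only carry an application timestamp inside the message text.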