I guess he meant "rsyslog only has parsers for standard syslog message
formats" :-)


Philippe Muller


On Thu, Nov 1, 2012 at 9:19 AM, Flavio Oliveira <[email protected]> wrote:

>
> Hi,
>
> I used a text file with fields separated by tabs and sent the lines to
> rsyslog via UDP.
>
> What did you mean by "it is not a valid syslog format"?
>
> //Flavio
>
> > From: [email protected]
> > To: [email protected]
> > Date: Wed, 31 Oct 2012 16:38:14 +0000
> > Subject: Re: [rsyslog] Parsing msg
> >
> >
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:rsyslog-
> > > [email protected]] On Behalf Of Flavio Oliveira
> > > Sent: Wednesday, October 31, 2012 2:44 PM
> > > To: [email protected]
> > > Subject: Re: [rsyslog] Parsing msg
> > >
> > >
> > > Hi,
> > >
> > > The position-based parser worked. However, only if I use the imfile module
> > > ... if I use imudp ... something odd happens with the msg when I try
> > > to send ...
> > > See trace below ... we can see the time "13:56:13" in the received msg
> > > and everything goes okay with it until the message is sent ...
> > >
> > > 8173.946100404:7f7ca971e700: imudp: epoll_wait() returned with 1 fds
> > > 8173.946115431:7f7ca971e700: recv(3,193),acl:1,msg:<190>2012-10-31
> > > 13:56:13 ...
> >
> > In any case, this is no valid syslog format, so you need to write a
> > parser for that specific format.
> >
> > Rainer
> > > ...
> > > 8173.946129291:7f7ca971e700: main Q: entry added, size now log 1, phys
> > > 1 entries
> > > 8173.946136184:7f7ca971e700: main Q: EnqueueMsg advised worker start
> > > 8173.946144005:7f7ca871c700: wti 0x1898b30: worker awoke from idle
> > > processing
> > > 8173.946149585:7f7ca871c700: we deleted 0 objects and enqueued 0
> > > objects
> > > 8173.946152426:7f7ca871c700: delete batch from store, new sizes: log 1,
> > > phys 1
> > > 8173.946157217:7f7ca871c700: msg parser: flags 70, from
> > > '~NOTRESOLVED~', msg '<190>2012-10-31   13:56:13
> > > ...
> > >
> > > 8173.946313962:7f7ca871c700: relp session read 16 octets, buf '30 rsp 6
> > > 200 OK'
> > > 8173.946318863:7f7ca871c700: relp engine is dispatching frame with
> > > command 'rsp'
> > > 8173.946322371:7f7ca871c700: in rsp command handler, txnr 30, code 200,
> > > text 'OK'
> > > 8173.946325437:7f7ca871c700: DEL sess 0x7f7c98000b60 unacked 0,
> > > sessState 4
> > > 8173.946328020:7f7ca871c700: in destructor: sendbuf 0x7f7c98000f40
> > > 8173.946330805:7f7ca871c700: relpSessWaitState returns 0
> > > 8173.946333164:7f7ca871c700: send command relp sess state 4
> > > 8173.946335257:7f7ca871c700: sendcommand ready to send, relp sess state
> > > 4
> > > 8173.946339361:7f7ca871c700: frame to send: '31 syslog 236 <190>2012-
> > > 10-31T13:56:13.946118+01:00 nvezes-ds1 2012-10-31   13: 56:13 ...
> > > ...
> > >
> > >
> > > the msg format is broken .. see the time now (13: 56:13) ...
> > >
> > > I noticed that it happens when I use the imudp module ... it doesn't
> > > happen with the imfile module.
> > >
> > > Do you have any idea what caused this behaviour?
> > >
> > > Very basic conf file used to test:
> > >
> > > $ModLoad omrelp.so
> > > $ModLoad imudp.so
> > > $ModLoad imuxsock.so
> > >
> > > *.* :omrelp:xx.xx.xx.xx:514
> > >
> > > $UDPServerRun 514
> > >
> > > $EscapeControlCharactersOnReceive off
> > >
> > > //Flavio
> > >
> > > > From: [email protected]
> > > > To: [email protected]
> > > > Date: Tue, 30 Oct 2012 16:39:46 +0000
> > > > Subject: Re: [rsyslog] Parsing msg
> > > >
> > > > Oops, hit return too quickly...
> > > > > >If I need more than one
> > > > > > field (Positions 3, 5 and 6), I just need to do something like
> > > > > > %msg:F:3:5:6%?
> > > > %msg:F:3%%msg:F:5%%msg:F:6%
> > > >
> > > > Rainer
> > > > _______________________________________________
> > > > rsyslog mailing list
> > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > http://www.rsyslog.com/professional-services/
> > > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> > > > if you DON'T LIKE THAT.

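An added example, not part of the thread and not rsyslog code: a Python check of whether a UDP payload has an RFC 3164 or RFC 5424 header shape, with a format-specific parser for `<PRI>` plus tab-separated fields as a fallback. Only the `<190>2012-10-31<TAB>13:56:13` prefix comes from the trace above; the remaining sample fields, the function names, and counting fields over the payload after `<PRI>` are assumptions of this example.

```python
import re

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
PRI = re.compile(r"^<(\d{1,3})>")
# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP ...
RFC5424 = re.compile(r"^<\d{1,3}>[1-9]\d? (?:-|\d{4}-\d{2}-\d{2}T\S+) \S+ ")
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss SP HOSTNAME SP ...
RFC3164 = re.compile(r"^<\d{1,3}>(?:%s) [ \d]\d \d{2}:\d{2}:\d{2} \S+ " % MONTHS)

# Constructed samples. The first mimics the thread's tab-separated input.
THREAD_LIKE = "<190>2012-10-31\t13:56:13\thost-a\tINFO\tapp-x\tconstructed text"
RFC3164_SAMPLE = "<34>Oct 11 22:14:15 mymachine su: constructed message"
RFC5424_SAMPLE = "<165>1 2003-10-11T22:14:15.003Z host.example.com app - ID47 - msg"


def classify(raw: str) -> str:
    """Return the standard header shape of a datagram payload, if it has one."""
    if RFC5424.match(raw):
        return "rfc5424"
    if RFC3164.match(raw):
        return "rfc3164"
    return "nonstandard"


def parse_tab_record(raw: str) -> dict:
    """Format-specific parser: <PRI> followed by tab-separated fields."""
    m = PRI.match(raw)
    if not m or int(m.group(1)) > 191:  # 191 = facility 23, severity 7
        raise ValueError("missing or out-of-range PRI")
    pri = int(m.group(1))
    fields = raw[m.end():].rstrip("\r\n").split("\t")
    return {"facility": pri >> 3, "severity": pri & 7, "fields": fields}


def field(record: dict, n: int) -> str:
    """1-based field lookup, numbered like the thread's %msg:F:3%; '' if absent."""
    f = record["fields"]
    return f[n - 1] if 1 <= n <= len(f) else ""


if __name__ == "__main__":
    for sample in (THREAD_LIKE, RFC3164_SAMPLE, RFC5424_SAMPLE):
        print(classify(sample), repr(sample))
    rec = parse_tab_record(THREAD_LIKE)
    # Fields 3, 5 and 6 concatenated, as in %msg:F:3%%msg:F:5%%msg:F:6%
    print(field(rec, 3) + field(rec, 5) + field(rec, 6))
```

Classifying payloads before they reach field extraction keeps a mis-split timestamp, like the one in the trace, from being stored as if it were a hostname or tag.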