> I am using the Apache SyslogAppender to send the log lines via UDP to > the local rsyslog server.
That appender is seriously broken, there have been lots of discussion on this topic --> see mailing list archive. > > log4j.appender.SYSLOG=org.apache.log4j.net.SyslogAppender > log4j.appender.SYSLOG.syslogHost=localhost > log4j.appender.SYSLOG.facility=LOCAL7 > ... > > So what's not standard in that message? I just need to know what's > wrong so I can fix my configuration. Please see: http://www.rsyslog.com/doc/syslog_parsing.html Rainer > > The log line is just plain text with fields separated by tabs. > > /Flavio > > > From: [email protected] > > Date: Thu, 1 Nov 2012 09:31:36 +0100 > > To: [email protected] > > Subject: Re: [rsyslog] Parsing msg > > > > I guess he meant "rsyslog only have parsers for standard syslog > message > > formats" :-) > > > > > > Philippe Muller > > > > > > On Thu, Nov 1, 2012 at 9:19 AM, Flavio Oliveira <[email protected]> > wrote: > > > > > > > > Hi, > > > > > > I used a text file with fields separed for tabs and sent the lines > to > > > rsyslog via UDP. > > > > > > What did you mean for "it is not a valid syslog format"? > > > > > > //Flavio > > > > > > > From: [email protected] > > > > To: [email protected] > > > > Date: Wed, 31 Oct 2012 16:38:14 +0000 > > > > Subject: Re: [rsyslog] Parsing msg > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: [email protected] [mailto:rsyslog- > > > > > [email protected]] On Behalf Of Flavio Oliveira > > > > > Sent: Wednesday, October 31, 2012 2:44 PM > > > > > To: [email protected] > > > > > Subject: Re: [rsyslog] Parsing msg > > > > > > > > > > > > > > > Hi, > > > > > > > > > > The position based parser worked. However only if I use a > imfile module > > > > > .. if I use a imudp ... something odd happens with the msg when > I try > > > > > to send ... > > > > > See trace below ... we can see the time "13:56:13" in the > received msg > > > > > and everything goes okay with it until send the message ... > > > > > > > > > > 8173.946100404:7f7ca971e700: imudp: epoll_wait() returned with > 1 fds > > > > > 8173.946115431:7f7ca971e700: recv(3,193),acl:1,msg:<190>2012- > 10-31 > > > > > 13:56:13 ... > > > > > > > > In any case, this is no valid syslog format, so you need to write > a > > > parser for that specific format. > > > > > > > > Rainer > > > > > ... > > > > > 8173.946129291:7f7ca971e700: main Q: entry added, size now log > 1, phys > > > > > 1 entries > > > > > 8173.946136184:7f7ca971e700: main Q: EnqueueMsg advised worker > start > > > > > 8173.946144005:7f7ca871c700: wti 0x1898b30: worker awoke from > idle > > > > > processing > > > > > 8173.946149585:7f7ca871c700: we deleted 0 objects and enqueued > 0 > > > > > objects > > > > > 8173.946152426:7f7ca871c700: delete batch from store, new > sizes: log 1, > > > > > phys 1 > > > > > 8173.946157217:7f7ca871c700: msg parser: flags 70, from > > > > > '~NOTRESOLVED~', msg '<190>2012-10-31 13:56:13 > > > > > ... > > > > > > > > > > 8173.946313962:7f7ca871c700: relp session read 16 octets, buf > '30 rsp 6 > > > > > 200 OK' > > > > > 8173.946318863:7f7ca871c700: relp engine is dispatching frame > with > > > > > command 'rsp' > > > > > 8173.946322371:7f7ca871c700: in rsp command handler, txnr 30, > code 200, > > > > > text 'OK' > > > > > 8173.946325437:7f7ca871c700: DEL sess 0x7f7c98000b60 unacked 0, > > > > > sessState 4 > > > > > 8173.946328020:7f7ca871c700: in destructor: sendbuf > 0x7f7c98000f40 > > > > > 8173.946330805:7f7ca871c700: relpSessWaitState returns 0 > > > > > 8173.946333164:7f7ca871c700: send command relp sess state 4 > > > > > 8173.946335257:7f7ca871c700: sendcommand ready to send, relp > sess state > > > > > 4 > > > > > 8173.946339361:7f7ca871c700: frame to send: '31 syslog 236 > <190>2012- > > > > > 10-31T13:56:13.946118+01:00 nvezes-ds1 2012-10-31 13: 56:13 > ... > > > > > ... > > > > > > > > > > > > > > > the msg format is broken .. see the the time now (13: 56:13) > ... > > > > > > > > > > I noticed that it happens when I use the imudp module ... it > doesn't > > > > > happen with the imfile module. > > > > > > > > > > Do you have any idea what caused this behaviour? > > > > > > > > > > Very basic conf file used to test: > > > > > > > > > > $ModLoad omrelp.so > > > > > $ModLoad imudp.so > > > > > $ModLoad imuxsock.so > > > > > > > > > > *.* :omrelp:xx.xx.xx.xx:514 > > > > > > > > > > $UDPServerRun 514 > > > > > > > > > > $EscapeControlCharactersOnReceive off > > > > > > > > > > //Flavio > > > > > > > > > > > From: [email protected] > > > > > > To: [email protected] > > > > > > Date: Tue, 30 Oct 2012 16:39:46 +0000 > > > > > > Subject: Re: [rsyslog] Parsing msg > > > > > > > > > > > > Oops,hit return too quickly... > > > > > > > >If I need more than one > > > > > > > > field (Positions 3, 5 and 6), I just need to do something > like > > > > > > > > %msg:F:3:5:6%? > > > > > > %msg:F:3%%msg:F:5%%msg:F:6% > > > > > > > > > > > > Rainer > > > > > > _______________________________________________ > > > > > > rsyslog mailing list > > > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > > > > http://www.rsyslog.com/professional-services/ > > > > > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > > > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED > by a > > > > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO > NOT POST > > > > > if you DON'T LIKE THAT. > > > > > > > > > > _______________________________________________ > > > > > rsyslog mailing list > > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > > > http://www.rsyslog.com/professional-services/ > > > > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by > a > > > > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO > NOT POST > > > > > if you DON'T LIKE THAT. > > > > _______________________________________________ > > > > rsyslog mailing list > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > > http://www.rsyslog.com/professional-services/ > > > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad > > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if > you > > > DON'T LIKE THAT. > > > > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com/professional-services/ > > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad > > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if > you > > > DON'T LIKE THAT. > > > > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST > if you DON'T LIKE THAT. > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST > if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
