Proper stack trace handling is very interesting ! "Note that the code has never been used in practice by us, so there may be some risk associated"
Did someone use it in production since it was released ? Philippe Muller On Thu, Nov 1, 2012 at 6:48 PM, <[email protected]> wrote: > On Thu, 1 Nov 2012, Rainer Gerhards wrote: > > I am using the Apache SyslogAppender to send the log lines via UDP to >>> the local rsyslog server. >>> >> >> That appender is seriously broken, there have been lots of discussion on >> this topic --> see mailing list archive. >> > > see http://www.rsyslog.com/tag/**log4j/<http://www.rsyslog.com/tag/log4j/>for > a replacement that talks TCP, but works much better. > > David Lang > > > > >>> log4j.appender.SYSLOG=org.**apache.log4j.net.**SyslogAppender >>> log4j.appender.SYSLOG.**syslogHost=localhost >>> log4j.appender.SYSLOG.**facility=LOCAL7 >>> ... >>> >>> So what's not standard in that message? I just need to know what's >>> wrong so I can fix my configuration. >>> >> >> Please see: >> http://www.rsyslog.com/doc/**syslog_parsing.html<http://www.rsyslog.com/doc/syslog_parsing.html> >> >> Rainer >> >>> >>> The log line is just plain text with fields separated by tabs. >>> >>> /Flavio >>> >>> From: [email protected] >>>> Date: Thu, 1 Nov 2012 09:31:36 +0100 >>>> To: [email protected] >>>> Subject: Re: [rsyslog] Parsing msg >>>> >>>> I guess he meant "rsyslog only have parsers for standard syslog >>>> >>> message >>> >>>> formats" :-) >>>> >>>> >>>> Philippe Muller >>>> >>>> >>>> On Thu, Nov 1, 2012 at 9:19 AM, Flavio Oliveira <[email protected]> >>>> >>> wrote: >>> >>>> >>>> >>>>> Hi, >>>>> >>>>> I used a text file with fields separed for tabs and sent the lines >>>>> >>>> to >>> >>>> rsyslog via UDP. >>>>> >>>>> What did you mean for "it is not a valid syslog format"? >>>>> >>>>> //Flavio >>>>> >>>>> From: [email protected] >>>>>> To: [email protected] >>>>>> Date: Wed, 31 Oct 2012 16:38:14 +0000 >>>>>> Subject: Re: [rsyslog] Parsing msg >>>>>> >>>>>> >>>>>> >>>>>> -----Original Message----- >>>>>>> From: >>>>>>> [email protected].**com<[email protected]>[mailto: >>>>>>> rsyslog- >>>>>>> [email protected]] On Behalf Of Flavio Oliveira >>>>>>> Sent: Wednesday, October 31, 2012 2:44 PM >>>>>>> To: [email protected] >>>>>>> Subject: Re: [rsyslog] Parsing msg >>>>>>> >>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> The position based parser worked. However only if I use a >>>>>>> >>>>>> imfile module >>> >>>> .. if I use a imudp ... something odd happens with the msg when >>>>>>> >>>>>> I try >>> >>>> to send ... >>>>>>> See trace below ... we can see the time "13:56:13" in the >>>>>>> >>>>>> received msg >>> >>>> and everything goes okay with it until send the message ... >>>>>>> >>>>>>> 8173.946100404:7f7ca971e700: imudp: epoll_wait() returned with >>>>>>> >>>>>> 1 fds >>> >>>> 8173.946115431:7f7ca971e700: recv(3,193),acl:1,msg:<190>**2012- >>>>>>> >>>>>> 10-31 >>> >>>> 13:56:13 ... >>>>>>> >>>>>> >>>>>> In any case, this is no valid syslog format, so you need to write >>>>>> >>>>> a >>> >>>> parser for that specific format. >>>>> >>>>>> >>>>>> Rainer >>>>>> >>>>>>> ... >>>>>>> 8173.946129291:7f7ca971e700: main Q: entry added, size now log >>>>>>> >>>>>> 1, phys >>> >>>> 1 entries >>>>>>> 8173.946136184:7f7ca971e700: main Q: EnqueueMsg advised worker >>>>>>> >>>>>> start >>> >>>> 8173.946144005:7f7ca871c700: wti 0x1898b30: worker awoke from >>>>>>> >>>>>> idle >>> >>>> processing >>>>>>> 8173.946149585:7f7ca871c700: we deleted 0 objects and enqueued >>>>>>> >>>>>> 0 >>> >>>> objects >>>>>>> 8173.946152426:7f7ca871c700: delete batch from store, new >>>>>>> >>>>>> sizes: log 1, >>> >>>> phys 1 >>>>>>> 8173.946157217:7f7ca871c700: msg parser: flags 70, from >>>>>>> '~NOTRESOLVED~', msg '<190>2012-10-31 13:56:13 >>>>>>> ... >>>>>>> >>>>>>> 8173.946313962:7f7ca871c700: relp session read 16 octets, buf >>>>>>> >>>>>> '30 rsp 6 >>> >>>> 200 OK' >>>>>>> 8173.946318863:7f7ca871c700: relp engine is dispatching frame >>>>>>> >>>>>> with >>> >>>> command 'rsp' >>>>>>> 8173.946322371:7f7ca871c700: in rsp command handler, txnr 30, >>>>>>> >>>>>> code 200, >>> >>>> text 'OK' >>>>>>> 8173.946325437:7f7ca871c700: DEL sess 0x7f7c98000b60 unacked 0, >>>>>>> sessState 4 >>>>>>> 8173.946328020:7f7ca871c700: in destructor: sendbuf >>>>>>> >>>>>> 0x7f7c98000f40 >>> >>>> 8173.946330805:7f7ca871c700: relpSessWaitState returns 0 >>>>>>> 8173.946333164:7f7ca871c700: send command relp sess state 4 >>>>>>> 8173.946335257:7f7ca871c700: sendcommand ready to send, relp >>>>>>> >>>>>> sess state >>> >>>> 4 >>>>>>> 8173.946339361:7f7ca871c700: frame to send: '31 syslog 236 >>>>>>> >>>>>> <190>2012- >>> >>>> 10-31T13:56:13.946118+01:00 nvezes-ds1 2012-10-31 13: 56:13 >>>>>>> >>>>>> ... >>> >>>> ... >>>>>>> >>>>>>> >>>>>>> the msg format is broken .. see the the time now (13: 56:13) >>>>>>> >>>>>> ... >>> >>>> >>>>>>> I noticed that it happens when I use the imudp module ... it >>>>>>> >>>>>> doesn't >>> >>>> happen with the imfile module. >>>>>>> >>>>>>> Do you have any idea what caused this behaviour? >>>>>>> >>>>>>> Very basic conf file used to test: >>>>>>> >>>>>>> $ModLoad omrelp.so >>>>>>> $ModLoad imudp.so >>>>>>> $ModLoad imuxsock.so >>>>>>> >>>>>>> *.* :omrelp:xx.xx.xx.xx:514 >>>>>>> >>>>>>> $UDPServerRun 514 >>>>>>> >>>>>>> $**EscapeControlCharactersOnRecei**ve off >>>>>>> >>>>>>> //Flavio >>>>>>> >>>>>>> From: [email protected] >>>>>>>> To: [email protected] >>>>>>>> Date: Tue, 30 Oct 2012 16:39:46 +0000 >>>>>>>> Subject: Re: [rsyslog] Parsing msg >>>>>>>> >>>>>>>> Oops,hit return too quickly... >>>>>>>> >>>>>>>>> If I need more than one >>>>>>>>>> field (Positions 3, 5 and 6), I just need to do something >>>>>>>>>> >>>>>>>>> like >>> >>>> %msg:F:3:5:6%? >>>>>>>>>> >>>>>>>>> %msg:F:3%%msg:F:5%%msg:F:6% >>>>>>>> >>>>>>>> Rainer >>>>>>>> ______________________________**_________________ >>>>>>>> rsyslog mailing list >>>>>>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> >>>>>>>> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/> >>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED >>>>>>>> >>>>>>> by a >>> >>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO >>>>>>> >>>>>> NOT POST >>> >>>> if you DON'T LIKE THAT. >>>>>>> >>>>>>> ______________________________**_________________ >>>>>>> rsyslog mailing list >>>>>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> >>>>>>> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/> >>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by >>>>>>> >>>>>> a >>> >>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO >>>>>>> >>>>>> NOT POST >>> >>>> if you DON'T LIKE THAT. >>>>>>> >>>>>> ______________________________**_________________ >>>>>> rsyslog mailing list >>>>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> >>>>>> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/> >>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a >>>>>> >>>>> myriad >>> >>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if >>>>> >>>> you >>> >>>> DON'T LIKE THAT. >>>>> >>>>> ______________________________**_________________ >>>>> rsyslog mailing list >>>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> >>>>> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/> >>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a >>>>> >>>> myriad >>> >>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if >>>>> >>>> you >>> >>>> DON'T LIKE THAT. >>>>> >>>>> ______________________________**_________________ >>>> rsyslog mailing list >>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> >>>> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/> >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a >>>> >>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST >>> if you DON'T LIKE THAT. >>> >>> ______________________________**_________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> >>> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a >>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST >>> if you DON'T LIKE THAT. >>> >> ______________________________**_________________ >> rsyslog mailing list >> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> >> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/> >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >> DON'T LIKE THAT. >> >> ______________________________**_________________ > rsyslog mailing list > http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> > http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/> > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
