> -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of [email protected] > Sent: Friday, November 02, 2012 12:59 AM > To: rsyslog-users > Subject: Re: [rsyslog] Parsing msg > > On Thu, 1 Nov 2012, Philippe Muller wrote: > > > Proper stack trace handling is very interesting ! > > > > "Note that the code has never been used in practice by us, so there > may be > > some risk associated" > > > > Did someone use it in production since it was released ? > > I've seen several comments about people using it on the list since it > was > released (which was quite a while ago)
I think I have recently seen someone telling about problems, even with a fix. But I can't dig out where. Will try to find it today... Rainer > > David Lang > > > Philippe Muller > > > > > > On Thu, Nov 1, 2012 at 6:48 PM, <[email protected]> wrote: > > > >> On Thu, 1 Nov 2012, Rainer Gerhards wrote: > >> > >> I am using the Apache SyslogAppender to send the log lines via UDP > to > >>>> the local rsyslog server. > >>>> > >>> > >>> That appender is seriously broken, there have been lots of > discussion on > >>> this topic --> see mailing list archive. > >>> > >> > >> see > http://www.rsyslog.com/tag/**log4j/<http://www.rsyslog.com/tag/log4j/>f > or a replacement that talks TCP, but works much better. > >> > >> David Lang > >> > >> > >> > >> > >>>> log4j.appender.SYSLOG=org.**apache.log4j.net.**SyslogAppender > >>>> log4j.appender.SYSLOG.**syslogHost=localhost > >>>> log4j.appender.SYSLOG.**facility=LOCAL7 > >>>> ... > >>>> > >>>> So what's not standard in that message? I just need to know what's > >>>> wrong so I can fix my configuration. > >>>> > >>> > >>> Please see: > http://www.rsyslog.com/doc/**syslog_parsing.html<http://www.rsyslog.com > /doc/syslog_parsing.html> > >>> > >>> Rainer > >>> > >>>> > >>>> The log line is just plain text with fields separated by tabs. > >>>> > >>>> /Flavio > >>>> > >>>> From: [email protected] > >>>>> Date: Thu, 1 Nov 2012 09:31:36 +0100 > >>>>> To: [email protected] > >>>>> Subject: Re: [rsyslog] Parsing msg > >>>>> > >>>>> I guess he meant "rsyslog only have parsers for standard syslog > >>>>> > >>>> message > >>>> > >>>>> formats" :-) > >>>>> > >>>>> > >>>>> Philippe Muller > >>>>> > >>>>> > >>>>> On Thu, Nov 1, 2012 at 9:19 AM, Flavio Oliveira <[email protected]> > >>>>> > >>>> wrote: > >>>> > >>>>> > >>>>> > >>>>>> Hi, > >>>>>> > >>>>>> I used a text file with fields separed for tabs and sent the > lines > >>>>>> > >>>>> to > >>>> > >>>>> rsyslog via UDP. > >>>>>> > >>>>>> What did you mean for "it is not a valid syslog format"? > >>>>>> > >>>>>> //Flavio > >>>>>> > >>>>>> From: [email protected] > >>>>>>> To: [email protected] > >>>>>>> Date: Wed, 31 Oct 2012 16:38:14 +0000 > >>>>>>> Subject: Re: [rsyslog] Parsing msg > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> -----Original Message----- > >>>>>>>> From: [email protected].**com<rsyslog- > [email protected]>[mailto: > >>>>>>>> rsyslog- > >>>>>>>> [email protected]] On Behalf Of Flavio Oliveira > >>>>>>>> Sent: Wednesday, October 31, 2012 2:44 PM > >>>>>>>> To: [email protected] > >>>>>>>> Subject: Re: [rsyslog] Parsing msg > >>>>>>>> > >>>>>>>> > >>>>>>>> Hi, > >>>>>>>> > >>>>>>>> The position based parser worked. However only if I use a > >>>>>>>> > >>>>>>> imfile module > >>>> > >>>>> .. if I use a imudp ... something odd happens with the msg when > >>>>>>>> > >>>>>>> I try > >>>> > >>>>> to send ... > >>>>>>>> See trace below ... we can see the time "13:56:13" in the > >>>>>>>> > >>>>>>> received msg > >>>> > >>>>> and everything goes okay with it until send the message ... > >>>>>>>> > >>>>>>>> 8173.946100404:7f7ca971e700: imudp: epoll_wait() returned with > >>>>>>>> > >>>>>>> 1 fds > >>>> > >>>>> 8173.946115431:7f7ca971e700: recv(3,193),acl:1,msg:<190>**2012- > >>>>>>>> > >>>>>>> 10-31 > >>>> > >>>>> 13:56:13 ... > >>>>>>>> > >>>>>>> > >>>>>>> In any case, this is no valid syslog format, so you need to > write > >>>>>>> > >>>>>> a > >>>> > >>>>> parser for that specific format. > >>>>>> > >>>>>>> > >>>>>>> Rainer > >>>>>>> > >>>>>>>> ... > >>>>>>>> 8173.946129291:7f7ca971e700: main Q: entry added, size now log > >>>>>>>> > >>>>>>> 1, phys > >>>> > >>>>> 1 entries > >>>>>>>> 8173.946136184:7f7ca971e700: main Q: EnqueueMsg advised worker > >>>>>>>> > >>>>>>> start > >>>> > >>>>> 8173.946144005:7f7ca871c700: wti 0x1898b30: worker awoke from > >>>>>>>> > >>>>>>> idle > >>>> > >>>>> processing > >>>>>>>> 8173.946149585:7f7ca871c700: we deleted 0 objects and enqueued > >>>>>>>> > >>>>>>> 0 > >>>> > >>>>> objects > >>>>>>>> 8173.946152426:7f7ca871c700: delete batch from store, new > >>>>>>>> > >>>>>>> sizes: log 1, > >>>> > >>>>> phys 1 > >>>>>>>> 8173.946157217:7f7ca871c700: msg parser: flags 70, from > >>>>>>>> '~NOTRESOLVED~', msg '<190>2012-10-31 13:56:13 > >>>>>>>> ... > >>>>>>>> > >>>>>>>> 8173.946313962:7f7ca871c700: relp session read 16 octets, buf > >>>>>>>> > >>>>>>> '30 rsp 6 > >>>> > >>>>> 200 OK' > >>>>>>>> 8173.946318863:7f7ca871c700: relp engine is dispatching frame > >>>>>>>> > >>>>>>> with > >>>> > >>>>> command 'rsp' > >>>>>>>> 8173.946322371:7f7ca871c700: in rsp command handler, txnr 30, > >>>>>>>> > >>>>>>> code 200, > >>>> > >>>>> text 'OK' > >>>>>>>> 8173.946325437:7f7ca871c700: DEL sess 0x7f7c98000b60 unacked > 0, > >>>>>>>> sessState 4 > >>>>>>>> 8173.946328020:7f7ca871c700: in destructor: sendbuf > >>>>>>>> > >>>>>>> 0x7f7c98000f40 > >>>> > >>>>> 8173.946330805:7f7ca871c700: relpSessWaitState returns 0 > >>>>>>>> 8173.946333164:7f7ca871c700: send command relp sess state 4 > >>>>>>>> 8173.946335257:7f7ca871c700: sendcommand ready to send, relp > >>>>>>>> > >>>>>>> sess state > >>>> > >>>>> 4 > >>>>>>>> 8173.946339361:7f7ca871c700: frame to send: '31 syslog 236 > >>>>>>>> > >>>>>>> <190>2012- > >>>> > >>>>> 10-31T13:56:13.946118+01:00 nvezes-ds1 2012-10-31 13: 56:13 > >>>>>>>> > >>>>>>> ... > >>>> > >>>>> ... > >>>>>>>> > >>>>>>>> > >>>>>>>> the msg format is broken .. see the the time now (13: 56:13) > >>>>>>>> > >>>>>>> ... > >>>> > >>>>> > >>>>>>>> I noticed that it happens when I use the imudp module ... it > >>>>>>>> > >>>>>>> doesn't > >>>> > >>>>> happen with the imfile module. > >>>>>>>> > >>>>>>>> Do you have any idea what caused this behaviour? > >>>>>>>> > >>>>>>>> Very basic conf file used to test: > >>>>>>>> > >>>>>>>> $ModLoad omrelp.so > >>>>>>>> $ModLoad imudp.so > >>>>>>>> $ModLoad imuxsock.so > >>>>>>>> > >>>>>>>> *.* :omrelp:xx.xx.xx.xx:514 > >>>>>>>> > >>>>>>>> $UDPServerRun 514 > >>>>>>>> > >>>>>>>> $**EscapeControlCharactersOnRecei**ve off > >>>>>>>> > >>>>>>>> //Flavio > >>>>>>>> > >>>>>>>> From: [email protected] > >>>>>>>>> To: [email protected] > >>>>>>>>> Date: Tue, 30 Oct 2012 16:39:46 +0000 > >>>>>>>>> Subject: Re: [rsyslog] Parsing msg > >>>>>>>>> > >>>>>>>>> Oops,hit return too quickly... > >>>>>>>>> > >>>>>>>>>> If I need more than one > >>>>>>>>>>> field (Positions 3, 5 and 6), I just need to do something > >>>>>>>>>>> > >>>>>>>>>> like > >>>> > >>>>> %msg:F:3:5:6%? > >>>>>>>>>>> > >>>>>>>>>> %msg:F:3%%msg:F:5%%msg:F:6% > >>>>>>>>> > >>>>>>>>> Rainer > >>>>>>>>> ______________________________**_________________ > >>>>>>>>> rsyslog mailing list > >>>>>>>>> > http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adisco > n.net/mailman/listinfo/rsyslog> > >>>>>>>>> http://www.rsyslog.com/**professional- > services/<http://www.rsyslog.com/professional-services/> > >>>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED > >>>>>>>>> > >>>>>>>> by a > >>>> > >>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO > >>>>>>>> > >>>>>>> NOT POST > >>>> > >>>>> if you DON'T LIKE THAT. > >>>>>>>> > >>>>>>>> ______________________________**_________________ > >>>>>>>> rsyslog mailing list > >>>>>>>> > http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adisco > n.net/mailman/listinfo/rsyslog> > >>>>>>>> http://www.rsyslog.com/**professional- > services/<http://www.rsyslog.com/professional-services/> > >>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED > by > >>>>>>>> > >>>>>>> a > >>>> > >>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO > >>>>>>>> > >>>>>>> NOT POST > >>>> > >>>>> if you DON'T LIKE THAT. > >>>>>>>> > >>>>>>> ______________________________**_________________ > >>>>>>> rsyslog mailing list > >>>>>>> > http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adisco > n.net/mailman/listinfo/rsyslog> > >>>>>>> http://www.rsyslog.com/**professional- > services/<http://www.rsyslog.com/professional-services/> > >>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by > a > >>>>>>> > >>>>>> myriad > >>>> > >>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST > if > >>>>>> > >>>>> you > >>>> > >>>>> DON'T LIKE THAT. > >>>>>> > >>>>>> ______________________________**_________________ > >>>>>> rsyslog mailing list > >>>>>> > http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adisco > n.net/mailman/listinfo/rsyslog> > >>>>>> http://www.rsyslog.com/**professional- > services/<http://www.rsyslog.com/professional-services/> > >>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by > a > >>>>>> > >>>>> myriad > >>>> > >>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST > if > >>>>>> > >>>>> you > >>>> > >>>>> DON'T LIKE THAT. > >>>>>> > >>>>>> ______________________________**_________________ > >>>>> rsyslog mailing list > >>>>> > http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adisco > n.net/mailman/listinfo/rsyslog> > >>>>> http://www.rsyslog.com/**professional- > services/<http://www.rsyslog.com/professional-services/> > >>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > >>>>> > >>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT > POST > >>>> if you DON'T LIKE THAT. > >>>> > >>>> ______________________________**_________________ > >>>> rsyslog mailing list > >>>> > http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adisco > n.net/mailman/listinfo/rsyslog> > >>>> http://www.rsyslog.com/**professional- > services/<http://www.rsyslog.com/professional-services/> > >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > >>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT > POST > >>>> if you DON'T LIKE THAT. > >>>> > >>> ______________________________**_________________ > >>> rsyslog mailing list > >>> > http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adisco > n.net/mailman/listinfo/rsyslog> > >>> http://www.rsyslog.com/**professional- > services/<http://www.rsyslog.com/professional-services/> > >>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad > >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if > you > >>> DON'T LIKE THAT. > >>> > >>> ______________________________**_________________ > >> rsyslog mailing list > >> > http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adisco > n.net/mailman/listinfo/rsyslog> > >> http://www.rsyslog.com/**professional- > services/<http://www.rsyslog.com/professional-services/> > >> What's up with rsyslog? Follow https://twitter.com/rgerhards > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad > >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if > you > >> DON'T LIKE THAT. > >> > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST > if you DON'T LIKE THAT. > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST > if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
