> > > Proper stack trace handling is very interesting!
> > >
> > > "Note that the code has never been used in practice by us, so there may be
> > > some risk associated"
> > >
> > > Did someone use it in production since it was released?
> >
> > I've seen several comments about people using it on the list since it was
> > released (which was quite a while ago)
>
> I think I have recently seen someone telling about problems, even with
> a fix. But I can't dig out where. Will try to find it today...

Already got it: http://neopatel.blogspot.de/2012/10/log4j-tcp-syslogappender.html

Rainer

> Rainer
> >
> > David Lang
> >
> > > Philippe Muller
> > >
> > >
> > > On Thu, Nov 1, 2012 at 6:48 PM, <[email protected]> wrote:
> > >
> > >> On Thu, 1 Nov 2012, Rainer Gerhards wrote:
> > >>
> > >>>> I am using the Apache SyslogAppender to send the log lines via UDP to
> > >>>> the local rsyslog server.
> > >>>>
> > >>>
> > >>> That appender is seriously broken, there have been lots of discussion on
> > >>> this topic --> see mailing list archive.
> > >>>
> > >>
> > >> see http://www.rsyslog.com/tag/log4j/ for a replacement that talks TCP, but works much better.
> > >>
> > >> David Lang
> > >>
> > >>>> log4j.appender.SYSLOG=org.apache.log4j.net.SyslogAppender
> > >>>> log4j.appender.SYSLOG.syslogHost=localhost
> > >>>> log4j.appender.SYSLOG.facility=LOCAL7
> > >>>> ...
> > >>>>
> > >>>> So what's not standard in that message? I just need to know what's
> > >>>> wrong so I can fix my configuration.
> > >>>>
> > >>>
> > >>> Please see:
> > >>> http://www.rsyslog.com/doc/syslog_parsing.html
> > >>>
> > >>> Rainer
> > >>>
> > >>>>
> > >>>> The log line is just plain text with fields separated by tabs.
> > >>>>
> > >>>> /Flavio
> > >>>>
> > >>>>> From: [email protected]
> > >>>>> Date: Thu, 1 Nov 2012 09:31:36 +0100
> > >>>>> To: [email protected]
> > >>>>> Subject: Re: [rsyslog] Parsing msg
> > >>>>>
> > >>>>> I guess he meant "rsyslog only have parsers for standard syslog message
> > >>>>> formats" :-)
> > >>>>>
> > >>>>>
> > >>>>> Philippe Muller
> > >>>>>
> > >>>>>
> > >>>>> On Thu, Nov 1, 2012 at 9:19 AM, Flavio Oliveira <[email protected]> wrote:
> > >>>>>
> > >>>>>> Hi,
> > >>>>>>
> > >>>>>> I used a text file with fields separated by tabs and sent the lines to
> > >>>>>> rsyslog via UDP.
> > >>>>>>
> > >>>>>> What did you mean by "it is not a valid syslog format"?
> > >>>>>>
> > >>>>>> //Flavio
> > >>>>>>
> > >>>>>>> From: [email protected]
> > >>>>>>> To: [email protected]
> > >>>>>>> Date: Wed, 31 Oct 2012 16:38:14 +0000
> > >>>>>>> Subject: Re: [rsyslog] Parsing msg
> > >>>>>>>
> > >>>>>>>> -----Original Message-----
> > >>>>>>>> From: [email protected].com [mailto:rsyslog-[email protected]] On Behalf Of Flavio Oliveira
> > >>>>>>>> Sent: Wednesday, October 31, 2012 2:44 PM
> > >>>>>>>> To: [email protected]
> > >>>>>>>> Subject: Re: [rsyslog] Parsing msg
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> Hi,
> > >>>>>>>>
> > >>>>>>>> The position based parser worked. However only if I use a imfile module
> > >>>>>>>> .. if I use a imudp ... something odd happens with the msg when I try
> > >>>>>>>> to send ...
> > >>>>>>>> See trace below ... we can see the time "13:56:13" in the received msg
> > >>>>>>>> and everything goes okay with it until send the message ...
> > >>>>>>>>
> > >>>>>>>> 8173.946100404:7f7ca971e700: imudp: epoll_wait() returned with 1 fds
> > >>>>>>>> 8173.946115431:7f7ca971e700: recv(3,193),acl:1,msg:<190>2012-10-31 13:56:13 ...
> > >>>>>>>
> > >>>>>>> In any case, this is no valid syslog format, so you need to write a
> > >>>>>>> parser for that specific format.
> > >>>>>>>
> > >>>>>>> Rainer
> > >>>>>>>
> > >>>>>>>> ...
> > >>>>>>>> 8173.946129291:7f7ca971e700: main Q: entry added, size now log 1, phys 1 entries
> > >>>>>>>> 8173.946136184:7f7ca971e700: main Q: EnqueueMsg advised worker start
> > >>>>>>>> 8173.946144005:7f7ca871c700: wti 0x1898b30: worker awoke from idle processing
> > >>>>>>>> 8173.946149585:7f7ca871c700: we deleted 0 objects and enqueued 0 objects
> > >>>>>>>> 8173.946152426:7f7ca871c700: delete batch from store, new sizes: log 1, phys 1
> > >>>>>>>> 8173.946157217:7f7ca871c700: msg parser: flags 70, from '~NOTRESOLVED~', msg '<190>2012-10-31 13:56:13
> > >>>>>>>> ...
> > >>>>>>>>
> > >>>>>>>> 8173.946313962:7f7ca871c700: relp session read 16 octets, buf '30 rsp 6 200 OK'
> > >>>>>>>> 8173.946318863:7f7ca871c700: relp engine is dispatching frame with command 'rsp'
> > >>>>>>>> 8173.946322371:7f7ca871c700: in rsp command handler, txnr 30, code 200, text 'OK'
> > >>>>>>>> 8173.946325437:7f7ca871c700: DEL sess 0x7f7c98000b60 unacked 0, sessState 4
> > >>>>>>>> 8173.946328020:7f7ca871c700: in destructor: sendbuf 0x7f7c98000f40
> > >>>>>>>> 8173.946330805:7f7ca871c700: relpSessWaitState returns 0
> > >>>>>>>> 8173.946333164:7f7ca871c700: send command relp sess state 4
> > >>>>>>>> 8173.946335257:7f7ca871c700: sendcommand ready to send, relp sess state 4
> > >>>>>>>> 8173.946339361:7f7ca871c700: frame to send: '31 syslog 236 <190>2012-10-31T13:56:13.946118+01:00 nvezes-ds1 2012-10-31 13: 56:13 ...
> > >>>>>>>> ...
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> the msg format is broken .. see the time now (13: 56:13) ...
> > >>>>>>>>
> > >>>>>>>> I noticed that it happens when I use the imudp module ... it doesn't
> > >>>>>>>> happen with the imfile module.
> > >>>>>>>>
> > >>>>>>>> Do you have any idea what caused this behaviour?
> > >>>>>>>>
> > >>>>>>>> Very basic conf file used to test:
> > >>>>>>>>
> > >>>>>>>> $ModLoad omrelp.so
> > >>>>>>>> $ModLoad imudp.so
> > >>>>>>>> $ModLoad imuxsock.so
> > >>>>>>>>
> > >>>>>>>> *.* :omrelp:xx.xx.xx.xx:514
> > >>>>>>>>
> > >>>>>>>> $UDPServerRun 514
> > >>>>>>>>
> > >>>>>>>> $EscapeControlCharactersOnReceive off
> > >>>>>>>>
> > >>>>>>>> //Flavio
> > >>>>>>>>
> > >>>>>>>>> From: [email protected]
> > >>>>>>>>> To: [email protected]
> > >>>>>>>>> Date: Tue, 30 Oct 2012 16:39:46 +0000
> > >>>>>>>>> Subject: Re: [rsyslog] Parsing msg
> > >>>>>>>>>
> > >>>>>>>>> Oops, hit return too quickly...
> > >>>>>>>>>
> > >>>>>>>>>>> If I need more than one
> > >>>>>>>>>>> field (Positions 3, 5 and 6), I just need to do something like
> > >>>>>>>>>>> %msg:F:3:5:6%?
> > >>>>>>>>>
> > >>>>>>>>> %msg:F:3%%msg:F:5%%msg:F:6%
> > >>>>>>>>>
> > >>>>>>>>> Rainer
> > >>>>>>>>> _______________________________________________
> > >>>>>>>>> rsyslog mailing list
> > >>>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> > >>>>>>>>> http://www.rsyslog.com/professional-services/
> > >>>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >>>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > >>>>>>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> > >>>>>>>>> if you DON'T LIKE THAT.
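
As an added illustration (not part of the thread, and not rsyslog's own parser): a simplified check for the RFC 3164 header shape that the datagram in the trace lacks, a helper that puts the same tab-separated payload behind a valid header, and the field selection written in the thread as `%msg:F:3%%msg:F:5%%msg:F:6%`. The tag `myapp` and the payload fields are constructed for the example; `nvezes-ds1` is the host name that appears in the trace.

```python
import re
from datetime import datetime

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Simplified RFC 3164 shape: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164 = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<ts>(?:" + "|".join(MONTHS) + r") [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>[^\s:]+) "
    r"(?P<tag>[^\s:\[]+(?:\[\d+\])?): ?"
    r"(?P<msg>.*)",
    re.S,
)

def parse_rfc3164(datagram):
    """Return the header fields, or None if the datagram lacks an RFC 3164 header."""
    m = RFC3164.fullmatch(datagram)
    if m is None or int(m.group("pri")) > 191:
        return None
    fields = m.groupdict()
    fields["facility"], fields["severity"] = divmod(int(fields["pri"]), 8)
    return fields

def wrap_rfc3164(payload, host, tag, when, facility=23, severity=6):
    """Prefix an arbitrary text line with a valid header (defaults: local7.info = 190)."""
    # RFC 3164 pads a single-digit day with a space, not a zero.
    ts = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{ts} {host} {tag}: {payload}"

def extract_fields(msg, *positions, delimiter="\t"):
    """1-based, TAB-delimited extraction, mirroring %msg:F:3%%msg:F:5%%msg:F:6%."""
    parts = msg.split(delimiter)
    # Out-of-range positions yield "" here; that is this example's choice.
    return [parts[p - 1] if 0 < p <= len(parts) else "" for p in positions]

# Constructed sample: the thread's PRI and date followed by made-up TAB-separated fields.
RAW = "<190>2012-10-31 13:56:13\tsvc\tlogin\tok\talice\t10.0.0.5"

if __name__ == "__main__":
    print(parse_rfc3164(RAW))  # header check fails: no "Mmm dd hh:mm:ss" timestamp
    framed = wrap_rfc3164(RAW[5:], "nvezes-ds1", "myapp", datetime(2012, 10, 31, 13, 56, 13))
    parsed = parse_rfc3164(framed)
    print(parsed["host"], parsed["tag"], extract_fields(parsed["msg"], 3, 5, 6))
```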

