For "sshd" syslogtag, here is what the debug log lines look like:
inputname: imudp rawmsg: '<87>Mar 04 18:39:18 10.0.188.226 sshd[24647]: pam_unix(sshd:account): expired password for user joe (password aged)'
msg: ' sshd[24647]: pam_unix(sshd:session): session opened for user joe by (uid=0)'
escaped msg: ' sshd[24647]: pam_unix(sshd:session): session opened for user joe by (uid=0)'

inputname: imudp rawmsg: '<86>Mar 04 18:39:18 10.0.188.226 sshd[24647]: pam_unix(sshd:session): session opened for user joe by (uid=0)'
msg: ' sshd[24647]: pam_unix(sshd:session): session closed for user joe'
escaped msg: ' sshd[24647]: pam_unix(sshd:session): session closed for user joe'

inputname: imudp rawmsg: '<86>Mar 04 18:39:18 10.0.188.226 sshd[24647]: pam_unix(sshd:session): session closed for user joe'
msg: ' sshd[24651]: pam_unix(sshd:account): expired password for user joe (password aged)'
escaped msg: ' sshd[24651]: pam_unix(sshd:account): expired password for user joe (password aged)'

inputname: imudp rawmsg: '<87>Mar 04 18:39:23 10.0.188.226 sshd[24651]: pam_unix(sshd:account): expired password for user joe (password aged)'
msg: ' sshd[24651]: pam_unix(sshd:session): session opened for user joe by (uid=0)'
escaped msg: ' sshd[24651]: pam_unix(sshd:session): session opened for user joe by (uid=0)'

inputname: imudp rawmsg: '<86>Mar 04 18:39:23 10.0.188.226 sshd[24651]: pam_unix(sshd:session): session opened for user joe by (uid=0)'
msg: ' sshd[24651]: pam_unix(sshd:session): session closed for user joe'
escaped msg: ' sshd[24651]: pam_unix(sshd:session): session closed for user joe'

Logging with RSyslog_FileFormat:

2014-03-04T19:03:50+00:00 10.0.188.226 sshd[7099]: pam_unix(sshd:account): expired password for user joe (password aged)
2014-03-04T19:03:50+00:00 10.0.188.226 sshd[7099]: pam_unix(sshd:session): session opened for user joe by (uid=0)
2014-03-04T19:03:50+00:00 10.0.188.226 sshd[7099]: pam_unix(sshd:session): session closed for user joe

Looking at the tcpdump of packets coming from the Windows RSyslog agent, it actually looks like it is the Windows agent inserting an extra space between hostname and syslogtag:

$ sudo tcpdump -i eth0 -nnn -c 50000 -A udp port 514 | grep sshd
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
."......}.g<86>Mar 04 19:06:02 10.1.42.22 sshd[26968]: pam_unix(sshd:session): session opened for user joe by (uid=0)
."......r..<86>Mar 04 19:06:02 10.1.42.22 sshd[26968]: pam_unix(sshd:session): session closed for user joe

On Tue, Mar 4, 2014 at 9:08 AM, Rainer Gerhards <[email protected]> wrote:
> If I remember correctly, underscore is not a valid character in a syslog
> tag, so the parser terminates the tag here. The debug format will show.
>
> Sent from phone, thus brief.
> On 04.03.2014 14:07, "Radu Gheorghe" <[email protected]> wrote:
>
>> Hi Xuri,
>>
>> Maybe others know better, but can you try RSYSLOG_DebugFormat, to see
>> which text lands in which variable? Then you might want to make up a
>> custom template as a workaround, for example to omit forwarding that
>> extra space.
>>
>> On Tue, Mar 4, 2014 at 3:43 AM, Xuri Nagarin <[email protected]> wrote:
>> > Running RSyslog 7.6.0-1 on RHEL 6.2 x64.
>> >
>> > I have an RSyslog Windows agent forwarding logs to this RHEL based
>> > Rsyslog service.
>> >
>> > I checked the incoming events using tcpdump from the Windows server to
>> > the Linux server and verified that incoming messages are good. But
>> > when the Linux server forwards the messages again to another RSyslog
>> > server using omfwd/tcp, it inserts an extra space between source/host
>> > and the syslogtag.
>> >
>> > It also eats up an underscore char from FileMonitor generated syslog
>> > tags. For example, tag_audit_log ends up being "tag audit_log".
>> >
>> > I have seen this issue with 7.4 as well.
>> >
>> > I have tried using a custom template and using the default
>> > RSyslog_ForwardFormat template; it seems to make no difference, the
>> > extra space appears.
>> >
>> > Any suggestions?
>> >
>> > Thanks,
>> >
>> > - Xuri
>> > _______________________________________________
>> > rsyslog mailing list
>> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>> > http://www.rsyslog.com/professional-services/
>> > What's up with rsyslog? Follow https://twitter.com/rgerhards
>> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> > DON'T LIKE THAT.
>>
>> --
>> Performance Monitoring * Log Analytics * Search Analytics
>> Solr & Elasticsearch Support * http://sematext.com/
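To make the diagnosis in this thread concrete, here is an added Python demonstration (not rsyslog's code, not from any poster): a toy BSD-syslog header splitter that reads the tag from the single character position after the hostname, renders the hostname/tag/msg part of the RSYSLOG_ForwardFormat template (its sp-if-no-1st-sp rule), and applies the kind of normalisation a custom template would aim for. It assumes, following Rainer's hedged remark, that '_' ends the tag; the sample lines are constructed, modelled on the debug output above.

```python
import re

# Constructed samples modelled on the thread's debug output (not captured traffic).
# DOUBLE_SPACE carries the doubled space the Windows agent was seen to insert.
DOUBLE_SPACE = ("<86>Mar 04 18:39:18 10.0.188.226  sshd[24647]: "
                "pam_unix(sshd:session): session opened for user joe by (uid=0)")
UNDERSCORE_TAG = "<13>Mar 04 18:39:18 10.0.188.226 tag_audit_log: file changed"

HEADER = re.compile(r"<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)", re.S)
# Assumed tag alphabet: '_' is treated as ending the tag, as the thread suggests
# (an assumption for this demo, not a statement about rsyslog's real parser).
TAG = re.compile(r"[A-Za-z0-9.-]*(?:\[\d+\])?")

def split_tag(rest):
    """Return (syslogtag, msg) for the text right after 'hostname '.
    A trailing ':' belongs to the tag; '_' is consumed as a separator;
    anything else, including a leading space, stays in msg."""
    tag = TAG.match(rest).group(0)
    rest = rest[len(tag):]
    if rest.startswith(":"):
        return tag + ":", rest[1:]
    if rest.startswith("_"):
        return tag, rest[1:]
    return tag, rest

def parse(raw):
    """Split a BSD-style syslog line into its fields (demo parser, not rsyslog's)."""
    m = HEADER.fullmatch(raw)
    if not m:
        raise ValueError("not a BSD syslog line")
    pri, ts, host, rest = m.groups()
    tag, msg = split_tag(rest)
    return {"pri": pri, "timestamp": ts, "hostname": host, "syslogtag": tag, "msg": msg}

def forward_format(f):
    """Render like the '%HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%'
    part of RSYSLOG_ForwardFormat (timestamp kept as parsed, not converted to RFC 3339).
    An empty tag plus a msg that already starts with a space yields two spaces."""
    sp = "" if f["msg"].startswith(" ") else " "
    return f"<{f['pri']}>{f['timestamp']} {f['hostname']} {f['syslogtag'][:32]}{sp}{f['msg']}"

def repair(f):
    """Workaround: when the tag came out empty and msg starts with a space,
    re-split the tag from the trimmed msg so the forwarded line has one space."""
    if f["syslogtag"] == "" and f["msg"].startswith(" "):
        tag, msg = split_tag(f["msg"].lstrip(" "))
        return {**f, "syslogtag": tag, "msg": msg}
    return f
```

Running parse() on DOUBLE_SPACE reproduces the debug output above (empty tag, msg beginning with ' sshd[24647]:'), and UNDERSCORE_TAG renders as "tag audit_log", matching the second symptom Xuri reports.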

