Thanks Rainer,

using this filter:

:fromhost, contains, "ldblzr" {
action (type="omfile"
template="RSYSLOG_DebugFormat" name="load"
File="/var/log/swtichlog"
)
stop
}


I get the following output:


Debug line with all properties:
FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
'switch1.ldblzr', PRI: 189,
syslogtag ':', programname: '', APP-NAME: '', PROCID: '-', MSGID: '-',
TIMESTAMP: 'May 2 12:08:16', STRUCTURED-DATA: '-',
msg: ' 2014 May 2 12:08:16 EDT: %ETHPORT-5-IF_UP: Interface
Ethernet124/1/16 is up in mode access'
escaped msg: ' 2014 May 2 12:08:16 EDT: %ETHPORT-5-IF_UP: Interface
Ethernet124/1/16 is up in mode access'
inputname: imudp rawmsg: '<189>: 2014 May 2 12:08:16 EDT:
%ETHPORT-5-IF_UP: Interface Ethernet124/1/16 is up in mode access'
$!:
$.:
$/:

Debug line with all properties:
FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
'switch1.ldblzr', PRI: 189,
syslogtag '1277235:', programname: '1277235', APP-NAME: '1277235',
PROCID: '-', MSGID: '-',
TIMESTAMP: 'May 2 12:08:23', STRUCTURED-DATA: '-',
msg: ' May 2 12:08:22.817 EDT: %LINEPROTO-5-UPDOWN: Line protocol on
Interface GigabitEthernet0/11, changed state to down'
escaped msg: ' May 2 12:08:22.817 EDT: %LINEPROTO-5-UPDOWN: Line
protocol on Interface GigabitEthernet0/11, changed state to down'
inputname: imudp rawmsg: '<189>1277235: May 2 12:08:22.817 EDT:
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11,
changed state to down'
$!:
$.:
$/:

Debug line with all properties:
FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
'switch1.ldblzr', PRI: 189,
syslogtag '1277236:', programname: '1277236', APP-NAME: '1277236',
PROCID: '-', MSGID: '-',
TIMESTAMP: 'May 2 12:08:26', STRUCTURED-DATA: '-',
msg: ' May 2 12:08:25.896 EDT: %LINEPROTO-5-UPDOWN: Line protocol on
Interface GigabitEthernet0/11, changed state to up'
escaped msg: ' May 2 12:08:25.896 EDT: %LINEPROTO-5-UPDOWN: Line
protocol on Interface GigabitEthernet0/11, changed state to up'
inputname: imudp rawmsg: '<189>1277236: May 2 12:08:25.896 EDT:
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11,
changed state to up'
$!:
$.:
$/:

Robert
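
Added example, not part of the original thread and not the rsyslog project's own configuration: for the question quoted below (writing the sender's IP address in place of the host name), one way is to attach a custom template to the omfile action that emits the fromhost-ip property seen in the debug output above. The template name "SwitchByIP" is hypothetical, and the format string is modelled on the built-in RSYSLOG_FileFormat with %HOSTNAME% swapped for %fromhost-ip%.

```conf
# Added example; "SwitchByIP" is a hypothetical template name.
# Layout follows RSYSLOG_FileFormat, but prints the address rsyslog
# received the packet from (fromhost-ip) instead of HOSTNAME.
# Note: fromhost-ip is the last hop, so behind a relay it is the
# relay's address, not the originating switch.
template(name="SwitchByIP" type="string"
         string="%TIMESTAMP:::date-rfc3339% %fromhost-ip% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

# Same filter and file as in the thread; only the template changes.
# The match on fromhost still relies on the /etc/hosts suffix.
:fromhost, contains, "ldblzr" {
    action(type="omfile"
           name="load"
           template="SwitchByIP"
           File="/var/log/swtichlog")
    stop
}
```

Because fromhost-ip comes from the socket rather than from the message text, it is filled in even when the device sends a header rsyslog cannot parse, as in the first debug record above where syslogtag is just ':'.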


On Fri, May 2, 2014 at 11:25 AM, Rainer Gerhards
<[email protected]> wrote:
> I guess the switch emits malformed format. Use the RSYSLOG_DebugFormat
> template for this action and post a sample from it. Note that each message
> will be output on multiple lines, with all the properties as rsyslog sees
> them. rawmsg is the most interesting one. Be sure to include all properties
> (messages are separated by a blank line with this template).
>
> Rainer
>
>
> On Fri, May 2, 2014 at 5:04 PM, robert s <[email protected]> wrote:
>
>> Hello All,
>>
>> I wanted to see if anyone had run into this issue. I am currently
>> logging information from some switches, and I have those switches
>> locally listed on my /etc/hosts file with a specific suffix like:
>>
>>  10.0.0.5            switch1.ldblzr
>>
>> and I am filtering with a rule like this:
>>
>> :fromhost, contains, "ldblzr" {
>>            action (type="omfile"
>>                    name="load"
>>                    File="/var/log/swtichlog"
>>                              )
>>                            stop
>>                              }
>>
>> The issue that I am running into is that when the logs go to the
>> "switchlog", the way that they are being written is:
>>
>> 2014-05-02T09:19:14.004379-04:00 switch.ldbzr 98563: May  2
>> 09:19:13.005 EDT: %SNMP-3-AUTHFAIL: Authentication failure for SNMP
>> req from host 10.0.0.3
>>
>> I would like them to be written as:
>>
>> 2014-05-02T09:19:14.004379-04:00 (IP ADDRESS INSTEAD OF HOSTNAME)
>> 98563: May  2 09:19:13.005 EDT: %SNMP-3-AUTHFAIL: Authentication
>> failure for SNMP req from host 10.0.0.3
>>
>> I am wondering if this is a template issue or an output module
>> parameter issue, or just misconfiguration on my part?
>>
>> Any input will be appreciated
>>
>> Thanks in advance
>>
>>
>> Robert
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> DON'T LIKE THAT.
>>