Date: Fri, 2 May 2014 12:13:21 -0400
From: robert s <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] log output
Thanks Rainer,
using this filter:
:fromhost, contains, "ldblzr" {
    action (type="omfile"
            template="RSYSLOG_DebugFormat"
            name="load"
            File="/var/log/swtichlog"
    )
    stop
}
I get the following output:
Debug line with all properties:
FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
'switch1.ldblzr', PRI: 189,
syslogtag ':', programname: '', APP-NAME: '', PROCID: '-', MSGID: '-',
TIMESTAMP: 'May 2 12:08:16', STRUCTURED-DATA: '-',
msg: ' 2014 May 2 12:08:16 EDT: %ETHPORT-5-IF_UP: Interface
Ethernet124/1/16 is up in mode access'
escaped msg: ' 2014 May 2 12:08:16 EDT: %ETHPORT-5-IF_UP: Interface
Ethernet124/1/16 is up in mode access'
inputname: imudp rawmsg: '<189>: 2014 May 2 12:08:16 EDT:
%ETHPORT-5-IF_UP: Interface Ethernet124/1/16 is up in mode access'
$!:
$.:
$/:
Debug line with all properties:
FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
'switch1.ldblzr', PRI: 189,
syslogtag '1277235:', programname: '1277235', APP-NAME: '1277235',
PROCID: '-', MSGID: '-',
TIMESTAMP: 'May 2 12:08:23', STRUCTURED-DATA: '-',
msg: ' May 2 12:08:22.817 EDT: %LINEPROTO-5-UPDOWN: Line protocol on
Interface GigabitEthernet0/11, changed state to down'
escaped msg: ' May 2 12:08:22.817 EDT: %LINEPROTO-5-UPDOWN: Line
protocol on Interface GigabitEthernet0/11, changed state to down'
inputname: imudp rawmsg: '<189>1277235: May 2 12:08:22.817 EDT:
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11,
changed state to down'
$!:
$.:
$/:
Debug line with all properties:
FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
'switch1.ldblzr', PRI: 189,
syslogtag '1277236:', programname: '1277236', APP-NAME: '1277236',
PROCID: '-', MSGID: '-',
TIMESTAMP: 'May 2 12:08:26', STRUCTURED-DATA: '-',
msg: ' May 2 12:08:25.896 EDT: %LINEPROTO-5-UPDOWN: Line protocol on
Interface GigabitEthernet0/11, changed state to up'
escaped msg: ' May 2 12:08:25.896 EDT: %LINEPROTO-5-UPDOWN: Line
protocol on Interface GigabitEthernet0/11, changed state to up'
inputname: imudp rawmsg: '<189>1277236: May 2 12:08:25.896 EDT:
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11,
changed state to up'
$!:
$.:
$/:
Robert
On Fri, May 2, 2014 at 11:25 AM, Rainer Gerhards
<[email protected]> wrote:
I guess the switch emits malformed format. Use the RSYSLOG_DebugFormat
template for this action and post a sample from it. Note that each message
will be output on multiple lines, with all the properties as rsyslog sees
them. rawmsg is the most interesting one. Be sure to include all properties
(messages are separated by a blank line with this template).
Rainer
On Fri, May 2, 2014 at 5:04 PM, robert s <[email protected]> wrote:
Hello All,
I wanted to see if anyone had run into this issue. I am currently
logging information from some switches, and I have those switches
locally listed in my /etc/hosts file with a specific suffix like:
10.0.0.5 switch1.ldblzr
and I am filtering with a rule like this:
:fromhost, contains, "ldblzr" {
    action (type="omfile"
            name="load"
            File="/var/log/swtichlog"
    )
    stop
}
The issue that I am running into is that when the logs go to the
"switchlog", the way that they are being written is:
2014-05-02T09:19:14.004379-04:00 switch.ldbzr 98563: May 2
09:19:13.005 EDT: %SNMP-3-AUTHFAIL: Authentication failure for SNMP
req from host 10.0.0.3
I would like them to be written as:
2014-05-02T09:19:14.004379-04:00 (IP ADDRESS INSTEAD OF HOSTNAME)
98563: May 2 09:19:13.005 EDT: %SNMP-3-AUTHFAIL: Authentication
failure for SNMP req from host 10.0.0.3
I am wondering if this is a template issue or an output module
parameter issue, or just misconfiguration on my part?
Any input will be appreciated
Thanks in advance
Robert
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
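
Added example (not part of the original thread and not the rsyslog project's own configuration): one way to get the layout asked for in the original question, assuming the file is currently written in the built-in RSYSLOG_FileFormat layout, as the sample line in the question suggests. The template name SwitchFileFormatIP is an assumption; the filter, action name and file path are the poster's.

```rsyslog
# Added example, not from the thread.
# "SwitchFileFormatIP" is a hypothetical template name.

# Same layout as the built-in RSYSLOG_FileFormat, with %HOSTNAME% replaced by
# %fromhost-ip%, the sender address as seen by the receiving input (imudp in
# the debug output). For messages without a syslog header, HOSTNAME is filled
# from fromhost, i.e. the name resolved through /etc/hosts.
template(name="SwitchFileFormatIP" type="string"
         string="%TIMESTAMP:::date-rfc3339% %fromhost-ip% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

# The filter still matches on the resolved name, so the /etc/hosts suffix
# keeps selecting the switches; only the written host field changes.
:fromhost, contains, "ldblzr" {
    action(type="omfile"
           name="load"
           template="SwitchFileFormatIP"
           file="/var/log/swtichlog")
    stop
}
```

For the messages in the debug output above, the host field would then read 192.168.5.73.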