If I understand your question correctly (not sure), you do need to check if there is a decoder for your display tool. On the wire, *everything* (http, ftp, syslog) is strings. The decoder splits it in "fields" when it displays the packet capture (as does rsyslog when it parses the message).
Rainer

2018-07-17 16:56 GMT+02:00 Delon Lee Di Lun <[email protected]>:
> So it's not supposed to have individual "field" in the packet?
> It is just a single string with the fields in order?
>
> On Tue, 10 Jul 2018 at 22:40 Rainer Gerhards <[email protected]>
> wrote:
>
>> From what I see it's RFC5424 format, so I do not know what the issue is.
>>
>> Rainer
>>
>> 2018-07-10 14:35 GMT+02:00 Delon Lee Di Lun <[email protected]>:
>>
>>> Hi all.
>>>
>>> Any help please?
>>>
>>>
>>> On Sat, 30 Jun 2018, 11:24 Delon Lee Di Lun, <[email protected]>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Here you go.
>>>> [image: image.png]
>>>>
>>>>
>>>> On Thu, 28 Jun 2018 at 11:26 David Lang <[email protected]> wrote:
>>>>
>>>>> unfortunately the first of the two images didn't come through for me,
>>>>> can you try again?
>>>>>
>>>>> David Lang
>>>>>
>>>>> On Wed, 27 Jun 2018, Delon Lee Di Lun wrote:
>>>>>
>>>>> > Date: Wed, 27 Jun 2018 17:24:37 +0800
>>>>> > From: Delon Lee Di Lun <[email protected]>
>>>>> > To: David Lang <[email protected]>
>>>>> > Cc: Delon Lee Di Lun via rsyslog <[email protected]>,
>>>>> >     Rainer Gerhards <[email protected]>
>>>>> > Subject: Re: [rsyslog] IETF template?
>>>>> >
>>>>> > Hi,
>>>>> >
>>>>> > Is it supposed to be like this?
>>>>> > [image: image.png]
>>>>> >
>>>>> > In the definition, is the entire "SYSLOG-MSG" in the "Message" field above?
>>>>> > [image: image.png]
>>>>> > Yours Sincerely,
>>>>> > Delon Lee
>>>>> >
>>>>> > On Mon, 25 Jun 2018, 10:15 David Lang, <[email protected]> wrote:
>>>>> >
>>>>> >> what do you mean "does not change the actual package sent"?
>>>>> >>
>>>>> >> change it from what?
>>>>> >>
>>>>> >> Rsyslog_SyslogProtocol23Format is what RFC-5424 was based on, so they
>>>>> >> should match (and any differences are unknown bugs)
>>>>> >>
>>>>> >> I agree, we should create an alias that makes it much more obvious that
>>>>> >> this is the new standard format.
>>>>> >>
>>>>> >> David Lang
>>>>> >>
>>>>> >> On Sun, 24 Jun 2018, Delon Lee Di Lun via rsyslog wrote:
>>>>> >>
>>>>> >>> Date: Sun, 24 Jun 2018 21:34:15 +0800
>>>>> >>> From: Delon Lee Di Lun via rsyslog <[email protected]>
>>>>> >>> To: Rainer Gerhards <[email protected]>
>>>>> >>> Cc: Delon Lee Di Lun <[email protected]>,
>>>>> >>>     rsyslog-users <[email protected]>
>>>>> >>> Subject: Re: [rsyslog] IETF template?
>>>>> >>>
>>>>> >>> But it does not change the actual packet being sent?
>>>>> >>>
>>>>> >>> On Fri, 22 Jun 2018, 21:42 Rainer Gerhards, <[email protected]>
>>>>> >>> wrote:
>>>>> >>>
>>>>> >>>> 2018-06-22 15:27 GMT+02:00 Delon Lee Di Lun via rsyslog
>>>>> >>>> <[email protected]>:
>>>>> >>>>> Hi All,
>>>>> >>>>>
>>>>> >>>>> I have set my output template as RSYSLOG_SyslogProtocol23Format is
>>>>> >>>>> this the RFC 5424?
>>>>> >>>>
>>>>> >>>> yes - we used rsyslog when crafting RFC5424, and the template name is
>>>>> >>>> historically based on the draft ID. We should probably add an alias...
>>>>> >>>>
>>>>> >>>> Rainer
>>>>> >>>>>
>>>>> >>>>> I tcpdump my traffic and it seems like the syslog packet is the same.
>>>>> >>>>> is it supposed to be?
>>>>> >>>>>
>>>>> >>>>> Yours Sincerely,
>>>>> >>>>> Delon Lee
>>>>> >>>>>
>>>>> >>>>> _______________________________________________
>>>>> >>>>> rsyslog mailing list
>>>>> >>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>> >>>>> http://www.rsyslog.com/professional-services/
>>>>> >>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>> >>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>>>>> >>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
>>>>> >>>>> POST if you DON'T LIKE THAT.
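What the decoder step described in the reply at the top of this thread amounts to, as an added example that is not part of the original thread and is not rsyslog's own code: a small Python parser that takes one RFC 5424 message as the single string seen on the wire and splits it into named fields. The sample line, its host name and its structured-data values are constructed for illustration.

```python
import re

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER = re.compile(r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")
# One SD-ELEMENT: [SD-ID *(SP NAME="VALUE")]; inside a value '"', '\' and ']' are backslash-escaped
SD_ELEMENT = re.compile(r'\[([^ =\]"]+)((?: [^ =\]"]+="(?:\\.|[^"\\\]])*")*)\]')
SD_PARAM = re.compile(r' ([^ =\]"]+)="((?:\\.|[^"\\\]])*)"')

# Constructed sample: one string, exactly as it would appear in a packet capture.
SAMPLE = ('<165>1 2018-07-17T14:56:00.003Z host1.example.com myapp 4711 ID47 '
          '[origin@32473 note="a \\"quoted\\] value" iut="3"] single string on the wire')


def parse_rfc5424(line: str) -> dict:
    """Split one RFC 5424 syslog string into named fields, as a decoder would."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri = int(m.group(1))
    if pri > 191:                      # highest valid PRI: facility 23, severity 7
        raise ValueError("PRI out of range")
    names = ("version", "timestamp", "hostname", "app_name", "procid", "msgid")
    fields = dict(zip(names, m.groups()[1:]))
    fields["facility"], fields["severity"] = divmod(pri, 8)

    rest = line[m.end():]
    sd = {}
    if rest.startswith("-"):           # NILVALUE: no structured data
        rest = rest[1:]
    else:
        pos = 0
        while (el := SD_ELEMENT.match(rest, pos)):
            sd[el.group(1)] = {k: re.sub(r'\\(["\\\]])', r"\1", v)
                               for k, v in SD_PARAM.findall(el.group(2))}
            pos = el.end()
        if pos == 0:
            raise ValueError("malformed STRUCTURED-DATA")
        rest = rest[pos:]
    if rest and not rest.startswith(" "):
        raise ValueError("unexpected data after STRUCTURED-DATA")
    fields["structured_data"] = sd
    fields["msg"] = rest[1:]           # everything after the separating space
    return fields


if __name__ == "__main__":
    for name, value in parse_rfc5424(SAMPLE).items():
        print(f"{name:16} {value!r}")
```

A line that is not RFC 5424 framed (for example a legacy BSD-style message) raises `ValueError` instead of being split on guesswork.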

