did you output the log with the RSYSLOG_DebugFormat to see exactly what ends up
in what field?
David Lang
On Tue, 17 Jul 2018, Rainer Gerhards wrote:
Date: Tue, 17 Jul 2018 16:59:03 +0200
From: Rainer Gerhards <[email protected]>
To: Delon Lee Di Lun <[email protected]>
Cc: David Lang <[email protected]>,
Delon Lee Di Lun via rsyslog <[email protected]>
Subject: Re: [rsyslog] IETF template?
If I understand your question correctly (not sure), you do need to check if
there is a decoder for your display tool. On the wire, *everything* (http,
ftp, syslog) is strings. The decoder splits it in "fields" when it displays
the packet capture (as does rsyslog when it parses the message).
Rainer
2018-07-17 16:56 GMT+02:00 Delon Lee Di Lun <[email protected]>:
So it's not supposed to have individual "field" in the packet?
It is just a single string with the fields in order?
On Tue, 10 Jul 2018 at 22:40 Rainer Gerhards <[email protected]> wrote:
From what I see it's RFC5424 format, so I do not know what the issue is.
Rainer
2018-07-10 14:35 GMT+02:00 Delon Lee Di Lun <[email protected]>:
Hi all.
Any help please?
On Sat, 30 Jun 2018, 11:24 Delon Lee Di Lun, <[email protected]> wrote:
Hi,
Here you go.
[image: image.png]
On Thu, 28 Jun 2018 at 11:26 David Lang <[email protected]> wrote:
unfortunately the first of the two images didn't come through for me, can you
try again?
David Lang
On Wed, 27 Jun 2018, Delon Lee Di Lun wrote:
Date: Wed, 27 Jun 2018 17:24:37 +0800
From: Delon Lee Di Lun <[email protected]>
To: David Lang <[email protected]>
Cc: Delon Lee Di Lun via rsyslog <[email protected]>,
Rainer Gerhards <[email protected]>
Subject: Re: [rsyslog] IETF template?
Hi,
Is it supposed to be like this?
[image: image.png]
In the definition, is the entire "SYSLOG-MSG" in the "Message" field
above?
[image: image.png]
Yours Sincerely,
Delon Lee
On Mon, 25 Jun 2018, 10:15 David Lang, <[email protected]> wrote:
what do you mean "does not change the actual package sent"?
change it from what?
Rsyslog_SyslogProtocol23Format is what RFC-5424 was based on, so they should
match (and any differences are unknown bugs)
I agree, we should create an alias that makes it much more obvious that this is
the new standard format.
David Lang
On Sun, 24 Jun 2018, Delon Lee Di Lun via rsyslog wrote:
Date: Sun, 24 Jun 2018 21:34:15 +0800
From: Delon Lee Di Lun via rsyslog <[email protected]>
To: Rainer Gerhards <[email protected]>
Cc: Delon Lee Di Lun <[email protected]>,
rsyslog-users <[email protected]>
Subject: Re: [rsyslog] IETF template?
But it does not change the actual packet being sent?
On Fri, 22 Jun 2018, 21:42 Rainer Gerhards, <[email protected]> wrote:
2018-06-22 15:27 GMT+02:00 Delon Lee Di Lun via rsyslog <[email protected]>:
Hi All,
I have set my output template as RSYSLOG_SyslogProtocol23Format is this the
RFC 5424?
yes - we used rsyslog when crafting RFC5424, and the template name is
historically based on the draft ID. We should probably add an alias...
Rainer
I tcpdump my traffic and it seems like the syslog packet is the same. is it
supposed to be?
Yours Sincerely,
Delon Lee
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
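
The point made in the thread, that an RFC 5424 message travels as one string and a decoder splits it into fields, shown as an added example that is not part of the original thread. The sample payloads are constructed, and the names `parse_rfc5424` and `split_sd` are hypothetical.

```python
import re

# Constructed sample payloads (not taken from the captures in the thread).
SAMPLE = b'<34>1 2018-07-17T16:59:03+02:00 host1 su 1234 ID47 [ex@32473 note="a\\]b"] su root failed'
NIL_SAMPLE = b'<13>1 - - - - - - hello'

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
HEADER = re.compile(
    rb'<(?P<pri>\d{1,3})>(?P<version>[1-9]\d?) (?P<timestamp>\S+) (?P<hostname>\S+) '
    rb'(?P<app_name>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)', re.DOTALL)

def split_sd(rest):
    """Split 'STRUCTURED-DATA [SP MSG]' into (structured_data, msg)."""
    if rest[:1] == b'-':                    # NILVALUE: no structured data
        end = 1
    elif rest[:1] == b'[':
        i, in_quote, end = 0, False, None
        while i < len(rest) and end is None:
            c = rest[i:i + 1]
            if in_quote and c == b'\\':
                i += 1                      # skip the escaped byte (\" \\ \])
            elif c == b'"':
                in_quote = not in_quote
            elif c == b']' and not in_quote and rest[i + 1:i + 2] != b'[':
                end = i + 1                 # closing bracket of the last SD-ELEMENT
            i += 1
        if end is None:
            raise ValueError('unterminated STRUCTURED-DATA')
    else:
        raise ValueError('STRUCTURED-DATA must be "-" or start with "["')
    tail = rest[end:]
    if tail and tail[:1] != b' ':
        raise ValueError('expected SP before MSG')
    return rest[:end], tail[1:]

def parse_rfc5424(payload):
    m = HEADER.match(payload)
    if m is None or int(m['pri']) > 191:    # 191 = facility 23, severity 7
        raise ValueError('not an RFC 5424 frame')
    fields = {k: v for k, v in m.groupdict().items() if k != 'rest'}
    pri = int(fields['pri'])
    fields['facility'], fields['severity'] = pri >> 3, pri & 7
    fields['structured_data'], fields['msg'] = split_sd(m.group('rest'))
    return fields

if __name__ == '__main__':
    for name, value in parse_rfc5424(SAMPLE).items():
        print(f'{name:16} {value!r}')
```

A legacy BSD-style frame (no version digit after the PRI) is rejected rather than split into the wrong fields, which is a quick way to tell from a capture which template actually produced the traffic.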