Stephan,
I'm not sure this is the right approach... If I understand correctly, Rainer
is proposing using a custom parser so that the hostname can contain a ':'
character. A while back, Rainer helped me with a similar situation and added
an option to the pmrfc3164 parser so I could have hostnames that contained '/',
and using it looks something like this:
# allow / in hostname for syslog-ng style relay-path (as of rsyslog 8.20)
parser(name="pmrfc3164.hostname_with_slashes" type="pmrfc3164"
       permit.slashesinhostname="on")

ruleset(name="ruleset_eth0_514_tcp"
        parser="pmrfc3164.hostname_with_slashes"
        queue.size="10000"
) {
    ...
}

input(type="imptcp"
      name="net-514-in"
      port="514"
      ruleset="ruleset_eth0_514_tcp"
)
but I suspect that the real problem is that the newer FTOS device is now
sending broken syslog lines. Rsyslog is expecting an RFC3164 log line to have
the general format (excluding <PRI> facility and severity encoding) of:
{timestamp} {hostname} {tag} {content}
In your sample log lines:
(old FTOS version)
Jul 19 14:46:57 jurswm22221.juris.de CES: jurswm22221: %STKUNIT0-M:CP
%SSH-6-CONNECTION: Disconnected from 10.223.0.100
(new FTOS version)
Jul 19 15:40:38 CES jurswm14221 %STKUNIT0-M:CP %SSH-6-CONNECTION:
Disconnected from 10.223.0.100
is the hostname really 'CES' (or even 'CES:')? Making ':' a valid hostname
character isn't going to fix parsing of this new FTOS version log.
For comparison, here's a similar (non-FTOS) example log I have:
Jul 7 09:34:11 server01 sshd[6203]: Connection closed by 10.188.36.7
which Rsyslog parses into the $timereported, $hostname, $syslogtag,
$programname, $pid, and $msg properties (and maybe others I'm forgetting).
You can see how this turns out if you configure an output action to use the
RSYSLOG_DebugFormat template, such as:
action(type="omfile"
       name="omfile.local.DEBUG"
       file="/logs/messages.debug"
       template="RSYSLOG_DebugFormat"
)
Give this a shot and see if you discover strange things in the $hostname and
$syslogtag properties from the newer FTOS logs, for example.
--
Dave Caplinger
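As an added illustration, not part of this thread or of rsyslog's own code: a simplified Python splitter that applies the {timestamp} {hostname} {tag} {content} rule to the three sample lines above, showing why 'CES' ends up as the hostname of the new FTOS line. It assumes the tag ends at the first space or colon (colon kept) and skips PRI handling, hostname character validation and the tag length limit that the real pmrfc3164 applies.

```python
import re
from typing import NamedTuple, Optional

# Sample lines constructed from the examples in the thread (PRI part omitted).
OLD_FTOS = ("Jul 19 14:46:57 jurswm22221.juris.de CES: jurswm22221: "
            "%STKUNIT0-M:CP %SSH-6-CONNECTION: Disconnected from 10.223.0.100")
NEW_FTOS = ("Jul 19 15:40:38 CES jurswm14221 %STKUNIT0-M:CP "
            "%SSH-6-CONNECTION: Disconnected from 10.223.0.100")
SSHD_LINE = "Jul 7 09:34:11 server01 sshd[6203]: Connection closed by 10.188.36.7"

class Parsed(NamedTuple):
    timereported: str
    hostname: str
    syslogtag: str
    programname: str
    pid: Optional[str]
    msg: str

# "Mmm d(d) HH:MM:SS " followed by a space; single-digit days may be space-padded.
TIMESTAMP_RE = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")
# programname[pid]: -> programname plus optional pid (trailing colon ignored)
TAG_RE = re.compile(r"^([^\s:\[]+)(?:\[(\d+)\])?:?$")

def parse_rfc3164(line: str) -> Parsed:
    """Split a line as {timestamp} {hostname} {tag} {content} (simplified
    approximation of pmrfc3164, no PRI, no hostname validation)."""
    m = TIMESTAMP_RE.match(line)
    if not m:
        raise ValueError("line does not start with an RFC3164 timestamp")
    rest = line[m.end():]
    # Hostname is simply the next space-delimited token; rsyslog additionally
    # checks its characters, which is what permit.slashesinhostname relaxes.
    hostname, _, rest = rest.partition(" ")
    # Tag runs to the first space or colon; a terminating colon stays in the tag.
    end = 0
    while end < len(rest) and rest[end] not in " :":
        end += 1
    if end < len(rest) and rest[end] == ":":
        end += 1
    syslogtag, msg = rest[:end], rest[end:].lstrip(" ")  # lstrip is a simplification
    t = TAG_RE.match(syslogtag)
    programname, pid = (t.group(1), t.group(2)) if t else (syslogtag, None)
    return Parsed(m.group(1), hostname, syslogtag, programname, pid, msg)

if __name__ == "__main__":
    for name, line in (("old FTOS", OLD_FTOS), ("new FTOS", NEW_FTOS), ("sshd", SSHD_LINE)):
        p = parse_rfc3164(line)
        print(f"{name}: hostname={p.hostname!r} syslogtag={p.syslogtag!r} "
              f"programname={p.programname!r} pid={p.pid!r} msg={p.msg!r}")
```

Run it and compare against what RSYSLOG_DebugFormat shows for the same lines: the new FTOS line yields hostname 'CES' and tag 'jurswm14221', which no hostname-character option will change.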
> On Jul 20, 2018, at 5:07 AM, Stephan Seitz <[email protected]>
> wrote:
>
> On Fr, Jul 20, 2018 at 12:00:58 +0200, Rainer Gerhards wrote:
>> The best way would be to create a custom parser using pmrfc3164 as
>> template. You could probably also work via pmnormalize. All parsers
>> here:
>> https://www.rsyslog.com/doc/master/configuration/modules/idx_parser.html
>
> Thanks, I’ll have a look.
>
> Shade and sweet water!
>
> Stephan
>
> --
> | Public Keys: http://fsing.rootsland.net/~stse/keys.html |
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.