Agreed; it looks to me like the older FTOS version may have also been broken 
and was leaving out the hostname too:

(old FTOS version)
  Jul 19 14:46:57 jurswm22221.juris.de CES: jurswm22221: %STKUNIT0-M:CP %SSH-6-CONNECTION: Disconnected from 10.223.0.100

(new FTOS version)
  Jul 19 15:40:38 CES jurswm14221 %STKUNIT0-M:CP %SSH-6-CONNECTION: Disconnected from 10.223.0.100

I wonder if the old format parsed like:

  $timereported: "Jul 19 14:46:57"
  $hostname:     ""
  $syslogtag:    "CES:"
  $msg:          " jurswm22221: %STKUNIT0-M:CP %SSH-6-CONNECTION: Disconnected from 10.223.0.100"

but later (on output?) Rsyslog replaces the empty $hostname with $fromhost?

In both cases, it seems like $hostname and $syslogtag are swapped, and the 
difference is that they both have ':' in the first log and neither do in the 
second.  You could fix this with liberal application of mmnormalize and 
templates if you really wanted to...

--
Dave Caplinger
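Added example (not from this thread, and not rsyslog's own code): a small Python model of how the pmrfc3164-style split treats the sample lines from this thread, plus a normalizer that recovers the real device name from both FTOS formats, which is roughly what the mmnormalize-plus-template route would do inside rsyslog. The raw device lines without a hostname and the $fromhost name are constructed assumptions following the hypothesis above; the tag-character rule is a simplification of the parser, not its code.

```python
import re

# Constructed samples. RAW_OLD/RAW_NEW model what the device sends on the wire
# (the old format carrying no hostname, per the hypothesis in the thread) and
# FROMHOST is the name rsyslog would substitute for an empty $hostname. None of
# these are captures; they are assumptions built from the lines in the thread.
FROMHOST = "jurswm22221.juris.de"
RAW_OLD = "Jul 19 14:46:57 CES: jurswm22221: %STKUNIT0-M:CP %SSH-6-CONNECTION: Disconnected from 10.223.0.100"
RAW_NEW = "Jul 19 15:40:38 CES jurswm14221 %STKUNIT0-M:CP %SSH-6-CONNECTION: Disconnected from 10.223.0.100"
RAW_SSHD = "Jul  7 09:34:11 server01 sshd[6203]: Connection closed by 10.188.36.7"

TS_RE = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (.*)$", re.S)

def parse_rfc3164(line, fromhost):
    """Simplified model of the RFC3164 split: {timestamp} {hostname} {tag} {content}.
    If the would-be hostname token contains a tag character (':' or '['), the
    sender omitted the hostname: that token is the tag and $hostname falls back
    to $fromhost. Otherwise the tag runs to the first ':' (inclusive) or space."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts, rest = m.group(1), m.group(2)
    host, _, rest = rest.partition(" ")
    if ":" in host or "[" in host:
        # tag character detected: no hostname on the wire, re-read token as tag
        rest = host + " " + rest
        host = fromhost
    tm = re.match(r"^([^ :]*:?)(.*)$", rest, re.S)
    return {"timereported": ts, "hostname": host, "syslogtag": tm.group(1), "msg": tm.group(2)}

# Optional "name:" (old format), stack-unit field, FTOS mnemonic, then the text.
FTOS_RE = re.compile(r"^(?:([^\s:]+):? )?(%STKUNIT\S+) (%[A-Z0-9_]+-\d-[A-Z0-9_]+): (.*)$", re.S)

def normalize_ftos(rec):
    """Recover the real device name for either FTOS format: in the new format the
    'syslogtag' slot holds it, in the old format it leads $msg as 'name:'. The FTOS
    mnemonic becomes the tag. Records that do not look like FTOS are returned as-is."""
    m = FTOS_RE.match(rec["msg"].lstrip())
    if not m:
        return rec
    device = m.group(1) or rec["syslogtag"].rstrip(":")
    return {**rec, "hostname": device, "syslogtag": m.group(3) + ":",
            "msg": " " + m.group(4), "stackunit": m.group(2)}

if __name__ == "__main__":
    for raw in (RAW_OLD, RAW_NEW, RAW_SSHD):
        rec = parse_rfc3164(raw, FROMHOST)
        print(rec, "->", normalize_ftos(rec))
```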


> On Jul 20, 2018, at 11:16 AM, Rainer Gerhards <[email protected]> wrote:
>
> As I understood, the hostname is actually missing. Previous system had colon 
> in tag, so we could detect that. Now the colon is gone, so no way to detect 
> there is no hostname.
>
> Of course the right approach is to fix the sender, but in my experience...
>
> rainer
>
> Sent from phone, thus brief.
>
> Dave Caplinger via rsyslog <[email protected]> wrote on Fri., 20 July 2018, 18:13:
> Stephen,
>
> I'm not sure this is the right approach...  If I understand correctly, Rainer 
> is proposing using a custom parser so that the hostname can contain a ':' 
> character.  A while back, Rainer helped me with a similar situation and added 
> an option to the pmrfc3164 parser so I could have hostnames that contained 
> '/', and using it looks something like this:
>
>   # allow / in hostname for syslog-ng style relay-path (as of rsyslog 8.20)
>   parser(name="pmrfc3164.hostname_with_slashes" type="pmrfc3164" 
> permit.slashesinhostname="on")
>
>   ruleset(name="ruleset_eth0_514_tcp"
>           parser="pmrfc3164.hostname_with_slashes"
>           queue.size="10000"
>          ) {
>     ...
>   }
>
>   input(type="imptcp"
>     name="net-514-in"
>     port="514"
>     ruleset="ruleset_eth0_514_tcp"
>   )
>
> but I suspect that the real problem is that the newer FTOS device is now 
> sending broken syslog lines.  Rsyslog is expecting an RFC3164 log line to 
> have the general format (excluding <PRI> facility and severity encoding) of:
>
>   {timestamp} {hostname} {tag} {content}
>
> In your sample log lines:
>
> (old FTOS version)
>   Jul 19 14:46:57 jurswm22221.juris.de CES: jurswm22221: %STKUNIT0-M:CP %SSH-6-CONNECTION: Disconnected from 10.223.0.100
>
> (new FTOS version)
>   Jul 19 15:40:38 CES jurswm14221 %STKUNIT0-M:CP %SSH-6-CONNECTION: Disconnected from 10.223.0.100
>
> is the hostname really 'CES' (or even 'CES:')?  Making ':' a valid hostname 
> character isn't going to fix parsing of this new FTOS version log.
>
>
> For comparison, here's a similar (non-FTOS) example log I have:
>
>   Jul  7 09:34:11 server01 sshd[6203]: Connection closed by 10.188.36.7
>
> which Rsyslog parses into the $timereported, $hostname, $syslogtag, 
> $programname, $pid, and $msg properties (and maybe others I'm forgetting).
>
> You can see how this turns out if you configure an output action to use the 
> RSYSLOG_DebugFormat template, such as:
>
>   action(type="omfile"
>     name="omfile.local.DEBUG"
>     file="/logs/messages.debug"
>     template="RSYSLOG_DebugFormat"
>   )
>
> Give this a shot and see if you discover strange things in the $hostname and 
> $syslogtag properties from the newer FTOS logs, for example.
>
> --
> Dave Caplinger
>
> > On Jul 20, 2018, at 5:07 AM, Stephan Seitz 
> > <[email protected]> wrote:
> >
> > On Fr, Jul 20, 2018 at 12:00:58 +0200, Rainer Gerhards wrote:
> >> The best way would be to create a custom parser using pmrfc3164 as
> >> template. You could probably also work via pmnormalize. All parsers
> >> here:
> >> https://www.rsyslog.com/doc/master/configuration/modules/idx_parser.html
> >
> > Thanks, I’ll have a look.
> >
> > Shade and sweet water!
> >
> > Stephan
> >
> > --
> > | Public Keys: http://fsing.rootsland.net/~stse/keys.html |
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
> > LIKE THAT.
>
>
> Confidentiality Notice: The content of this communication, along with any 
> attachments, is covered by federal and state law governing electronic 
> communications and may contain confidential and legally privileged 
> information. If the reader of this message is not the intended recipient, you 
> are hereby notified that any dissemination, distribution, use or copying of 
> the information contained herein is strictly prohibited. If you have received 
> this communication in error, please immediately contact us by telephone at 
> 402.361.3000 or e-mail [email protected].
>
> Copyright 2000-2018 NTT Security (US) Inc., a wholly-owned subsidiary of NTT 
> Group. All rights reserved. ActiveGuard and Solutionary are registered 
> trademarks and NTT Security is a trademark of NTT Security GMBH. Solutionary, 
> the ActiveGuard logo icon, and the Solutionary logo icon are registered 
> service marks of NTT Security (US) Inc.
>
