Could you log a few messages with the template RSYSLOG_DebugFormat?
that gives us a lot of information (including what the message looked like as it
arrived at the machine), and we can probably figure out what happened in the
parsing from that.
David Lang
On Fri, 20 Jul 2018, Stephan Seitz wrote:
Date: Fri, 20 Jul 2018 10:50:57 +0200
From: Stephan Seitz <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: [rsyslog] Missing parts in logfile
Hi!
I have an rsyslog server with version 8.36.0.
After I updated some FTOS switches the log messages are different from those
with the older version.
This is an example from a switch with the older version:
Jul 19 14:46:57 jurswm22221.juris.de CES: jurswm22221: %STKUNIT0-M:CP
%SSH-6-CONNECTION: Disconnected from 10.223.0.100
Jul 19 14:46:58 jurswm22221.juris.de CES: jurswm22221: %STKUNIT0-M:CP
%SEC-5-LOGOUT: Exec session is terminated for user jurswadmin on line vty0 (
10.223.0.100 ) (Reason : User Request)
After the timestamp you have the hostname then the log message starting with
CES:.
This is an example from a switch with the new FTOS version:
Jul 19 15:40:38 CES jurswm14221 %STKUNIT0-M:CP %SSH-6-CONNECTION:
Disconnected from 10.223.0.100
Jul 19 15:40:38 CES jurswm14221 %STKUNIT0-M:CP %SEC-5-LOGOUT: Exec session is
terminated for user jurswadmin on line vty0 ( 10.223.0.100 ) (Reason : User
Request)
Interestingly here the hostname is missing after the timestamp. It starts
with the log message (CES) which doesn’t have the „:” after CES and the
hostname.
I made a capture file and noticed that the syslog messages are identical
apart from the source IP in the UDP part, the timestamps, and the message
starting with CES.
So the complete hostname that is written for switches with the older FTOS
version is probably inserted by rsyslog. But why isn’t it the case with the
newer versions? The reverse DNS is working.
Shade and sweet water!
Stephan
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
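Added example (my own code, not rsyslog's and not anything posted in the thread): a small Python model of the RFC 3164 header heuristic that, as far as I know, rsyslog's pmrfc3164 parser applies. The assumption being modelled is that the token after the timestamp is taken as the HOSTNAME only if it does not end in ":"; a token ending in ":" is treated as the TAG, and the hostname is then filled in from the sender address (reverse DNS). The two wire messages, the PRI value and the reverse-DNS result are constructed from the lines quoted above, not captured from a real switch. Run against both variants it reproduces the two logfile lines Stephan pasted and reports where each hostname came from.

```python
import re

# Constructed samples: the two FTOS variants from the thread, with a PRI header
# added (value assumed) and a stand-in for what reverse DNS would return.
OLD_FTOS = ("<190>Jul 19 14:46:57 CES: jurswm22221: %STKUNIT0-M:CP "
            "%SSH-6-CONNECTION: Disconnected from 10.223.0.100")
NEW_FTOS = ("<190>Jul 19 15:40:38 CES jurswm14221 %STKUNIT0-M:CP "
            "%SSH-6-CONNECTION: Disconnected from 10.223.0.100")
SENDER_FQDN = "jurswm22221.juris.de"  # assumed reverse-DNS result for the sender

# RFC 3164 timestamp: "Mmm dd hh:mm:ss" followed by one space.
TIMESTAMP_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")


def parse_rfc3164(raw: str, fromhost: str) -> dict:
    """Model of an RFC 3164 parser with the hostname heuristic described above.

    Returns the fields a template would use plus 'hostname_source', which says
    whether HOSTNAME came from the packet payload ('header') or from the
    resolved sender address ('sender').
    """
    msg = raw
    pri = None
    # Strip a leading <PRI> if present (at most three digits).
    if msg.startswith("<"):
        close = msg.find(">")
        if 1 < close <= 4 and msg[1:close].isdigit():
            pri = int(msg[1:close])
            msg = msg[close + 1:]

    m = TIMESTAMP_RE.match(msg)
    if m is None:
        # No parsable header: the whole line is the MSG, host from sender.
        return {"pri": pri, "timestamp": None, "hostname": fromhost,
                "hostname_source": "sender", "tag": "", "msg": msg}

    ts = m.group("ts")
    rest = msg[m.end():]
    candidate, _, after = rest.partition(" ")

    # Heuristic (assumed): a candidate ending in ':' is a TAG, not a hostname,
    # so the hostname is taken from the sender and parsing of TAG restarts here.
    if not candidate or candidate.endswith(":"):
        hostname, source, body = fromhost, "sender", rest
    else:
        hostname, source, body = candidate, "header", after

    # TAG runs up to and including the first ':' or up to the first space.
    tag_end = len(body)
    for i, ch in enumerate(body):
        if ch == ":":
            tag_end = i + 1
            break
        if ch == " ":
            tag_end = i
            break
    tag = body[:tag_end]
    text = body[tag_end:].lstrip()

    return {"pri": pri, "timestamp": ts, "hostname": hostname,
            "hostname_source": source, "tag": tag, "msg": text}


def render(parsed: dict) -> str:
    """Approximation of the traditional file format: TIMESTAMP HOSTNAME TAG MSG."""
    return f"{parsed['timestamp']} {parsed['hostname']} {parsed['tag']} {parsed['msg']}"


def header_host_disagrees(parsed: dict, fromhost: str) -> bool:
    """True when the hostname was taken from the payload and does not match the
    resolved sender; a useful consistency check, since the payload is under the
    sender's control while the resolved name is not."""
    return parsed["hostname_source"] == "header" and parsed["hostname"] != fromhost


if __name__ == "__main__":
    for raw in (OLD_FTOS, NEW_FTOS):
        p = parse_rfc3164(raw, SENDER_FQDN)
        print(render(p))
        print("  hostname from:", p["hostname_source"],
              "| disagrees with sender:", header_host_disagrees(p, SENDER_FQDN))
```

The point the model makes visible: in the old format "CES:" is rejected as a hostname, so the sender's resolved name lands in the HOSTNAME field, while in the new format the bare "CES" passes the check and is written as the hostname, pushing everything else one field to the right. The RSYSLOG_DebugFormat output David asks for shows the same split (the raw message plus the parsed HOSTNAME and syslogtag), so it confirms or refutes this model directly; the hostname_source/disagreement check is the kind of field worth emitting whenever the HOSTNAME in your logs comes from the payload rather than from the network layer.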