Here are the logs from the pcap:

from 10.220.0.108:
Jul 19 14:46:57 CES: jurswm22221: %STKUNIT0-M:CP %SSH-6-CONNECTION: 
Disconnected from 10.223.0.100
Jul 19 14:46:58 CES: jurswm22221: %STKUNIT0-M:CP %SEC-5-LOGOUT: Exec session is 
terminated for user jurswadmin on line vty0 ( 10.223.0.100 ) (Reason : User 
Request)

from 10.46.0.114:
Jul 19 14:47:04 CES jurswm14221 %STKUNIT0-M:CP %SSH-6-CONNECTION: Disconnected 
from 10.223.0.100
Jul 19 14:47:05 CES jurswm14221 %STKUNIT0-M:CP %SEC-5-LOGOUT: Exec session is 
terminated for user jurswadmin on line vty0 ( 10.223.0.100 ) (Reason : User 
Request)

Both senders seem to be sending malformed log lines to me since whatever "CES" 
means, it's not the hostname of the device sending the log.  (And I'm betting 
'jurswm22221' and 'jurswm14221' are the actual hostnames.)

But to see how Rsyslog is parsing these, we'd really need to see the 
RSYSLOG_DebugFormat output.  Configure an output action like:

  action(type="omfile"
    name="omfile.local.DEBUG"
    file="/var/logs/messages.debug"
    template="RSYSLOG_DebugFormat"
  )

and then send that info along.

Thanks,

--
Dave Caplinger

> On Jul 23, 2018, at 8:20 AM, Stephan Seitz <[email protected]> 
> wrote:
>
> On Fr, Jul 20, 2018 at 06:20:25 -0700, David Lang wrote:
>> could you log a few messages with the template RSYSLOG_DebugFormat?
>
> Well, I’m attaching a short pcap file.
>
> Thanks for the help!
>
> Shade and sweet water!
>
> Stephan
>
> --
> | Public Keys: http://fsing.rootsland.net/~stse/keys.html |
> <debug.pcap>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
> LIKE THAT.
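To make the parsing problem Dave describes concrete, here is an added example (not code from the thread, rsyslog, or any of the posters) that splits the two quoted lines the way an RFC 3164-style parser does: the first token after the timestamp becomes HOSTNAME, so "CES" (or "CES:") lands in the hostname field and the real device name slides into TAG. The `normalize` step is a hypothetical repair that shifts the fields left by one token when the hostname is implausible; it assumes, as Dave suspects, that "CES" is a timezone-like token and that the following token is the actual hostname. The `TIMEZONE_LIKE` set and the `audit` helper are constructed for this example. It stands in for what `RSYSLOG_DebugFormat` would show you about the parsed fields; it does not replace that output.

```python
"""Added example: why "CES" ends up as HOSTNAME and how to recover the device name.

Not part of the original thread or of rsyslog. The TIMEZONE_LIKE set and the
repair heuristic in normalize() are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# The two log lines quoted in the thread, re-joined onto one line each.
SAMPLE_LINES = [
    "Jul 19 14:46:57 CES: jurswm22221: %STKUNIT0-M:CP %SSH-6-CONNECTION: "
    "Disconnected from 10.223.0.100",
    "Jul 19 14:47:04 CES jurswm14221 %STKUNIT0-M:CP %SSH-6-CONNECTION: "
    "Disconnected from 10.223.0.100",
]

# RFC 3164 TIMESTAMP: "Mmm dd hh:mm:ss" with a space-padded day.
TIMESTAMP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ 0-9]\d \d{2}:\d{2}:\d{2}) (?P<rest>.*)$"
)
# A plausible hostname: letters, digits, dots and hyphens only (no colon).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")
# Assumption: tokens like these are timezone abbreviations, not hostnames.
TIMEZONE_LIKE = {"CES", "CEST", "CET", "UTC", "GMT", "EST", "EDT", "PST", "PDT"}


@dataclass(frozen=True)
class SyslogHeader:
    timestamp: str
    hostname: str
    tag: str
    msg: str
    repaired: bool = False


def split_token(text):
    """Return the first whitespace-delimited token and the remainder."""
    token, _, rest = text.partition(" ")
    return token, rest.lstrip()


def parse_rfc3164(line):
    """Naive RFC 3164 split: TIMESTAMP, then HOSTNAME token, then TAG token, then MSG.

    This mirrors the convention that the token right after the timestamp is the
    hostname, which is exactly what goes wrong for the lines in the thread.
    """
    m = TIMESTAMP_RE.match(line)
    if m is None:
        raise ValueError(f"no RFC 3164 timestamp: {line!r}")
    hostname, rest = split_token(m.group("rest"))
    tag, msg = split_token(rest)
    return SyslogHeader(m.group("ts"), hostname, tag, msg)


def normalize(header):
    """Hypothetical repair: if HOSTNAME is not a plausible hostname (contains a
    colon or is a timezone abbreviation) and the TAG token is one, shift the
    fields left by one token so the device name becomes HOSTNAME."""
    host = header.hostname
    candidate = header.tag.rstrip(":")
    looks_bad = (
        HOSTNAME_RE.match(host) is None
        or host.rstrip(":").upper() in TIMEZONE_LIKE
    )
    if not looks_bad or HOSTNAME_RE.match(candidate) is None:
        return header  # well-formed header, leave it alone
    new_tag, new_msg = split_token(header.msg)
    return SyslogHeader(header.timestamp, candidate, new_tag, new_msg, repaired=True)


def audit(lines):
    """Count repaired lines per recovered hostname, so you can see which
    devices are emitting malformed headers and fix them at the source."""
    counts = {}
    for line in lines:
        h = normalize(parse_rfc3164(line))
        if h.repaired:
            counts[h.hostname] = counts.get(h.hostname, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        raw = parse_rfc3164(line)
        fixed = normalize(raw)
        print(f"naive HOSTNAME={raw.hostname!r} TAG={raw.tag!r}")
        print(f"fixed HOSTNAME={fixed.hostname!r} TAG={fixed.tag!r}")
    print(audit(SAMPLE_LINES))
```

Run on the two thread lines, the naive parse gives `CES:` and `CES` as hostnames, and the repair recovers `jurswm22221` and `jurswm14221` with `%STKUNIT0-M:CP` as the tag. A correctly formed line (hostname directly after the timestamp) passes through `normalize` untouched, which is the property you want before putting any such heuristic in front of a SIEM.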
