re-posting my initial answer, as it seems to have not been received by everyone. What happens is pretty clear:

----
simple explanation: the colon cannot be part of a hostname (RFC restriction). So rsyslog knows that "CES:" is not a hostname, and so the heuristic of the default parser does not assign one. On the contrary, "CES" is a perfect hostname and so it is used as such.
----

Rainer
2018-07-23 16:05 GMT+02:00 Dave Caplinger via rsyslog <[email protected]>:
> Here are the logs from the pcap:
>
> from 10.220.0.108:
> Jul 19 14:46:57 CES: jurswm22221: %STKUNIT0-M:CP %SSH-6-CONNECTION: Disconnected from 10.223.0.100
> Jul 19 14:46:58 CES: jurswm22221: %STKUNIT0-M:CP %SEC-5-LOGOUT: Exec session is terminated for user jurswadmin on line vty0 ( 10.223.0.100 ) (Reason : User Request)
>
> from 10.46.0.114:
> Jul 19 14:47:04 CES jurswm14221 %STKUNIT0-M:CP %SSH-6-CONNECTION: Disconnected from 10.223.0.100
> Jul 19 14:47:05 CES jurswm14221 %STKUNIT0-M:CP %SEC-5-LOGOUT: Exec session is terminated for user jurswadmin on line vty0 ( 10.223.0.100 ) (Reason : User Request)
>
> Both senders seem to be sending malformed log lines to me since whatever "CES" means, it's not the hostname of the device sending the log. (And I'm betting 'jurswm22221' and 'jurswm14221' are the actual hostnames.)
>
> But to see how Rsyslog is parsing these, we'd really need to see the RSYSLOG_DebugFormat output. Configure an output action like:
>
> action(type="omfile"
>        name="omfile.local.DEBUG"
>        file="/var/logs/messages.debug"
>        template="RSYSLOG_DebugFormat"
> )
>
> and then send that info along.
>
> Thanks,
>
> --
> Dave Caplinger
>
>> On Jul 23, 2018, at 8:20 AM, Stephan Seitz <[email protected]> wrote:
>>
>> On Fr, Jul 20, 2018 at 06:20:25 -0700, David Lang wrote:
>>> could you log a few messages with the template RSYSLOG_DebugFormat?
>>
>> Well, I’m attaching a short pcap file.
>>
>> Thanks for the help!
>>
>> Shade and sweet water!
>>
>> Stephan
>>
>> --
>> | Public Keys: http://fsing.rootsland.net/~stse/keys.html |
>> <debug.pcap>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog?
>> Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>> LIKE THAT.
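Rainer's hostname rule, written out as a small Python mimic of the default-parser heuristic (an added example, not rsyslog's own parser code): it assumes the two sender IPs and log lines Dave quoted as constructed input, and a hostname test that rejects any token containing a colon.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two senders and one line from each, as quoted in the thread.
SAMPLES = [
    ("10.220.0.108", "Jul 19 14:46:57 CES: jurswm22221: %STKUNIT0-M:CP %SSH-6-CONNECTION: Disconnected from 10.223.0.100"),
    ("10.46.0.114", "Jul 19 14:47:04 CES jurswm14221 %STKUNIT0-M:CP %SSH-6-CONNECTION: Disconnected from 10.223.0.100"),
]

# A hostname is dot-separated labels of letters, digits and hyphens (RFC 1123); a colon can never appear.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")
# RFC 3164 timestamp "Mmm dd hh:mm:ss" followed by the rest of the line.
TIMESTAMP_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (.*)$", re.DOTALL)


@dataclass
class Parsed:
    timestamp: str
    hostname: str       # value the HOSTNAME property would carry
    hostname_from: str  # "message" if taken from the line, "sender" if it fell back to the sending IP
    msg: str


def parse_rfc3164(line: str, fromhost_ip: str) -> Parsed:
    """Simplified mimic of the heuristic Rainer describes (illustration, not rsyslog's code).

    The token after the timestamp becomes the hostname only if it is a legal hostname.
    "CES:" contains a colon, so it fails, the hostname falls back to the sending IP and
    the token stays in the message; "CES" passes and is used as the hostname even though,
    as Dave notes, it is not the real device name. Either way the name the sender meant
    ("jurswm...") ends up inside MSG, so filters keyed on HOSTNAME alone are unreliable here.
    """
    m = TIMESTAMP_RE.match(line)
    if not m:
        raise ValueError("no RFC 3164 timestamp at start of line")
    ts, rest = m.groups()
    candidate, _, after = rest.partition(" ")
    if HOSTNAME_RE.match(candidate):
        return Parsed(ts, candidate, "message", after)
    return Parsed(ts, fromhost_ip, "sender", rest)


def parse_samples() -> list:
    """Parse the constructed samples; returns [(hostname, hostname_from, msg), ...]."""
    return [(p.hostname, p.hostname_from, p.msg)
            for p in (parse_rfc3164(line, ip) for ip, line in SAMPLES)]


if __name__ == "__main__":
    for ip, line in SAMPLES:
        p = parse_rfc3164(line, ip)
        print(f"from {ip}: HOSTNAME={p.hostname!r} ({p.hostname_from}) MSG={p.msg[:40]!r}...")
```

The first sender's line yields HOSTNAME 10.220.0.108 with "CES: jurswm22221: ..." left in MSG, the second yields HOSTNAME "CES", which is exactly the difference Rainer describes.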

