Re: [rsyslog] rsyslog is recording more (~ 40 extra) log messages than expected from remote client
On Tue, 20 Dec 2016, rsyslog-users-lists.adiscon@whyaskwhy.org wrote: On 12/20/2016 1:38 AM, Benoit DOLEZ wrote: Hi, The ~40 messages are those of the window size : for performance reason, a train of messages are sent and acked globally. To ack each message independently you can try windowsize=1 with omrelp, but sending message synchronously is a very bad idea. For omfwd, a tcp window size is applied. With UDP, there is no ack, no window. Regards Benoit Thanks for the reply. Am I correct in assuming then that I can expect duplicate messages each time I restart the remote rsyslog receiver instance? If you are using RELP, any messages that the sender has not received a confirmation of recipt for will be re-sent. If you are using plain TCP, messages in flight will be lost If you happened to have looked over the configs, did you see anything that would result in the sending systems tossing old messages if the remote rsyslog receiver stays down longer than "X" seconds? Rsyslog has nothing that will throw away messages based on time. You can set it to throw away messages if the queues get too full (look at the high watermark settings) you can also set the retries so that it will only attempt to deliver a message X times before it gives up on that message. David Lang ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] rsyslog is recording more (~ 40 extra) log messages than expected from remote client
On 12/20/2016 1:38 AM, Benoit DOLEZ wrote: Hi, The ~40 messages are those of the window size : for performance reason, a train of messages are sent and acked globally. To ack each message independently you can try windowsize=1 with omrelp, but sending message synchronously is a very bad idea. For omfwd, a tcp window size is applied. With UDP, there is no ack, no window. Regards Benoit Thanks for the reply. Am I correct in assuming then that I can expect duplicate messages each time I restart the remote rsyslog receiver instance? If you happened to have looked over the configs, did you see anything that would result in the sending systems tossing old messages if the remote rsyslog receiver stays down longer than "X" seconds? ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] keeping prev versions in apt repository
> As far as I could see, files seem to be available somewhere, but they are not indexed. yeah we found the files, but it just didnt work over apt-get install workflow > If you can tell me what to enable in Launchpad to provide older build, I am happy to enable that. But I do not know yet how to do that (and if it is possible at all...). i'll reach out to canonical support. let's see what they suggest. On Tue, Dec 20, 2016 at 1:58 PM, Rainer Gerhardswrote: > As far as I could see, files seem to be available somewhere, but they are > not indexed. > > If you can tell me what to enable in Launchpad to provide older build, I > am happy to enable that. But I do not know yet how to do that (and if it is > possible at all...). > > Rainer > > Sent from phone, thus brief. > > Am 20.12.2016 22:55 schrieb "Dmitriy Kalinin via rsyslog" < > rsyslog@lists.adiscon.com>: > >> im not too familiar with what kind of facilities launchpad provides but i >> would imagine they allow users to keep history. >> >> On Tue, Dec 20, 2016 at 11:43 AM, David Lang wrote: >> >> > On Tue, 20 Dec 2016, Dmitriy Kalinin via rsyslog wrote: >> > >> > Hello, >> >> >> >> Due to a recent memory leak problem (https://github.com/ >> >> cloudfoundry/bosh/issues/1537) in one of our envs, we had to revert >> >> rsyslog >> >> to an older version (8.22.0); however, we found out that apt >> repository no >> >> longer contained older versions. Would it be possible to keep older >> >> versions so that apt-get install rsyslog=x works if such problems >> arise in >> >> future? >> >> >> > >> > I think that this is a function of the PPA repository that it only keeps >> > the most recent versions available. >> > >> > David Lang >> > >> ___ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >> DON'T LIKE THAT. >> > ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] keeping prev versions in apt repository
As far as I could see, files seem to be available somewhere, but they are not indexed. If you can tell me what to enable in Launchpad to provide older build, I am happy to enable that. But I do not know yet how to do that (and if it is possible at all...). Rainer Sent from phone, thus brief. Am 20.12.2016 22:55 schrieb "Dmitriy Kalinin via rsyslog" < rsyslog@lists.adiscon.com>: > im not too familiar with what kind of facilities launchpad provides but i > would imagine they allow users to keep history. > > On Tue, Dec 20, 2016 at 11:43 AM, David Langwrote: > > > On Tue, 20 Dec 2016, Dmitriy Kalinin via rsyslog wrote: > > > > Hello, > >> > >> Due to a recent memory leak problem (https://github.com/ > >> cloudfoundry/bosh/issues/1537) in one of our envs, we had to revert > >> rsyslog > >> to an older version (8.22.0); however, we found out that apt repository > no > >> longer contained older versions. Would it be possible to keep older > >> versions so that apt-get install rsyslog=x works if such problems arise > in > >> future? > >> > > > > I think that this is a function of the PPA repository that it only keeps > > the most recent versions available. > > > > David Lang > > > ___ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] keeping prev versions in apt repository
im not too familiar with what kind of facilities launchpad provides but i would imagine they allow users to keep history. On Tue, Dec 20, 2016 at 11:43 AM, David Langwrote: > On Tue, 20 Dec 2016, Dmitriy Kalinin via rsyslog wrote: > > Hello, >> >> Due to a recent memory leak problem (https://github.com/ >> cloudfoundry/bosh/issues/1537) in one of our envs, we had to revert >> rsyslog >> to an older version (8.22.0); however, we found out that apt repository no >> longer contained older versions. Would it be possible to keep older >> versions so that apt-get install rsyslog=x works if such problems arise in >> future? >> > > I think that this is a function of the PPA repository that it only keeps > the most recent versions available. > > David Lang > ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
[rsyslog] Assert Failure in imtcp.c?
I’m working setting up a syslog pipeline with rsyslog at the front, and I’m running in to an issue with rsyslogd core dumping when I try to start it. Debug log shows everything loading fine, then this: 4473.240773513:imtcp.c: nspoll.c:147 ISOBJ assert failure: invalid object type, expected 'netstrms' actual 'nspoll', cookie: BADEFEE rsyslogd: nspoll.c:147: SetDrvrName: Assertion `0' failed. Then it core dumps. Is this a known issue? I can provide a full debug log if necessary Andrew Griffin ETS / Integration Services ☏ 408-783-8348 smime.p7s Description: S/MIME cryptographic signature ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] keeping prev versions in apt repository
On Tue, 20 Dec 2016, Dmitriy Kalinin via rsyslog wrote: Hello, Due to a recent memory leak problem (https://github.com/ cloudfoundry/bosh/issues/1537) in one of our envs, we had to revert rsyslog to an older version (8.22.0); however, we found out that apt repository no longer contained older versions. Would it be possible to keep older versions so that apt-get install rsyslog=x works if such problems arise in future? I think that this is a function of the PPA repository that it only keeps the most recent versions available. David Lang ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] Potential memory leak in rsyslog v 8.23.0
there was a report a few days ago that failed outbound TCP connections leak memory. Someone was running in an environment where the recipient was cutting the connections frequently and they were seeing a slight, but steady increase in memory use as a result. David Lang On Tue, 20 Dec 2016, Rainer Gerhards wrote: Date: Tue, 20 Dec 2016 17:17:09 +0100 From: Rainer GerhardsReply-To: rsyslog-users To: rsyslog-users Subject: Re: [rsyslog] Potential memory leak in rsyslog v 8.23.0 It was not yet. My guess is that this bug is triggered by some environment options. So we would need to find a way to reproduce the issue or have a memory leak report (e.g. vial valgrind) from an affected system. Note that the testbench routinely checks for memory leaks, but obviously we can cover only a small number of potential environments. Rainer 2016-12-20 16:53 GMT+01:00 Adam Williams via rsyslog : We have deployed 8.23.0 to a utility server in our network and anecdotal evidence (long-term records of memory use) indicate we have a gradually rising memory consumption on the machine. The folks at CloudFoundry provide more details about the leak https://github.com/cloudfoundry/bosh/issues/1537#issuecomment-267339363 which suggests it is a real problem. I'm curious to know if this is on the radar of the amazing rsyslog development team. On Wed, Dec 14, 2016 at 4:53 PM, Shatarupa Nandi via rsyslog < rsyslog@lists.adiscon.com> wrote: Hello, We are observing rsyslogd using an excessive amount of memory after bumping from v 8.22.0 to v 8.23.0. More info at: https://github.com/cloudfoundry/bosh/issues/1537 Any help is appreciated. Thanks! Rupa ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
[rsyslog] keeping prev versions in apt repository
Hello, Due to a recent memory leak problem (https://github.com/ cloudfoundry/bosh/issues/1537) in one of our envs, we had to revert rsyslog to an older version (8.22.0); however, we found out that apt repository no longer contained older versions. Would it be possible to keep older versions so that apt-get install rsyslog=x works if such problems arise in future? Thank you, Dmitriy & BOSH team ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] Potential memory leak in rsyslog v 8.23.0
It was not yet. My guess is that this bug is triggered by some environment options. So we would need to find a way to reproduce the issue or have a memory leak report (e.g. vial valgrind) from an affected system. Note that the testbench routinely checks for memory leaks, but obviously we can cover only a small number of potential environments. Rainer 2016-12-20 16:53 GMT+01:00 Adam Williams via rsyslog: > We have deployed 8.23.0 to a utility server in our network and anecdotal > evidence (long-term records of memory use) indicate we have a gradually > rising memory consumption on the machine. The folks at CloudFoundry provide > more details about the leak > https://github.com/cloudfoundry/bosh/issues/1537#issuecomment-267339363 > which suggests it is a real problem. I'm curious to know if this is on the > radar of the amazing rsyslog development team. > > On Wed, Dec 14, 2016 at 4:53 PM, Shatarupa Nandi via rsyslog < > rsyslog@lists.adiscon.com> wrote: > >> Hello, >> >> We are observing rsyslogd using an excessive amount of memory after bumping >> from v 8.22.0 to v 8.23.0. >> >> More info at: https://github.com/cloudfoundry/bosh/issues/1537 >> >> Any help is appreciated. >> >> Thanks! >> Rupa >> ___ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >> DON'T LIKE THAT. >> > ___ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] Potential memory leak in rsyslog v 8.23.0
We have deployed 8.23.0 to a utility server in our network and anecdotal evidence (long-term records of memory use) indicate we have a gradually rising memory consumption on the machine. The folks at CloudFoundry provide more details about the leak https://github.com/cloudfoundry/bosh/issues/1537#issuecomment-267339363 which suggests it is a real problem. I'm curious to know if this is on the radar of the amazing rsyslog development team. On Wed, Dec 14, 2016 at 4:53 PM, Shatarupa Nandi via rsyslog < rsyslog@lists.adiscon.com> wrote: > Hello, > > We are observing rsyslogd using an excessive amount of memory after bumping > from v 8.22.0 to v 8.23.0. > > More info at: https://github.com/cloudfoundry/bosh/issues/1537 > > Any help is appreciated. > > Thanks! > Rupa > ___ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
[rsyslog] omfile.rst documentation
Hi Reviewing omfile documentation https://github.com/rsyslog/rsyslog-doc/blob/master/source/configuration/modules/omfile.rst It states: - **$F$OMFileForceCHOwn** equivalent to the "ForceChOwn" parameter - **$ActionFileEnableSync** equivalent to the "enableSync" parameter There's a typo in /$F$OMFileForceCHOwn/ ? I'm not able to find /forceChOwn/ or /enableSync/ parameters. Thanks. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] liblognorm segfault ?
Perhaps the same problem than thread "segfault using mmexternal" when using syntax "@syslog". Benoit Le 20/12/2016 à 12:00, Rainer Gerhards a écrit : I don't think I can look at this before the holiday break. So an issue tracker might be useful. Rainer 2016-12-20 11:59 GMT+01:00 mostolog--- via rsyslog: ping? Hi Having more problems with liblognorm. Let me now if I should open an issue. echo "a" | /usr/lib/lognorm/lognormalizer -r a.rb Segmentation fault (core dumped) File: version=2 #foo type=@rfc3164pri:<%priority:number%> type=@rfc3164header:%date:date-rfc3164% %hostname:word% type=@rfc3164tag:%syslogtag:char-to{"extradata":":"}%: type=@rfc3164:%.:@rfc3164pri%%.:@rfc3164header% %.:@rfc3164tag% type=@rfc3164:%.:@rfc3164header% %.:@rfc3164tag% type=@syslog:%.:@rfc3164% #bar # #it complains liblognorm error: rulebase file a.rb[23]: invalid record type detected: ']%' #if written this way: # {"type":"rest","name":"message"} #]% # Theres a blank line at the end of file rule=:%[ {"type":"@syslog","name":"a"}, {"type":"rest","name":"message"}]% Regards ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. -- Benoit DOLEZ, POM Monitoring, http://www.pom-monitoring.com/ ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] liblognorm vs grok
Just created https://github.com/rsyslog/liblognorm/issues/236 El 20/12/16 a las 11:58, mosto...@gmail.com escribió: El 20/12/16 a las 11:55, Rainer Gerhards escribió: 2016-12-20 11:54 GMT+01:00 mostolog--- via rsyslog: Must first line be... "version=2" (v lowercase) this, seehttp://www.liblognorm.com/files/manual/configuration.html#rulebase-versions Already did, but it's still failing, that's why I'm asking version=2 rule=:%[ {"type":"alternative","parser":[ {"type":"literal", "text":"a"} ]}, {"type":"literal", "text":"a"} ]% echo "a" | /usr/lib/lognorm/lognormalizer -r /etc/rsyslog.d/apps/rb/_a.rb liblognorm error: rulebase file /etc/rsyslog.d/apps/rb/_a.rb[8]: invalid record type detected: ']%' { "originalmsg": "a", "unparsed-data": "a" } Rainer or "Version=2" (V uppercase) ? El 14/12/16 a las 10:44,mosto...@gmail.com escribió: El 07/12/16 a las 21:00, Rainer Gerhards escribió: I'm getting /invalid field type 'alternative'/ when using it. Any ideas? rule=test:%[ {"type":"alternative","parser":[ {"type":"literal","text":"-"}, {"type":"word","name":"identd"} ]} ]% no idea Did you Set Version=2 in the First line? Yes. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Followhttps://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] liblognorm segfault ?
I don't think I can look at this before the holiday break. So an issue tracker might be useful. Rainer 2016-12-20 11:59 GMT+01:00 mostolog--- via rsyslog: > ping? > > > >> Hi >> >> Having more problems with liblognorm. Let me now if I should open an >> issue. >> >> echo "a" | /usr/lib/lognorm/lognormalizer -r a.rb >> >> Segmentation fault (core dumped) >> >> File: >> >> version=2 >> >> #foo >> >> type=@rfc3164pri:<%priority:number%> >> type=@rfc3164header:%date:date-rfc3164% %hostname:word% >> type=@rfc3164tag:%syslogtag:char-to{"extradata":":"}%: >> type=@rfc3164:%.:@rfc3164pri%%.:@rfc3164header% %.:@rfc3164tag% >> type=@rfc3164:%.:@rfc3164header% %.:@rfc3164tag% >> type=@syslog:%.:@rfc3164% >> >> #bar >> # >> #it complains liblognorm error: rulebase file a.rb[23]: invalid >> record type detected: ']%' >> #if written this way: >> # {"type":"rest","name":"message"} >> #]% >> # Theres a blank line at the end of file >> rule=:%[ >> {"type":"@syslog","name":"a"}, >> {"type":"rest","name":"message"}]% >> >> Regards >> > > ___ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] liblognorm segfault ?
ping? Hi Having more problems with liblognorm. Let me now if I should open an issue. echo "a" | /usr/lib/lognorm/lognormalizer -r a.rb Segmentation fault (core dumped) File: version=2 #foo type=@rfc3164pri:<%priority:number%> type=@rfc3164header:%date:date-rfc3164% %hostname:word% type=@rfc3164tag:%syslogtag:char-to{"extradata":":"}%: type=@rfc3164:%.:@rfc3164pri%%.:@rfc3164header% %.:@rfc3164tag% type=@rfc3164:%.:@rfc3164header% %.:@rfc3164tag% type=@syslog:%.:@rfc3164% #bar # #it complains liblognorm error: rulebase file a.rb[23]: invalid record type detected: ']%' #if written this way: # {"type":"rest","name":"message"} #]% # Theres a blank line at the end of file rule=:%[ {"type":"@syslog","name":"a"}, {"type":"rest","name":"message"}]% Regards ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] liblognorm vs grok
2016-12-20 11:54 GMT+01:00 mostolog--- via rsyslog: > Must first line be... > > "version=2" (v lowercase) this, see http://www.liblognorm.com/files/manual/configuration.html#rulebase-versions Rainer > > or > > "Version=2" (V uppercase) > > ? > > El 14/12/16 a las 10:44, mosto...@gmail.com escribió: > >> El 07/12/16 a las 21:00, Rainer Gerhards escribió: >>> >>> I'm getting /invalid field type 'alternative'/ when using it. Any ideas? rule=test:%[ {"type":"alternative","parser":[ {"type":"literal","text":"-"}, {"type":"word","name":"identd"} ]} ]% >>> >>> no idea >>> Did you Set Version=2 in the First line? >> >> Yes. >> > > ___ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] liblognorm vs grok
Must first line be... "version=2" (v lowercase) or "Version=2" (V uppercase) ? El 14/12/16 a las 10:44, mosto...@gmail.com escribió: El 07/12/16 a las 21:00, Rainer Gerhards escribió: I'm getting /invalid field type 'alternative'/ when using it. Any ideas? rule=test:%[ {"type":"alternative","parser":[ {"type":"literal","text":"-"}, {"type":"word","name":"identd"} ]} ]% no idea Did you Set Version=2 in the First line? Yes. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.