Re: [rsyslog] rsyslog is recording more (~ 40 extra) log messages than expected from remote client

2016-12-20 Thread David Lang

On Tue, 20 Dec 2016, rsyslog-users-lists.adiscon@whyaskwhy.org wrote:

> On 12/20/2016 1:38 AM, Benoit DOLEZ wrote:
>
>> Hi,
>>
>> The ~40 messages are those of the window size: for performance reasons, a
>> train of messages is sent and acked globally. To ack each message
>> independently you can try windowsize=1 with omrelp, but sending messages
>> synchronously is a very bad idea. For omfwd, a tcp window size is applied.
>> With UDP, there is no ack, no window.
>>
>> Regards
>>
>> Benoit
>
> Thanks for the reply. Am I correct in assuming then that I can expect
> duplicate messages each time I restart the remote rsyslog receiver instance?

If you are using RELP, any messages that the sender has not received a
confirmation of receipt for will be re-sent.

If you are using plain TCP, messages in flight will be lost.

> If you happened to have looked over the configs, did you see anything that
> would result in the sending systems tossing old messages if the remote
> rsyslog receiver stays down longer than "X" seconds?

Rsyslog has nothing that will throw away messages based on time. You can set it
to throw away messages if the queues get too full (look at the high watermark
settings).

You can also set the retries so that it will only attempt to deliver a message X
times before it gives up on that message.

David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
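
The behaviour discussed in the message above, as a simplified model added to this archive page (it is not code from rsyslog, librelp or any poster): a sender forwards messages in trains of `window` frames, the receiver restarts once, and the sender either resends what was never acknowledged or assumes delivery. The function names, the whole-train acknowledgement and the restart points are assumptions of the model.

```python
from collections import Counter


def forward(total, window, restart_after, resend_unacked):
    """Return the sequence numbers the receiver recorded, in arrival order.

    total          -- messages the sender has to deliver (numbered 0..total-1)
    window         -- frames sent as one train before the sender waits for acks
    restart_after  -- the receiver restarts once, right after recording this
                      many frames; acks for the train in progress never arrive
    resend_unacked -- True: resend every frame that was not acknowledged
                      (RELP-like); False: assume delivery once sent
                      (plain-TCP-like, frames in flight are lost)
    """
    log = []
    restarted = False
    next_seq = 0
    while next_seq < total:
        train = range(next_seq, min(next_seq + window, total))
        crashed = False
        for seq in train:
            if crashed:
                continue  # still in flight when the receiver went down
            log.append(seq)  # recorded on the receiver before any ack is sent
            if not restarted and len(log) == restart_after:
                crashed = restarted = True
        if crashed and resend_unacked:
            continue  # no ack for this train: send all of it again
        next_seq = train[-1] + 1
    return log


def summarize(log, total):
    """Count what an auditor comparing sender and receiver would see."""
    counts = Counter(log)
    return {
        "recorded": len(log),
        "duplicates": sum(c - 1 for c in counts.values()),
        "lost": total - len(counts),
    }


def dedupe(log):
    """Receiver-side cleanup: keep only the first copy of each sequence number."""
    seen = set()
    unique = []
    for seq in log:
        if seq not in seen:
            seen.add(seq)
            unique.append(seq)
    return unique


# Constructed scenarios: 1000 messages, one receiver restart per run.
SCENARIOS = {
    "acked, window=40, restart as a train completes": (1000, 40, 120, True),
    "acked, window=40, restart mid-train": (1000, 40, 100, True),
    "acked, window=1": (1000, 1, 120, True),
    "unacked, 40 frames in flight, restart mid-train": (1000, 40, 100, False),
}

if __name__ == "__main__":
    for name, (total, window, restart_after, resend) in SCENARIOS.items():
        result = summarize(forward(total, window, restart_after, resend), total)
        print(f"{name}: {result}")
```

In this model the number of extra records after a restart is bounded by the window size, and sequence numbers (or any unique per-message key) are what let the receiving side tell a resend from a new event.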


Re: [rsyslog] rsyslog is recording more (~ 40 extra) log messages than expected from remote client

2016-12-20 Thread rsyslog-users-lists . adiscon . net

On 12/20/2016 1:38 AM, Benoit DOLEZ wrote:

> Hi,
>
> The ~40 messages are those of the window size: for performance reasons,
> a train of messages is sent and acked globally. To ack each message
> independently you can try windowsize=1 with omrelp, but sending messages
> synchronously is a very bad idea. For omfwd, a tcp window size is
> applied. With UDP, there is no ack, no window.
>
> Regards
>
> Benoit


Thanks for the reply. Am I correct in assuming then that I can expect 
duplicate messages each time I restart the remote rsyslog receiver instance?


If you happened to have looked over the configs, did you see anything 
that would result in the sending systems tossing old messages if the 
remote rsyslog receiver stays down longer than "X" seconds?




Re: [rsyslog] keeping prev versions in apt repository

2016-12-20 Thread Dmitriy Kalinin via rsyslog
> As far as I could see, files seem to be available somewhere, but they are
> not indexed.

yeah we found the files, but it just didn't work over apt-get install
workflow

> If you can tell me what to enable in Launchpad to provide older build, I
> am happy to enable that. But I do not know yet how to do that (and if it is
> possible at all...).

I'll reach out to canonical support. let's see what they suggest.

On Tue, Dec 20, 2016 at 1:58 PM, Rainer Gerhards 
wrote:

> As far as I could see, files seem to be available somewhere, but they are
> not indexed.
>
> If you can tell me what to enable in Launchpad to provide older build, I
> am happy to enable that. But I do not know yet how to do that (and if it is
> possible at all...).
>
> Rainer
>
> Sent from phone, thus brief.
>
> On 20.12.2016 22:55, "Dmitriy Kalinin via rsyslog" <
> rsyslog@lists.adiscon.com> wrote:
>
>> I'm not too familiar with what kind of facilities launchpad provides but I
>> would imagine they allow users to keep history.
>>
>> On Tue, Dec 20, 2016 at 11:43 AM, David Lang  wrote:
>>
>> > On Tue, 20 Dec 2016, Dmitriy Kalinin via rsyslog wrote:
>> >
>> >> Hello,
>> >>
>> >> Due to a recent memory leak problem
>> >> (https://github.com/cloudfoundry/bosh/issues/1537) in one of our envs,
>> >> we had to revert rsyslog to an older version (8.22.0); however, we found
>> >> out that apt repository no longer contained older versions. Would it be
>> >> possible to keep older versions so that apt-get install rsyslog=x works
>> >> if such problems arise in future?
>> >>
>> >
>> > I think that this is a function of the PPA repository that it only keeps
>> > the most recent versions available.
>> >
>> > David Lang
>> >


Re: [rsyslog] keeping prev versions in apt repository

2016-12-20 Thread Rainer Gerhards
As far as I could see, files seem to be available somewhere, but they are
not indexed.

If you can tell me what to enable in Launchpad to provide older build, I am
happy to enable that. But I do not know yet how to do that (and if it is
possible at all...).

Rainer

Sent from phone, thus brief.

On 20.12.2016 22:55, "Dmitriy Kalinin via rsyslog" <
rsyslog@lists.adiscon.com> wrote:

> I'm not too familiar with what kind of facilities launchpad provides but I
> would imagine they allow users to keep history.
>
> On Tue, Dec 20, 2016 at 11:43 AM, David Lang  wrote:
>
> > On Tue, 20 Dec 2016, Dmitriy Kalinin via rsyslog wrote:
> >
> >> Hello,
> >>
> >> Due to a recent memory leak problem
> >> (https://github.com/cloudfoundry/bosh/issues/1537) in one of our envs,
> >> we had to revert rsyslog to an older version (8.22.0); however, we found
> >> out that apt repository no longer contained older versions. Would it be
> >> possible to keep older versions so that apt-get install rsyslog=x works
> >> if such problems arise in future?
> >>
> >
> > I think that this is a function of the PPA repository that it only keeps
> > the most recent versions available.
> >
> > David Lang
> >


Re: [rsyslog] keeping prev versions in apt repository

2016-12-20 Thread Dmitriy Kalinin via rsyslog
I'm not too familiar with what kind of facilities launchpad provides but I
would imagine they allow users to keep history.

On Tue, Dec 20, 2016 at 11:43 AM, David Lang  wrote:

> On Tue, 20 Dec 2016, Dmitriy Kalinin via rsyslog wrote:
>
>> Hello,
>>
>> Due to a recent memory leak problem
>> (https://github.com/cloudfoundry/bosh/issues/1537) in one of our envs,
>> we had to revert rsyslog to an older version (8.22.0); however, we found
>> out that apt repository no longer contained older versions. Would it be
>> possible to keep older versions so that apt-get install rsyslog=x works
>> if such problems arise in future?
>>
>
> I think that this is a function of the PPA repository that it only keeps
> the most recent versions available.
>
> David Lang
>


[rsyslog] Assert Failure in imtcp.c?

2016-12-20 Thread Andrew Griffin via rsyslog
I’m working on setting up a syslog pipeline with rsyslog at the front, and I’m
running into an issue with rsyslogd core dumping when I try to start it.
Debug log shows everything loading fine, then this:

4473.240773513:imtcp.c: nspoll.c:147 ISOBJ assert failure: invalid 
object type, expected 'netstrms' actual 'nspoll', cookie: BADEFEE
rsyslogd: nspoll.c:147: SetDrvrName: Assertion `0' failed.

Then it core dumps. Is this a known issue? I can provide a full debug log if
necessary.

Andrew Griffin
  ETS / Integration Services
☏ 408-783-8348




Re: [rsyslog] keeping prev versions in apt repository

2016-12-20 Thread David Lang

On Tue, 20 Dec 2016, Dmitriy Kalinin via rsyslog wrote:


> Hello,
>
> Due to a recent memory leak problem
> (https://github.com/cloudfoundry/bosh/issues/1537) in one of our envs, we
> had to revert rsyslog to an older version (8.22.0); however, we found out
> that apt repository no longer contained older versions. Would it be
> possible to keep older versions so that apt-get install rsyslog=x works if
> such problems arise in future?


I think that this is a function of the PPA repository that it only keeps the 
most recent versions available.


David Lang


Re: [rsyslog] Potential memory leak in rsyslog v 8.23.0

2016-12-20 Thread David Lang
There was a report a few days ago that failed outbound TCP connections leak 
memory. Someone was running in an environment where the recipient was cutting 
the connections frequently and they were seeing a slight, but steady increase in 
memory use as a result.


David Lang

On Tue, 20 Dec 2016, Rainer Gerhards wrote:


Date: Tue, 20 Dec 2016 17:17:09 +0100
From: Rainer Gerhards 
Reply-To: rsyslog-users 
To: rsyslog-users 
Subject: Re: [rsyslog] Potential memory leak in rsyslog v 8.23.0

It was not yet. My guess is that this bug is triggered by some
environment options. So we would need to find a way to reproduce the
issue or have a memory leak report (e.g. via valgrind) from an
affected system.

Note that the testbench routinely checks for memory leaks, but
obviously we can cover only a small number of potential environments.

Rainer

2016-12-20 16:53 GMT+01:00 Adam Williams via rsyslog:

We have deployed 8.23.0 to a utility server in our network and anecdotal
evidence (long-term records of memory use) indicates we have a gradually
rising memory consumption on the machine. The folks at CloudFoundry provide
more details about the leak
https://github.com/cloudfoundry/bosh/issues/1537#issuecomment-267339363
which suggests it is a real problem. I'm curious to know if this is on the
radar of the amazing rsyslog development team.

On Wed, Dec 14, 2016 at 4:53 PM, Shatarupa Nandi via rsyslog <
rsyslog@lists.adiscon.com> wrote:


Hello,

We are observing rsyslogd using an excessive amount of memory after bumping
from v 8.22.0 to v 8.23.0.

More info at: https://github.com/cloudfoundry/bosh/issues/1537

Any help is appreciated.

Thanks!
Rupa


[rsyslog] keeping prev versions in apt repository

2016-12-20 Thread Dmitriy Kalinin via rsyslog
Hello,

Due to a recent memory leak problem
(https://github.com/cloudfoundry/bosh/issues/1537) in one of our envs, we had to revert rsyslog
to an older version (8.22.0); however, we found out that apt repository no
longer contained older versions. Would it be possible to keep older
versions so that apt-get install rsyslog=x works if such problems arise in
future?

Thank you,
Dmitriy & BOSH team


Re: [rsyslog] Potential memory leak in rsyslog v 8.23.0

2016-12-20 Thread Rainer Gerhards
It was not yet. My guess is that this bug is triggered by some
environment options. So we would need to find a way to reproduce the
issue or have a memory leak report (e.g. via valgrind) from an
affected system.

Note that the testbench routinely checks for memory leaks, but
obviously we can cover only a small number of potential environments.

Rainer

2016-12-20 16:53 GMT+01:00 Adam Williams via rsyslog:
> We have deployed 8.23.0 to a utility server in our network and anecdotal
> evidence (long-term records of memory use) indicates we have a gradually
> rising memory consumption on the machine. The folks at CloudFoundry provide
> more details about the leak
> https://github.com/cloudfoundry/bosh/issues/1537#issuecomment-267339363
> which suggests it is a real problem. I'm curious to know if this is on the
> radar of the amazing rsyslog development team.
>
> On Wed, Dec 14, 2016 at 4:53 PM, Shatarupa Nandi via rsyslog <
> rsyslog@lists.adiscon.com> wrote:
>
>> Hello,
>>
>> We are observing rsyslogd using an excessive amount of memory after bumping
>> from v 8.22.0 to v 8.23.0.
>>
>> More info at: https://github.com/cloudfoundry/bosh/issues/1537
>>
>> Any help is appreciated.
>>
>> Thanks!
>> Rupa


Re: [rsyslog] Potential memory leak in rsyslog v 8.23.0

2016-12-20 Thread Adam Williams via rsyslog
We have deployed 8.23.0 to a utility server in our network and anecdotal
evidence (long-term records of memory use) indicates we have a gradually
rising memory consumption on the machine. The folks at CloudFoundry provide
more details about the leak
https://github.com/cloudfoundry/bosh/issues/1537#issuecomment-267339363
which suggests it is a real problem. I'm curious to know if this is on the
radar of the amazing rsyslog development team.

On Wed, Dec 14, 2016 at 4:53 PM, Shatarupa Nandi via rsyslog <
rsyslog@lists.adiscon.com> wrote:

> Hello,
>
> We are observing rsyslogd using an excessive amount of memory after bumping
> from v 8.22.0 to v 8.23.0.
>
> More info at: https://github.com/cloudfoundry/bosh/issues/1537
>
> Any help is appreciated.
>
> Thanks!
> Rupa


[rsyslog] omfile.rst documentation

2016-12-20 Thread mostolog--- via rsyslog

Hi


Reviewing omfile documentation 
https://github.com/rsyslog/rsyslog-doc/blob/master/source/configuration/modules/omfile.rst


It states:

-  **$F$OMFileForceCHOwn** equivalent to the "ForceChOwn" parameter
-  **$ActionFileEnableSync** equivalent to the "enableSync" parameter

There's a typo in /$F$OMFileForceCHOwn/ ?

I'm not able to find /forceChOwn/ or /enableSync/ parameters.

Thanks.



Re: [rsyslog] liblognorm segfault ?

2016-12-20 Thread Benoit DOLEZ
Perhaps the same problem as in the thread "segfault using mmexternal" when 
using syntax "@syslog".


Benoit


On 20/12/2016 at 12:00, Rainer Gerhards wrote:

I don't think I can look at this before the holiday break. So an issue
tracker might be useful.

Rainer

2016-12-20 11:59 GMT+01:00 mostolog--- via rsyslog :

ping?




Hi

Having more problems with liblognorm. Let me know if I should open an
issue.

echo "a" | /usr/lib/lognorm/lognormalizer -r a.rb

Segmentation fault (core dumped)

File:

version=2

#foo

type=@rfc3164pri:<%priority:number%>
type=@rfc3164header:%date:date-rfc3164% %hostname:word%
type=@rfc3164tag:%syslogtag:char-to{"extradata":":"}%:
type=@rfc3164:%.:@rfc3164pri%%.:@rfc3164header% %.:@rfc3164tag%
type=@rfc3164:%.:@rfc3164header% %.:@rfc3164tag%
type=@syslog:%.:@rfc3164%

#bar
#
#it complains liblognorm error: rulebase file a.rb[23]: invalid
record type detected: ']%'
#if written this way:
#  {"type":"rest","name":"message"}
#]%
# Theres a blank line at the end of file
rule=:%[
  {"type":"@syslog","name":"a"},
  {"type":"rest","name":"message"}]%

Regards






--
Benoit DOLEZ, POM Monitoring, http://www.pom-monitoring.com/


Re: [rsyslog] liblognorm vs grok

2016-12-20 Thread mostolog--- via rsyslog

Just created https://github.com/rsyslog/liblognorm/issues/236


On 20/12/16 at 11:58, mosto...@gmail.com wrote:

On 20/12/16 at 11:55, Rainer Gerhards wrote:

2016-12-20 11:54 GMT+01:00 mostolog--- via rsyslog:

Must first line be...

"version=2" (v lowercase)

this, see
http://www.liblognorm.com/files/manual/configuration.html#rulebase-versions

Already did, but it's still failing, that's why I'm asking

version=2

rule=:%[
{"type":"alternative","parser":[
{"type":"literal", "text":"a"}
]},
{"type":"literal", "text":"a"}
]%

echo "a" | /usr/lib/lognorm/lognormalizer -r
/etc/rsyslog.d/apps/rb/_a.rb
liblognorm error: rulebase file /etc/rsyslog.d/apps/rb/_a.rb[8]:
invalid record type detected: ']%'
{ "originalmsg": "a", "unparsed-data": "a" }




Rainer


or

"Version=2" (V uppercase)

?

On 14/12/16 at 10:44, mosto...@gmail.com wrote:


On 07/12/16 at 21:00, Rainer Gerhards wrote:

I'm getting /invalid field type 'alternative'/ when using it. Any ideas?

rule=test:%[
{"type":"alternative","parser":[
{"type":"literal","text":"-"},
{"type":"word","name":"identd"}
 ]}
]%

no idea
Did you Set Version=2 in the First line?

Yes.



Re: [rsyslog] liblognorm segfault ?

2016-12-20 Thread Rainer Gerhards
I don't think I can look at this before the holiday break. So an issue
tracker might be useful.

Rainer

2016-12-20 11:59 GMT+01:00 mostolog--- via rsyslog :
> ping?
>
>
>
>> Hi
>>
>> Having more problems with liblognorm. Let me know if I should open an
>> issue.
>>
>> echo "a" | /usr/lib/lognorm/lognormalizer -r a.rb
>>
>> Segmentation fault (core dumped)
>>
>> File:
>>
>> version=2
>>
>> #foo
>>
>> type=@rfc3164pri:<%priority:number%>
>> type=@rfc3164header:%date:date-rfc3164% %hostname:word%
>> type=@rfc3164tag:%syslogtag:char-to{"extradata":":"}%:
>> type=@rfc3164:%.:@rfc3164pri%%.:@rfc3164header% %.:@rfc3164tag%
>> type=@rfc3164:%.:@rfc3164header% %.:@rfc3164tag%
>> type=@syslog:%.:@rfc3164%
>>
>> #bar
>> #
>> #it complains liblognorm error: rulebase file a.rb[23]: invalid
>> record type detected: ']%'
>> #if written this way:
>> #  {"type":"rest","name":"message"}
>> #]%
>> # Theres a blank line at the end of file
>> rule=:%[
>>   {"type":"@syslog","name":"a"},
>>   {"type":"rest","name":"message"}]%
>>
>> Regards
>>
>


Re: [rsyslog] liblognorm segfault ?

2016-12-20 Thread mostolog--- via rsyslog

ping?



Hi

Having more problems with liblognorm. Let me know if I should open an 
issue.


echo "a" | /usr/lib/lognorm/lognormalizer -r a.rb

Segmentation fault (core dumped)

File:

version=2

#foo

type=@rfc3164pri:<%priority:number%>
type=@rfc3164header:%date:date-rfc3164% %hostname:word%
type=@rfc3164tag:%syslogtag:char-to{"extradata":":"}%:
type=@rfc3164:%.:@rfc3164pri%%.:@rfc3164header% %.:@rfc3164tag%
type=@rfc3164:%.:@rfc3164header% %.:@rfc3164tag%
type=@syslog:%.:@rfc3164%

#bar
#
#it complains liblognorm error: rulebase file a.rb[23]: invalid
record type detected: ']%'
#if written this way:
#  {"type":"rest","name":"message"}
#]%
# Theres a blank line at the end of file
rule=:%[
  {"type":"@syslog","name":"a"},
  {"type":"rest","name":"message"}]%

Regards





Re: [rsyslog] liblognorm vs grok

2016-12-20 Thread Rainer Gerhards
2016-12-20 11:54 GMT+01:00 mostolog--- via rsyslog :
> Must first line be...
>
> "version=2" (v lowercase)

this, see 
http://www.liblognorm.com/files/manual/configuration.html#rulebase-versions

Rainer

>
> or
>
> "Version=2" (V uppercase)
>
> ?
>
> On 14/12/16 at 10:44, mosto...@gmail.com wrote:
>
>> On 07/12/16 at 21:00, Rainer Gerhards wrote:
>>>
>>>
 I'm getting /invalid field type 'alternative'/ when using it. Any ideas?

rule=test:%[
{"type":"alternative","parser":[
{"type":"literal","text":"-"},
{"type":"word","name":"identd"}
 ]}
]%
>>>
>>> no idea
>>> Did you Set Version=2 in the First line?
>>
>> Yes.
>>
>

Re: [rsyslog] liblognorm vs grok

2016-12-20 Thread mostolog--- via rsyslog

Must first line be...

"version=2" (v lowercase)

or

"Version=2" (V uppercase)

?

On 14/12/16 at 10:44, mosto...@gmail.com wrote:

On 07/12/16 at 21:00, Rainer Gerhards wrote:


I'm getting /invalid field type 'alternative'/ when using it. Any 
ideas?


   rule=test:%[
   {"type":"alternative","parser":[
   {"type":"literal","text":"-"},
   {"type":"word","name":"identd"}
]}
   ]%

no idea
Did you Set Version=2 in the First line?

Yes.


