[rsyslog] Replacing newlines in incoming messages

2015-03-09 Thread Troels Arvin
Hello,

Using rsyslog 7.4.7.

Once in a while, some equipment sends a message which includes newline 
chars into our central syslog server. This disturbs my filtering of 
/var/log/messages.

Can rsyslog be configured to replace incoming newline characters with 
another character, such as a space?

-- 
Regards,
Troels Arvin 
http://troels.arvin.dk/

___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


Re: [rsyslog] Replacing newlines in incoming messages

2015-03-10 Thread Troels Arvin
Hello,

Rainer Gerhards wrote:
> I think what happens here is that the message
> is sent via TCP syslog, and there LF is the *frame delimiter*. So we
> actually have a protocol error in this case - the LF indicates that a
> new message begins. As such, it is not part of the message itself.
[...]

I don't know whether TCP is being used. But after having looked more 
closely, it seems like it might be the server's own snmptrapd which is 
relaying traps which include newlines. So one might argue that I should 
look for a solution within snmptrapd, but it would be nice to have a 
solution which makes sure that rsyslog never places a newline in
/var/log/messages -- except as a message delimiter, of course.

-- 
Regards,
Troels Arvin 
http://troels.arvin.dk/



Re: [rsyslog] Replacing newlines in incoming messages

2015-03-11 Thread Troels Arvin
Hello Rainer,

You wrote:
> Pls read my previous message carefully: I think the LF *is* the message
> delimiter.

I've read it again, but I probably just don't understand your point.

I should show an example from /var/log/messages:

==
2015-03-09T11:16:18.569746+01:00 2015-03-09T11:16:18.569746+01:00 monsrv 
127.0.0.1 snmptrapd[2446]: 2015-03-09 11:16:18  [UDP: 
[192.168.x.x]:58378->[192.168.y.y]:162] (via 192.168.x.x [192.168.x.x]): 
VMWARE-PRODUCTS-MIB::vmwVC Enterprise Specific Trap (6.203) Uptime: 24 
days, 19:15:06.43   VMWARE-PRODUCTS-MIB::vmwVC.308.0 = INTEGER: 2   
VMWARE-PRODUCTS-MIB::vmwVC.304.0 = STRING: "Yellow" VMWARE-PRODUCTS-
MIB::vmwVC.305.0 = STRING: "Red"VMWARE-PRODUCTS-MIB::vmwVC.306.0 = 
STRING: "alarm.StorageConnectivityAlarm - Event: Lost Storage 
Connectivity (38454177)
Summary: Lost connectivity to storage device 
naa.60060e80104d77f004f346870002. Path vmhba3:C0:T5:L2 is down. 
Affected datastores: Unknown.
Date: 06-03-2015 08:55:39
Host: vm1.somedomain.dk
Resource pool: myclus
Data center: myclus
Arguments:
eventTypeId = esx.problem.storage.connectivity.lost
objectId = host-102863
objectName = vm1.somedomain.dk
1 = naa.60060e80104d77f004f346870002
2 = vmhba3:C0:T5:L2
3 = Unknown
 OR Event: Lost Storage Connectivity (38454177)
Summary: Lost connectivity to storage device 
naa.60060e80104d77f004f346870002. Path vmhba3:C0:T5:L2 is down. 
Affected datastores: Unknown.
Date: 06-03-2015 08:55:39
Host: vm1.somedomain.dk
Resource pool: myclus
Data center: myclus
Arguments:
eventTypeId = esx.problem.storage.connectivity.lost
objectId = host-102863
objectName = vm1.somedomain.dk
1 = naa.60060e80104d77f004f346870002
2 = vmhba3:C0:T5:L2
3 = Unknown
 OR Event: Lost Storage Connectivity (38454177)
Summary: Lost connectivity to storage device 
naa.60060e80104d77f004f346870002. Path vmhba3:C0:T5:L2 is down. 
Affected datastores: Unknown.
Date: 06-03-2015 08:55:39
Host: vm1.somedomain.dk
Resource pool: myclus
Data center: myclus
Arguments:
eventTypeId = esx.problem.storage.connectivity.lost
objectId = host-102863
objectName = vm1.somedomain.dk
1 = naa.60060e80104d77f004f346870002
2 = vmhba3:C0:T5:L2
3 = Unknown
"   VMWARE-PRODUCTS-MIB::vmwVC.307.0 = STRING: "vm1.somedomain.dk"
==

The reason that there are two timestamps in the beginning of the message 
is that I've configured rsyslog to record both the timestamp received from 
the logger and the timestamp on the syslog server itself (sometimes, we 
receive messages from equipment where the clock is way off).

-- 
Regards,
Troels Arvin 
http://troels.arvin.dk/



Re: [rsyslog] Replacing newlines in incoming messages

2015-03-12 Thread Troels Arvin
Hello,

Rainer Gerhards wrote:
> Before we dig down, please let me know via which way this message is
> received.

Environment: RHEL 7.1.

The message came from the server's snmptrapd service. In other words: 
snmptrapd and syslog-daemon are residing on the same host. A tcpdump 
reveals that the snmptrapd->syslog communication happens via UDP.

-- 
Regards,
Troels Arvin 
http://troels.arvin.dk/
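
Added example (not part of the original thread and not rsyslog code): a Python sketch of the two cases discussed above, LF acting as the frame delimiter on a plain TCP stream versus LFs arriving inside a single UDP datagram, and of neutralising the embedded LFs so that LF only ever ends a record in the output file. The sample payload is constructed from the quoted trap; the function names and the "space"/"escape" modes are assumptions made for this illustration.

```python
# Constructed sample: one UDP datagram whose payload contains embedded LFs,
# modelled on (and shortened from) the snmptrapd message quoted in the thread.
DATAGRAM = (
    b'<30>snmptrapd[2446]: vmwVC.306.0 = STRING: "Event: Lost Storage Connectivity\n'
    b'Summary: Lost connectivity to storage device\n'
    b'Host: vm1.somedomain.dk\n'
    b'"   vmwVC.307.0 = STRING: "vm1.somedomain.dk"'
)


def split_lf_framed(stream: bytes) -> list[bytes]:
    """Plain TCP syslog framing: every LF terminates a message."""
    return [frame for frame in stream.split(b"\n") if frame]


def sanitize(msg: bytes, mode: str = "space") -> bytes:
    """Neutralise control characters inside one already-framed message.

    mode="space":  each control character becomes a single space
    mode="escape": each control character becomes '#' + 3-digit octal
    """
    if mode not in ("space", "escape"):
        raise ValueError("mode must be 'space' or 'escape'")
    out = bytearray()
    for byte in msg:
        if byte < 0x20 or byte == 0x7F:
            out += b" " if mode == "space" else b"#%03o" % byte
        else:
            out.append(byte)
    return bytes(out)


def to_log_records(messages, mode: str = "space") -> bytes:
    """Serialise messages so LF appears only as the record delimiter."""
    return b"".join(sanitize(m, mode) + b"\n" for m in messages)


if __name__ == "__main__":
    # Over LF-framed TCP the same bytes would be seen as four messages.
    print(len(split_lf_framed(DATAGRAM)), "frames if LF is the delimiter")
    # Received as one datagram and sanitised, it is exactly one record.
    print(to_log_records([DATAGRAM]).decode(), end="")
    print(to_log_records([DATAGRAM], mode="escape").decode(), end="")
```

With the datagram treated as one message and sanitised before writing, a line-oriented filter over the output sees the whole trap as a single record.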
