MonitorWare Knowledge Base

tshark ->
359.658047 172.31.0.19 -> 172.25.2.155 Syslog LOCAL7.DEBUG: 09/15/2008:22:56:35 GMT ns 514716 <snip>

logfile output ->
Sep 15 21:50:47 09/15/2008: 22:56:35 GMT ns 514716 <snip>

Where'd the hostname go? We're having no other problems from any other host device. Additionally, this problem didn't exist until I moved to rsyslog.

Any suggestions?

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

The syslog message is horribly malformed. The date is totally invalid and at the location where the hostname should be (see RFC 3164 for reference). Thus the parser has nothing that is a clear indication of which field is what. However, I see that the date includes a slash, so I may be able to modify the parser to detect the invalid hostname. Then, however, it still mistakes it for TAG and there is no logic that can prevent this. Any chance that the message originator gets fixed?

If you just need the hostname, you can use %fromhost% instead of %hostname% (which the default template uses). Fromhost is the system we received the message from. For details, see http://www.rsyslog.com/doc-property_replacer.html

HTH
Rainer

The device sending the message is a large company load balancer. There's not a damn thing I can do about them not following RFCs

Thanks, I'll try %fromhost% and see what I can break.

Evil, I can't remove my stupid post. I realized that yes, %fromhost% is used in a template.

Now I just need to figure out if I can apply a template to a single host

I removed the post

To apply a template only for a specific host, you need to filter based on this host. See the rsyslog.conf description, search for filters

Rainer

Thanks for the tips, Rainer. I ended up with:

Code: Select all

$template acme, "%TIMESTAMP% %FROMHOST% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
:hostname, isequal, "" -/var/log/ncolog; acme
:hostname, isequal, "" -/var/log/ncolog ~


But it's not working, hostname is set to something, even though it's not valid (I thought it was NULL). I'll figure it out

Thanks again.

Yes, as I said, it is misinterpreting the hostname because of the invalid message format. But why not use fromhost in the filter?

Oh... and I see the misunderstanding. There always was a hostname present. I guess it is some part of the date. Rsyslog is simply using what it is told as the hostname. And as the message is not correctly formatted, that information is wrong. If rsyslog would be able to detect that the hostname provided can not be a hostname, it would itself not have used that value.