I have a Linux machine running rsyslog 3.18.1. I also have several pieces of Cisco equipment that like to send syslog messages that look like this:
"<130> [ERROR] iapp_socket_task.c 399: iappSocketTask: iappRecvPkt returned error"
I believe the space between the "<130>" and the "[ERROR]" is causing rsyslog to erroneously believe that the packet had been forwarded from another system. The entry shows up like this in my /var/log/messages:
"Sep 21 07:00:47 [ERROR] iapp_socket_task.c 399: iappSocketTask: iappRecvPkt returned error"
You may not be able to see it, but there are two spaces between "47" and "[ERROR]".
Is there any way to get rsyslog to log this properly? (i.e. insert the remote host between the two spaces)
To give you an easier way to recreate the problem, I wrote this program:
---
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/un.h>

int main(void)
{
    /* Connect to the local syslog socket the same way syslog(3) does */
    struct sockaddr_un addr;
    int sock = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (sock < 0) { perror("socket"); return 1; }
    fcntl(sock, F_SETFD, FD_CLOEXEC);
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, "/dev/log", sizeof(addr.sun_path) - 1);
    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) { perror("connect"); return 1; }
    /* Same shape as the Cisco message: a space right after <PRI>, no timestamp and no hostname */
    const char *message = "<186> [WARNING] apf_80211.c 4215: Notification from AP";
    if (send(sock, message, strlen(message), MSG_NOSIGNAL) < 0) { perror("send"); return 1; }
    close(sock);
    return 0;
}
---
Thanks
Jason Duerstock
Gallaudet University
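To show what is going wrong in the parse, here is an added example (not part of Jason's post and not rsyslog's own code) of a minimal RFC 3164 header parser. It extracts the PRI, then looks for the "Mmm dd hh:mm:ss HOSTNAME " header; when that header is absent, as in the Cisco message where a space follows the PRI directly, it falls back to the address of the peer that delivered the packet and strips the leading whitespace, which is the behaviour the question is asking for. The peer address "192.0.2.10" is a constructed sample value.

```python
import re

# PRI is "<n>" with 0 <= n <= 191 (RFC 3164 section 4.1.1)
PRI_RE = re.compile(r'^<(\d{1,3})>')
# TIMESTAMP "Mmm dd hh:mm:ss" (day may be space-padded) followed by HOSTNAME and a space
HEADER_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) ')


def parse_syslog(raw, peer):
    """Parse one syslog datagram; `peer` is the sender address seen by the receiver.

    Returns a dict or None when the packet does not start with a valid PRI.
    """
    m = PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    rest = raw[m.end():]
    record = {'pri': pri, 'facility': pri >> 3, 'severity': pri & 7}

    h = HEADER_RE.match(rest)
    if h:
        # Well-formed header: trust the timestamp and hostname carried in the packet.
        record.update(timestamp=h.group('ts'), host=h.group('host'),
                      msg=rest[h.end():], header_in_packet=True)
    else:
        # No timestamp/hostname after PRI (e.g. "<130> [ERROR] ..."): the only
        # reliable host is the peer that sent the datagram. Strip the leading
        # whitespace so the message text does not start with a bogus empty field.
        record.update(timestamp=None, host=peer,
                      msg=rest.lstrip(), header_in_packet=False)
    return record


def format_messages_line(record, received_at):
    """Render a record the way a /var/log/messages line looks: time, host, message."""
    ts = record['timestamp'] or received_at
    return '%s %s %s' % (ts, record['host'], record['msg'])


if __name__ == '__main__':
    # Constructed samples: the Cisco line from the post, and the RFC 3164 example message
    cisco = '<130> [ERROR] iapp_socket_task.c 399: iappSocketTask: iappRecvPkt returned error'
    rfc = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
    for raw in (cisco, rfc):
        rec = parse_syslog(raw, '192.0.2.10')
        print(format_messages_line(rec, 'Sep 21 07:00:47'))
```

The fallback to the peer address is the important part: a receiver that accepts whatever follows the PRI as a pre-formatted header will silently record an empty host for every device that sends "<PRI> msg", so the logs lose the one field that says which box produced the error.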