MonitorWare Knowledge Base

by **trefalgar** on Thu Sep 25, 2008 4:11 pm

It's pretty obvious rsyslog enforces the RFCs far more than the stock syslogd or syslog-ng, and I have a question about that enforcement.

What does rsyslog do with a message that doesn't have a syslogtag? The messages I receive successfully have tags:

"SRS:" tag: Sep 25 15:15:01 ncc5-blade1 SRS: PeriodicStats:1

The messages I don't receive have no tag:

"NULL" tag: Sep 25 10:15:06 tst5-jbs-01 PeriodicStats:1

Is it just a matter of checking to see if %syslogtag% is empty, and define a new template, or is this enforcement not something I can work around?

Learn more about rsyslog professional services.

Custom written rsyslog.conf?
Maintenance Contract?
Installation support?

by **rgerhards** on Thu Sep 25, 2008 4:14 pm

Hi,

I don't fully understand the question. Are the samples the actual messages as can be seen on the wire?

In any case, I guess you can find the answer to your question by reading this: http://www.rsyslog.com/doc-syslog_parsing.html

Rainer

by **trefalgar** on Thu Sep 25, 2008 4:39 pm

Actually, I just figured out the problem. In the messages that aren't sent with a tag, the "msg" begins with:

PeriodicStats:1<snip>:1

rsyslog is taking "PeriodicStats:" and making that into the tag, so my filters in the configuration file aren't working since they're looking for "Peridoic" in msg, not syslogtag. Now I just have to figure out how to remove the space between the syslogtag and the rest of the message, so it doesn't break my other parsers that read in all the garbage!

by **rgerhards** on Thu Sep 25, 2008 4:58 pm

It that space is inside the logfile, you can simply create a new template which does not have that space inside it.

by **trefalgar** on Thu Sep 25, 2008 5:05 pm

I'd agree, but ...

%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%

There's no space in the default template, so it's being added somewhere by rsyslog, as it's not part of the message being sent. It converts:

PeriodicStats:1<snip>:1

Into:

PeriodicStats: 1<snip>:1

So while there's no space between %syslogtag% and %msg%, there must be a space appended to %syslogtag% or front loaded to %msg%

by **rgerhards** on Thu Sep 25, 2008 5:08 pm

well... The sp-if-no-1st-sp option adds a space if the string does not start with a space

Probably this is the source of it. I suggest to remove it.

by **trefalgar** on Thu Sep 25, 2008 5:10 pm

Oh *grin*. Well then ... :oops:

I shall give it a go!

by **rgerhards** on Thu Sep 25, 2008 5:18 pm

You might find this thread interesting: http://lists.adiscon.net/pipermail/rsys ... 00893.html - not a necessary read, but it tells why this option exists and also shows some of the complexities of correctly parsing messages

MonitorWare Knowledge Base

Empty syslogtag

Empty syslogtag

Professional Services Information

Learn more about rsyslog professional services.

Re: Empty syslogtag

Re: Empty syslogtag

Re: Empty syslogtag

Re: Empty syslogtag

Re: Empty syslogtag

Re: Empty syslogtag

Re: Empty syslogtag

Google Ads

Who is online