MonitorWare Knowledge Base

Hi,

I'm just upgrading to Fedora 10, and rsyslog is now the default syslog daemon.
The current version is 3.21.9-2.fc10. I'm trying to migrate a syslog-ng
configuration, and so far I like the approach in rsyslog.

However, one of my filter expressions was giving me strange results, so I broke
it down into the following snippet whose behavior I cannot understand:

$template CronFormat,"%timereported% %HOSTNAME% %syslogtag% [cronrule %syslogseverity-text% %syslogseverity%]%msg:::sp-if-no-1st-sp%%msg%\n"

if ($syslogfacility-text == 'cron') and ($syslogseverity <= 4) \
then -/var/log/messages;CronFormat

This is the only action that uses the CronFormat template. I cannot understand why I am
seeing entries like these in /var/log/messages:

Feb 11 20:50:01 ti82 CROND[12005]: [cronrule info 6] (root) CMD (/usr/lib/sa/sa1 -d 1 1)

The template for the message shows us quite clearly that the syslogseverity value
is 6, and the filter expression is supposed to limit us to messages where the severity
is <= 4. So why does this message appear? Is this a bug in the filter expression
evaluator? Should I try building a different version of rsyslog? Or am I just confused
and not understanding how this stuff is supposed to work?

Thanks in advance for any help you can provide,
Andy

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

FYI, I just built 3.20.4, and I am seeing the same behavior.

Regards,
Andy

Hi Andy,

could you provide a debug log while such a message is being processed? That would probably give more insight.

Details here: http://www.rsyslog.com/doc-debug.html

Rainer

Hi Rainer,

Sure, no problem. I hope I did this the right way.

I ran this command: rsyslogd -c3 -dn > /tmp/rsyslog.log
And then I used the "logger" command to inject a test message to demonstrate the problem,
like so:
logger -p cron.info this is a fake cron message

I am attaching the log file, as well as rsyslog.conf.

I'm aware that it's probably not a good idea to have multiple actions that use the same file,
but I did this in order to debug the problem (originally there was one big expression for
/var/log/messages).

Actually, I am strangely unable to upload attachments. Each time I try (using firefox 3.0.6 running
on linux), I get an error says "The extension XXX is not allowed", where XXX is whatever
extension I happened to try (such as txt or log or dbg). I feel very stupid. I tried
a filename with no extension at all, but it will still not accept it. Can anybody offer guidance
on how to send an attachment? I must be doing something incredibly dumb...
Or is there somewhere I can email the 2 files?

Thanks for your help,
Andy

P.S. I really like the "discard" feature. That was a great idea.

Just mail me at rgerhards@gmail.com, but drop me a note you have done so here at the forum. I haven't checked, but I think almost all attachments are turned off to prevent spread of warez and malware...

Rainer

Hi Rainer,

I just emailed you the files.

Thanks for your help,
Andy

Andy,

I was dragged in a bit project (quite unexpected), will look at them ASAP, but it may be I can't manage before next week. Will try my best...

Rainer

Hi Rainer,

That's no problem. I suppose I could always debug the code myself, but I'm not
feeling that energetic. For now, we are falling back to syslog-ng.

Regards,
Andy

FYI, I reported this problem to Redhat bugzilla here:

https://bugzilla.redhat.com/show_bug.cgi?id=485937

and they suggest a workaround of putting quotes around the numeric constant
being compared. I guess there's a problem with the implicit type conversions.

Regards,
Andy

I got a patch from red hat, that is now integrated (but not yet released), looks like it is exactly *that* issue - didn't make the connection, when I got the patch, sorry for that...

Rainer