TCP syslog and improper line breaks

This is the place for you, if you got rsyslog up and running but wonder how to make it do what you want.

Moderator: rgerhards


Postby korona_syn » Thu Jun 29, 2017 9:35 pm

I have a setup where there is a pair of rsyslog servers receiving messages from a load balancer via TCP 514.

With SYSLOG configured to use UDP, each SYSLOG message from the LB is transmitted in each packet. The resulting log looks fine with one message in each line. With SYSLOG configured to use TCP, there are multiple messages from the LB in each packet; these messages are concatenated with as much as that one packet can handle.

The resulting file is a mess because it seems like the line breaks are not respected and there is one massive line with multiple messages.

I've also noticed that in the log file when TCP is used there is the following, where a line break should occur, "#000". My assumption is that a template should resolve this (and am currently researching/learning this portion) however I still worry that even with a template there could be some data missing due to the lb filling up the packet with what it can and placing the remaining information in the subsequent packet.

In looking at a packet trace there is no actual #000, it's just a blank space. This makes me wonder if rsyslog simply replaces that space with #000 because it doesn't know what else to do.

In troubleshooting I've stripped down the config to barebones and am currently only using the following which (for UDP at least) meets my needs:

# Default Settings

# Load Modules
module(load="imudp")
module(load="imtcp")
module(load="imuxsock")

# rsyslog Templates

# rsyslog Input Modules
input(type="imudp"
      port="514")
input(type="imtcp"
      port="514")

# rsyslog RuleSets
# Default RuleSet
if $fromhost-ip == "192.168.243.254" then {
    action(type="omfile"
           File="/var/log/lsn_lq")
}

Thank you in advance for the help. Even with the troubles I'm finding rsyslog to be a really great tool and am enjoying the learning process.
korona_syn
New
 
Posts: 1
Joined: Thu Jun 29, 2017 9:14 pm
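
An added example, not part of the original post and not rsyslog's own code: a simplified model of stream framing on a TCP syslog receiver, showing why a sender that terminates messages with a NUL byte produces one long line with "#000" escapes when only LF is treated as the delimiter, and why messages cut across packets are not lost once the delimiter is recognised. It assumes the byte the load balancer sends is NUL (which is what an escaped #000 corresponds to); the class, function names and sample messages are constructed for illustration.

```python
# Added illustration: how a TCP syslog receiver splits a byte stream into messages.
# Names (Deframer, escape_ctl, SEGMENTS) are hypothetical, not rsyslog internals.

def escape_ctl(data: bytes) -> str:
    """Show control characters as '#' plus three octal digits, e.g. NUL -> #000."""
    return "".join(f"#{b:03o}" if b < 0x20 or b == 0x7F else chr(b) for b in data)

class Deframer:
    """Buffers TCP segments and cuts messages at any byte in `delimiters`."""

    def __init__(self, delimiters: bytes = b"\n"):
        self.delimiters = delimiters
        self.buf = b""

    def feed(self, segment: bytes) -> list:
        """Append one segment; return the messages it completed."""
        self.buf += segment
        done, start = [], 0
        for i, byte in enumerate(self.buf):
            if byte in self.delimiters:
                if i > start:
                    done.append(self.buf[start:i])
                start = i + 1
        self.buf = self.buf[start:]  # incomplete tail waits for the next segment
        return done

# Constructed sample: three NUL-terminated messages, cut mid-message across
# two TCP segments the way a sender filling each packet would cut them.
SEGMENTS = [
    b"<134>lb1 conn=1 action=allow\x00<134>lb1 conn=2 act",
    b"ion=deny\x00<134>lb1 conn=3 action=allow\x00",
]

def run(delimiters: bytes):
    """Return (completed messages, unterminated remainder), both escaped."""
    d = Deframer(delimiters)
    msgs = [escape_ctl(m) for seg in SEGMENTS for m in d.feed(seg)]
    return msgs, escape_ctl(d.buf)

if __name__ == "__main__":
    for label, delims in (("LF only", b"\n"), ("LF or NUL", b"\n\x00")):
        msgs, rest = run(delims)
        print(label, "->", len(msgs), "messages; remainder:", rest or "(empty)")
        for m in msgs:
            print("   ", m)
```

rsyslog's imtcp module has an AddtlFrameDelimiter parameter for senders that terminate messages with a byte other than LF.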
