messages from syslogNT have no hostnames


messages from syslogNT have no hostnames

Postby Tulanian on Thu Sep 29, 2005 10:43 pm

I've just installed rsyslog 1.10.2 and am having a problem with messages from our windows machines. We've installed syslogNT to forward event log messages to syslog, and it worked fine with the stock syslog. However, rsyslog omits the hostnames. I've tried with no template and with the example TraditionalFormat, but both log without the hostname. I don't have this problem with messages sent from unix machines.

Any ideas?

Thanks.

Bill
Tulanian

RE: messages from syslogNT have no hostnames

Postby rgerhards on Fri Sep 30, 2005 9:05 am

Bill, I think that stems back to a non-RFC 3164 compliant message format sent by syslogNT. rsyslog uses RFC 3164 compliant parsing to support relay chains and NAT. Thus it takes the sender name (only by default!) from the message - where it probably is not ;) Stock syslogd instead uses the address/name of the system that sent the message (which is invalid in relay chains and NATed environments). To do the same, you can use the FROMHOST property in your template.

I hope that works for you.
Rainer

PS: as a side-note: I have a more capable parser on my todo list, one that can probably be provided a parse template much like you can currently provide output templates. Such a parser would remove many of the problems currently existing with different sender applications.
rgerhards
Site Admin
Posts: 1780
Joined: Thu Feb 13, 2003 11:57 am

RE: messages from syslogNT have no hostnames

Postby Tulanian on Fri Sep 30, 2005 4:21 pm

Thanks for the help! This answers my question.
Tulanian
New
Posts: 3
Joined: Thu Sep 29, 2005 10:50 pm

RE: messages from syslogNT have no hostnames

Postby Tulanian on Fri Sep 30, 2005 5:26 pm

Another question. Here's a sample of the raw message from NTsyslog.

<155>Sep 30 11:17:23 winvnc4[error] 1 SConnection: AuthFailureException: Either the username was not recognised, or the password was incorrect

rsyslog misses the "winvnc4[error]" part of the message. I guess the parser is splitting on spaces, and after the datestamp calls the first field the hostname, the second the tag and the third the message? It would be very helpful for me to be able to configure the parser to handle the NTsyslog format, which is

datestamp eventLog[eventType] eventID message
Tulanian
New
Posts: 3
Joined: Thu Sep 29, 2005 10:50 pm

RE: messages from syslogNT have no hostnames

Postby rgerhards on Fri Sep 30, 2005 5:36 pm

I hate to say it, but... the parser is currently hard-coded to follow RFC 3164 (http://www.ietf.org/rfc/rfc3164.txt). There is no way to configure the parser itself (other than, of course, modifying the source). However, you can probably go ahead with the rawmsg property and the new regular expression support. That should do the trick.

Doc is available at http://www.rsyslog.com/index.php?module ... lacer.html

Rainer
rgerhards
Site Admin
Posts: 1780
Joined: Thu Feb 13, 2003 11:57 am
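Added example (not rsyslog's code and not from either poster): a Python sketch of why a strict RFC 3164 split swallows "winvnc4[error]" as the hostname, next to a regular expression for the NTsyslog layout quoted above that takes the sender address (what rsyslog's FROMHOST property supplies) in place of the missing hostname. The sample lines and the 192.0.2.10 address are constructed; the regex only mirrors what one would express in a rawmsg template, not rsyslog's parser itself.

```python
import re

# Constructed sample: the raw NTsyslog line quoted in this thread. There is no
# hostname field between the timestamp and the "eventLog[eventType]" token.
NTSYSLOG_LINE = ("<155>Sep 30 11:17:23 winvnc4[error] 1 SConnection: "
                 "AuthFailureException: Either the username was not "
                 "recognised, or the password was incorrect")

# Constructed sample of a well-formed RFC 3164 line from a Unix host.
UNIX_LINE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick"

# PRI and the RFC 3164 TIMESTAMP ("Mmm dd hh:mm:ss"), common to both layouts.
PRI_TS = r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "

# RFC 3164: after PRI and TIMESTAMP the next token is HOSTNAME, whatever it is.
RFC3164 = re.compile(PRI_TS + r"(?P<host>\S+) (?P<msg>.*)$", re.S)

# NTsyslog layout as described above: datestamp eventLog[eventType] eventID msg
NTSYSLOG = re.compile(PRI_TS + r"(?P<eventlog>[^\[\s]+)\[(?P<eventtype>[^\]]+)\] "
                      r"(?P<eventid>\d+) (?P<msg>.*)$", re.S)

def parse_rfc3164(line):
    """Strict RFC 3164 view: the hostname is taken from inside the packet."""
    m = RFC3164.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["pri"] = int(d["pri"])
    d["facility"], d["severity"] = divmod(d["pri"], 8)  # PRI = facility*8 + severity
    return d

def parse_ntsyslog(line, fromhost):
    """NTsyslog view: the packet carries no hostname, so the address the
    packet arrived from (FROMHOST in rsyslog terms) is used instead."""
    m = NTSYSLOG.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["pri"] = int(d["pri"])
    d["facility"], d["severity"] = divmod(d["pri"], 8)
    d["eventid"] = int(d["eventid"])
    d["host"] = fromhost
    return d

def parse_line(line, fromhost):
    """Try the NTsyslog layout first; fall back to plain RFC 3164 parsing."""
    return parse_ntsyslog(line, fromhost) or parse_rfc3164(line)

if __name__ == "__main__":
    print(parse_rfc3164(NTSYSLOG_LINE)["host"])           # winvnc4[error]
    print(parse_line(NTSYSLOG_LINE, "192.0.2.10")["host"])  # 192.0.2.10
```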
