The property msg contains a space as first character?

General discussions here

Moderator: rgerhards

Google Ads


The property msg contains a space as first character?

Postby syslogadmin2016 » Wed Nov 30, 2016 6:08 pm

Hello everybody,

I'm on a proyect where we have to define a template that forces a constant hostname and the adds the hostname to the tag, all this while keeping the fomat compliant with RFC5424.

It worked on my test server but then i tried a couple of machines and this is the result, I will use the tcpdump because it shows the spaces clearly. When I send from a centos7 to debian wheezy using this template:

Code: Select all
$template test2,"<%pri%>1 %timereported:::date-rfc3339% apache %hostname%@%syslogtag:R,ERE,0,DFLT:[^:]+--end% - - -%msg:::drop-last-lf%\n"


Code: Select all
16:10:01.513518 IP 192.168.0.1.39230 > 192.168.0.10.514: SYSLOG daemon.info, length: 104
   0x0000:  4500 0084 4d82 4000 4011 6b8b c0a8 0001  E...M.@.@.k.....
   0x0010:  c0a8 000a 993e 0202 0070 0c01 3c33 303e  .....>...p..<30>
   0x0020:  3120 3230 3136 2d31 312d 3330 5431 353a  1.2016-11-30T15:
   0x0030:  3130 3a30 312e 3630 3834 3237 2b30 303a  10:01.608427+00:
   0x0040:  3030 2061 7061 6368 6520 6c6f 6361 6c68  00.apache.localh
   0x0050:  6f73 7440 7379 7374 656d 6420 2d20 2d20  ost@systemd.-.-.
   0x0060:  2d53 7461 7274 696e 6720 5365 7373 696f  -Starting.Sessio
   0x0070:  6e20 3135 3420 6f66 2075 7365 7220 726f  n.154.of.user.ro
   0x0080:  6f74 2e0a                                ot..


Notice that there is no space after the third hyphen. Just when the message begins.

Now when i do the oposite using this template, that is essentialy the same.
Code: Select all
$template sistematest,"<%pri%>1 %timereported:::date-rfc3339% sistematest %hostname%@%syslogtag:R,ERE,0,DFLT:[^:]+--end% - - -%msg:::drop-last-lf%\n"


Code: Select all
15:27:00.885638 IP 192.168.0.10.54037 > 192.168.0.1.514: SYSLOG authpriv.info, length: 104
   0x0000:  4500 0084 f7ca 4000 4011 c142 c0a8 000a  E.....@.@..B....
   0x0010:  c0a8 0001 d315 0202 0070 c546 3c38 363e  .........p.F<86>
   0x0020:  3120 3230 3136 2d31 312d 3330 5431 363a  1.2016-11-30T16:
   0x0030:  3237 3a30 302e 3738 3136 3931 2b30 313a  27:00.781691+01:
   0x0040:  3030 2073 6973 7465 6d61 7465 7374 2064  00.sistematest.d
   0x0050:  6562 6961 6e40 7375 5b33 3835 305d 202d  ebian@su[3850].-
   0x0060:  202d 202d 2053 7563 6365 7373 6675 6c20  .-.-.Successful.
   0x0070:  7375 2066 6f72 2072 6f6f 7420 6279 2072  su.for.root.by.r
   0x0080:  6f6f 740a                                oot.


I you don't notice now there is a space after the third hyphen. And since the template does not have this space it must be something included in the proporty msg.

I hae to deploy this template to many linux machines (different versions and distros) and I don't know what beahaviour expect. Is the space in the msg property something included/deleted after any version? Is something related to distro?

Thanks a lot for the help.
syslogadmin2016
New
 
Posts: 3
Joined: Tue Oct 04, 2016 11:18 am

Urgent Question?

  • Pulling out your Hair?
  • Wasting Time and Money?
  • Deadline Approaching?

Re: The property msg contains a space as first character?

Postby dlang » Wed Nov 30, 2016 11:07 pm

Unfortuantly, the $msg may or may not contain a space at the beginning, that is why there is the sp-if-no-1st-sp option exists, to clean this up.
so instead of:
Code: Select all
$template test2,"<%pri%>1 %timereported:::date-rfc3339% apache %hostname%@%syslogtag:R,ERE,0,DFLT:[^:]+--end% - - -%msg:::drop-last-lf%\n"

you need to do:
Code: Select all
$template test2,"<%pri%>1 %timereported:::date-rfc3339% apache %hostname%@%syslogtag:R,ERE,0,DFLT:[^:]+--end% - - -%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"


There is a message modification module being created that will allow you to strip the first space off of the message so you don't have to do this in the template, but that's not going to be available until 8.24
dlang
Frequent Poster
 
Posts: 1001
Joined: Mon Sep 15, 2008 7:44 am

Re: The property msg contains a space as first character?

Postby syslogadmin2016 » Fri Dec 02, 2016 10:53 am

Well I'm doing a custom template for all our machines so solving this problem in the template is exactly what I want. Now I can create a unique template for all servers.

A million thanks dlang, this completeley solves our problem.
syslogadmin2016
New
 
Posts: 3
Joined: Tue Oct 04, 2016 11:18 am

Google Ads



Return to General

Who is online

Users browsing this forum: No registered users and 2 guests

cron