Probably what is happening is that the thing that is generating the log message
is sending a malformed message.
If you can spot anything common about the messages that act this way, set up a
debug log (format RSYSLOG_DebugFormat) and look at what the raw logs are and
what the parsed values are.
If it's happening frequently enough, just log everything to a file with that
format, and then look for the timestamp in that log and see what shows up.
David Lang
On Tue, 18 Jun 2013, Khushil Dep wrote:
Date: Tue, 18 Jun 2013 18:16:55 +0000
From: Khushil Dep <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: [rsyslog] Odd issue with source and source_host
Hey all,
My rsyslog config works 99% of the time - which is great but the 1% is annoying
me :-)
I have the following configuration:
$ModLoad immark # provides --MARK-- message capability
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imsolaris # kernel logging (imklog or imsolaris)
$ModLoad omrabbitmq # provides rabbitmq output
$ModLoad imudp.so # provides UDP syslog reception
$ModLoad imfile # provides FILE input
$UDPServerRun 514 # start a UDP syslog server at standard port 514
# Save all messages to /var/log/syslog for debug purposes too
*.* /var/log/syslog
$template malefantJSON,"{%timestamp:::date-rfc3339,jsonf:@timestamp%,%source:::jsonf:@source%,%source:::jsonf:@source_host%,\"@message\":\"%msg:::json%\",\"@fields\":{%syslogfacility-text:::jsonf:facility%,%syslogseverity-text:::jsonf:severity%,%app-name:::jsonf:program%,%procid:::jsonf:processid%}}"
$RepeatedMsgReduction off
*.* action(type="omrabbitmq"
host="10.250.76.69"
virtual_host="/"
user="pump"
password="dump"
exchange="syslog"
routing_key="syslog.all"
template="malefantJSON")
Every now and then I get a date stamp in my SOURCE or SOURCE_HOST fields.
That does not make sense to me! :-)
--
Khushil Dep - Infrastructure Lead
MailOnline
@khushil
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
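
One way to act on the advice above about spotting what the odd messages have in common, as an added example that is not part of the original thread: it scans JSON records of the shape the malefantJSON template emits (one per line) and flags those whose @source or @source_host looks like a timestamp, counted per program. The sample records, the function name and the regex are constructed for illustration.

```python
import json
import re
from collections import Counter

# Values that look like a timestamp or a fragment of one: RFC 3339 dates,
# RFC 3164 "Mmm dd hh:mm:ss" (or just its first token), or a bare time.
TIMESTAMP_LIKE = re.compile(
    r"\d{4}-\d{2}-\d{2}([T ]\d{2}:\d{2}.*)?"
    r"|(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)(\s+\d{1,2}(\s+\d{2}:\d{2}:\d{2})?)?"
    r"|\d{2}:\d{2}:\d{2}(\.\d+)?"
)

# Constructed sample records (not taken from the thread).
SAMPLE = [
    '{"@timestamp":"2013-06-18T18:16:55+00:00","@source":"web01","@source_host":"web01","@message":" job done","@fields":{"facility":"cron","severity":"info","program":"cron","processid":"812"}}',
    '{"@timestamp":"2013-06-18T18:16:56+00:00","@source":"2013-06-18T18:16:56Z","@source_host":"2013-06-18T18:16:56Z","@message":" link up","@fields":{"facility":"local0","severity":"notice","program":"fw01","processid":"-"}}',
    '{"@timestamp":"2013-06-18T18:17:02+00:00","@source":"2013-06-18T18:17:02Z","@source_host":"2013-06-18T18:17:02Z","@message":" link down","@fields":{"facility":"local0","severity":"notice","program":"fw01","processid":"-"}}',
    '{"@timestamp":"2013-06-18T18:17:09+00:00","@source":"Jun","@source_host":"Jun","@message":" 18:17:09 sw02 port flap","@fields":{"facility":"local1","severity":"warning","program":"18","processid":"-"}}',
]


def find_suspect_records(lines):
    """Return (suspects, by_program) for records with a timestamp-like source."""
    suspects, by_program = [], Counter()
    for lineno, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            # Output that is not a JSON object is itself worth a look.
            suspects.append((lineno, "<unparseable>", line.strip()[:60]))
            by_program["<unparseable>"] += 1
            continue
        hits = [rec.get(k) for k in ("@source", "@source_host")
                if TIMESTAMP_LIKE.fullmatch(str(rec.get(k, "")))]
        if hits:
            fields = rec.get("@fields")
            program = fields.get("program", "?") if isinstance(fields, dict) else "?"
            suspects.append((lineno, program, hits[0]))
            by_program[program] += 1
    return suspects, by_program


if __name__ == "__main__":
    suspects, by_program = find_suspect_records(SAMPLE)
    for lineno, program, value in suspects:
        print(f"record {lineno}: program={program!r} source={value!r}")
    print("most common program values:", by_program.most_common())
```

When the hostname slot holds a timestamp, the program value has usually shifted as well, so the per-program count often points at the sending device rather than at a real application name.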