Sorry for the late reply. The rawmsg was like this.

rawmsg: '<14>1 2021-04-26T11:26:31.523+08:00 SRX340-01 RT_FLOW - RT_FLOW_SESSION_CREATE [[email protected] source-address="10.x.x.x" source-port="50721" destination-address="202.x.x.x" destination-port="443" connection-tag="0" service-name="junos-https" nat-source-address="x.x.x.x" nat-source-port="57037" nat-destination-address="202.x.x.x" nat-destination-port="443" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="source-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="175626" username="N/A" roles="N/A" packet-incoming-interface="reth1.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" src-vrf-grp="N/A" dst-vrf-grp="N/A"]'

> you cut out the parts that we need to see to understand what's happening.
>
> we need the rawmsg field that you trimmed off.
>
> David Lang
>
> On Mon, 26 Apr 2021, [email protected] wrote:
>
> > Date: Mon, 26 Apr 2021 16:49:06 +0900
> > From: [email protected]
> > To: David Lang <[email protected]>
> > Cc: ca--- via rsyslog <[email protected]>, [email protected]
> > Subject: Re: Re: [rsyslog] messages are truncated after "-"
> >
> > Thank you!!
> >
> > With RSYSLOG_DebugFormat template, I've got following.
> >
> > Debug line with all properties:
> > FROMHOST: '10.x.x.x'
> > fromhost-ip: '10.x.x.x'
> > HOSTNAME: 'SRX-Hostname'
> > PRI: 14,
> > syslogtag 'RT_FLOW'
> > programname: 'RT_FLOW'
> > APP-NAME: 'RT_FLOW'
> > PROCID: '-'
> > MSGID: 'RT_FLOW_SESSION_CREATE',
> > TIMESTAMP: 'Apr 26 11:00:00'
> > STRUCTURED-DATA: '[[email protected] source-address=~(snipped)]',
> > msg: ''
> > escaped msg: ''
> >
> > Applying custom template(below) got a correct logs.
> > $template srxlog,"%TIMESTAMP% %FROMHOST% %HOSTNAME% %APP-NAME% %MSGID%
> > %STRUCTURED-DATA%\n"
> >
> >
> > Thank you!
> >
> >> please log a message with the template RSYSLOG_DebugFormat so we can see
> >> the raw
> >> message and how it's parsed.
> >>
> >> David Lang
> >>
> >> On Mon, 26 Apr 2021, ca--- via rsyslog wrote:
> >>
> >>> Date: Mon, 26 Apr 2021 11:07:07 +0900
> >>> From: ca--- via rsyslog <[email protected]>
> >>> To: rsyslog-users <[email protected]>
> >>> Cc: [email protected]
> >>> Subject: [rsyslog] messages are truncated after "-"
> >>>
> >>> Hi Experts
> >>>
> >>> I encountered strange behavior that rsyslog truncates message after "-".
> >>> The log message sent from Juniper SRX firewall is like this. (I confirmed
> >>> it with tcpdump)
> >>>
> >>> 2021-04-23T21:30:00.111.+00:00 SRX-HOSTNAME RT_FLOW -
> >>> RT_FLOW_SESSION_CREATE [junos@~~~
> >>>
> >>> But on the log file, I only got
> >>>
> >>> Apr 23 21:30:00 SRX-HOSTNAME RT_FLOW
> >>>
> >>>
> >>> I thought wrong templates was applied, so added following
> >>>
> >>> $template srxlog,"%msg%\n"
> >>> :&fromhost-ip, isequal, SRX-IP, /var/log/SRX-HOSTNAME.log
> >>>
> >>> But result was empty lines were logged on the file.
> >>>
> >>> Does anyone help this situation?
> >>> _______________________________________________
> >>> rsyslog mailing list
> >>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>> http://www.rsyslog.com/professional-services/
> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >>> DON'T LIKE THAT.
> >>>
> >>
> >
>
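
Added example, not part of the thread and not rsyslog's own parser: a small RFC 5424 splitter showing that a message shaped like the rawmsg above ends after its STRUCTURED-DATA element and has no MSG part, consistent with the empty msg field in the debug output. SAMPLE is constructed (documentation-range addresses, placeholder SD-ID flow@32473, a subset of the parameters) and parse_rfc5424 is a hypothetical helper name.

```python
import re

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER = re.compile(r'<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ')
# SD-PARAM: name="value"; inside value the characters ", \ and ] must be backslash-escaped
PARAM = re.compile(r' ([^ ="\]]+)="((?:[^"\\\]]|\\.)*)"')

# Constructed sample shaped like the rawmsg in the thread (placeholder SD-ID and addresses)
SAMPLE = ('<14>1 2021-04-26T11:26:31.523+08:00 SRX340-01 RT_FLOW - RT_FLOW_SESSION_CREATE '
          '[flow@32473 source-address="192.0.2.10" destination-port="443" '
          'src-nat-rule-type="source rule" policy-name="trust-to-untrust"]')

def parse_rfc5424(line):
    """Split one RFC 5424 line into header fields, structured data and MSG."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri, _version, ts, host, app, procid, msgid = m.groups()
    rec = {"facility": int(pri) >> 3, "severity": int(pri) & 7, "timestamp": ts,
           "hostname": host, "app-name": app, "procid": procid, "msgid": msgid, "sd": {}}
    pos = m.end()
    if line.startswith("-", pos):            # NILVALUE: no structured data at all
        pos += 1
    while line.startswith("[", pos):         # one or more SD-ELEMENTs, back to back
        id_end = pos + 1
        while id_end < len(line) and line[id_end] not in " ]":
            id_end += 1
        sd_id, params, pos = line[pos + 1:id_end], {}, id_end
        while (p := PARAM.match(line, pos)):
            params[p.group(1)] = re.sub(r'\\(["\\\]])', r'\1', p.group(2))  # unescape
            pos = p.end()
        if not line.startswith("]", pos):
            raise ValueError("unterminated SD-ELEMENT")
        rec["sd"][sd_id] = params
        pos += 1
    # MSG is optional; when present it follows a single space after STRUCTURED-DATA
    rec["msg"] = line[pos + 1:] if line.startswith(" ", pos) else ""
    return rec

if __name__ == "__main__":
    rec = parse_rfc5424(SAMPLE)
    print("msg:", repr(rec["msg"]))          # a template that writes only MSG logs an empty line
    for sd_id, params in rec["sd"].items():
        print(sd_id, params)
```

The "-" after RT_FLOW is the PROCID nil value, not a delimiter, so nothing is cut off at that point: the payload sits in the structured-data field and has to be written out from there.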

