Hi David, all,

Basically I redid the logging configuration with the bare minimum.
In my case:

logging origin-id hostname
logging facility syslog
logging host 10.150.0.7

I suspect that specifying multiple log levels to be forwarded renders this behavior.

Best,
Pedro

On Fri, Mar 22, 2024 at 9:14 PM David Lang <da...@lang.hm> wrote:
>
> Good to hear. If you can identify what in the logging configuration was
> different that caused this problem, please post it to the list so that others
> can learn from it.
>
> David Lang
>
> On Fri, 22 Mar 2024, Pedro Caetano via rsyslog wrote:
>
> > Starting from a minimal configuration on the switch solved the issue.
> >
> > Thank you for your time and patience.
> >
> > Best,
> > Pedro Caetano
> >
> > On Thu, Mar 21, 2024 at 6:07 PM Pedro Caetano
> > <pedrocaet...@binaryflows.com> wrote:
> >>
> >> I'll strip the configuration to the bare minimum and report back.
> >>
> >> Thank you for your patience.
> >>
> >> Best,
> >> Pedro
> >>
> >> On Thu, Mar 21, 2024 at 1:29 PM David Lang <da...@lang.hm> wrote:
> >> >
> >> > OK, the rawmsg field is telling us that the body of the message sent by the
> >> > device is a bunch of nonsense (control characters with a lot of nulls)
> >> >
> >> > so the problem is on the sending side, not on the rsyslog side, look at your
> >> > options there.
> >> >
> >> > David Lang
> >> >
> >> > On Thu, 21 Mar 2024, Pedro Caetano via rsyslog wrote:
> >> >
> >> > > Date: Thu, 21 Mar 2024 12:34:43 +0000
> >> > > From: Pedro Caetano via rsyslog <rsyslog@lists.adiscon.com>
> >> > > To: rsyslog@lists.adiscon.com
> >> > > Cc: Pedro Caetano <pedrocaet...@binaryflows.com>
> >> > > Subject: [rsyslog] question: decoding cisco syslog messages using pmciscoios
> >> > >
> >> > > Hi,
> >> > >
> >> > > This is the output generated:
> >> > >
> >> > > Debug line with all properties:
> >> > > FROMHOST: '172.26.0.31', fromhost-ip: '172.26.0.31', HOSTNAME:
> >> > > '172.26.0.31', PRI: 43,
> >> > > syslogtag '', programname: '', APP-NAME: '-', PROCID: '-', MSGID: '-',
> >> > > TIMESTAMP: 'Mar 21 12:03:20', STRUCTURED-DATA: '-',
> >> > > msg: '<43>934417: SWPABB1ACCP01: [syslog@9 #000�#034#003H
> >> > > #017���#034#003H #017�#001#001L#001�#000#000�#0
> >> > > 34#003�
> >> > > #010�#001#001K#005�#000#000#001)#000#000�#001#000#000#000#000#000#000#000#000��#000#000#000#000�ͫ�#000#000#000#001#000#017#013�3#000#000#000#016#000#003#000#036#000#023#005�#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#00'
> >> > > escaped msg: '<43>934417: SWPABB1ACCP01: [syslog@9 #000�#034#003H
> >> > > #017���#034#003H #017�#001#001L#001�#000#000�#034#003�
> >> > > #010�#001#001K#005�#000#000#001)#000#000�#001#000#000#000#000#000#000#000#000��#000#000#000#000�ͫ�#000#000#000#001#000#017#013�3#000#000#000#016#000#003#000#036#000#023#005�#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#00'
> >> > > inputname: imtcp rawmsg: '<43>934417: SWPABB1ACCP01: [syslog@9
> >> > > #000�#034#003H #017���#034#003H #017�#001#001L#001�#000#000�#034#003�
> >> > > #010�#001#001K#005�#000#000#001)#000#000�#001#000#000#000#000#000#000#000#000��#000#000#000#000�ͫ�#000#000#000#001#000#017#013�3#000#000#000#016#000#003#000#036#000#023#005�#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000'
> >> > > $!:
> >> > > $.:
> >> > > $/:
> >> > >
> >> > > Below is the configuration in place:
> >> > >
> >> > > $DebugFile /var/log/rsyslogdebug.log
> >> > > $DebugLevel 2
> >> > >
> >> > > template(name="RSYSLOG_DebugFormat" type="list") {
> >> > >     constant(value="Debug line with all properties:\nFROMHOST: '")
> >> > >     property(name="fromhost")
> >> > >     constant(value="', fromhost-ip: '")
> >> > >     property(name="fromhost-ip")
> >> > >     constant(value="', HOSTNAME: '")
> >> > >     property(name="hostname")
> >> > >     constant(value="', PRI: '")
> >> > >     property(name="pri")
> >> > >     constant(value=",\nsyslogtag '")
> >> > >     property(name="syslogtag")
> >> > >     constant(value="', programname: '")
> >> > >     property(name="programname")
> >> > >     constant(value="', APP-NAME: '")
> >> > >     property(name="app-name")
> >> > >     constant(value="', PROCID: '")
> >> > >     property(name="procid")
> >> > >     constant(value="', MSGID: '")
> >> > >     property(name="msgid")
> >> > >     constant(value="',\nTIMESTAMP: '")
> >> > >     property(name="timereported")
> >> > >     constant(value="', STRUCTURED-DATA: '")
> >> > >     property(name="structured-data")
> >> > >     constant(value="',\nmsg: '")
> >> > >     property(name="msg")
> >> > >     constant(value="'\nescaped msg: '")
> >> > >     property(name="msg" controlcharacters="drop")
> >> > >     constant(value="'\ninputname: ")
> >> > >     property(name="inputname")
> >> > >     constant(value=" rawmsg: '")
> >> > >     property(name="rawmsg")
> >> > >     constant(value="'\n$!:")
> >> > >     property(name="$!")
> >> > >     constant(value="\n$.:")
> >> > >     property(name="$.")
> >> > >     constant(value="\n$/:")
> >> > >     property(name="$/")
> >> > >     constant(value="\n\n")
> >> > > }
> >> > >
> >> > > #Modules
> >> > > module(load="imtcp")
> >> > > module(load="pmciscoios")
> >> > >
> >> > > #Inputs
> >> > > input(type="imtcp" port="20514" ruleset="rsyslogswitchs")
> >> > >
> >> > > #Parsers
> >> > > parser(name="custom.ciscoios.withOrigin" type="pmciscoios" present.origin="on")
> >> > >
> >> > > #Rules
> >> > > ruleset(name="rsyslogswitchs" parser="custom.ciscoios.withOrigin"){
> >> > >     *.* /var/log/remote-syslog/testesw3.log;RSYSLOG_DebugFormat
> >> > > }
> >> > >
> >> > > Best,
> >> > > Pedro
> >> > > _______________________________________________
> >> > > rsyslog mailing list
> >> > > https://lists.adiscon.net/mailman/listinfo/rsyslog
> >> > > http://www.rsyslog.com/professional-services/
> >> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >> > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> >> > > if you DON'T LIKE THAT.
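The rawmsg check used in this thread to place the fault on the sending side can be scripted for a collector that receives from many devices. This is an added example, not code from the thread or from rsyslog: the function name, the 0.2 threshold and the clean sample line are assumptions, and the garbled sample is shortened from the rawmsg quoted above.

```python
import re

# rsyslog shows each received control character as '#' plus three octal
# digits (the #000, #034 ... runs in the debug output). Only the control
# range is decoded, so ordinary text such as "#101" is left alone; a literal
# "#012" typed by a sender would still be miscounted.
CTRL_ESCAPE = re.compile(r"#(0[0-3][0-7]|177)")
# Framing used by the switch in this thread: <PRI>sequence: origin: body
CISCO_HEADER = re.compile(r"^<(\d{1,3})>(\d+): (?:(\S+): )?")

# Shortened from the rawmsg quoted in the thread (U+FFFD marks invalid bytes).
GARBLED = ("<43>934417: SWPABB1ACCP01: [syslog@9 #000\ufffd#034#003H "
           "#017\ufffd\ufffd\ufffd#034#003H #017\ufffd#001#001L#001\ufffd#000#000")
# Constructed sample of a well-formed message, for comparison.
CLEAN = ("<189>934418: SWPABB1ACCP01: *Mar 21 12:05:01.123: %LINK-3-UPDOWN: "
         "Interface GigabitEthernet1/0/1, changed state to up")


def triage(rawmsg, threshold=0.2):
    """Classify one rawmsg value as readable text or sender-side binary."""
    header = CISCO_HEADER.match(rawmsg)
    body = rawmsg[header.end():] if header else rawmsg
    decoded = CTRL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), body)
    control = sum(1 for c in decoded if ord(c) < 0x20 or ord(c) == 0x7F)
    invalid = decoded.count("\ufffd")
    ratio = (control + invalid) / len(decoded) if decoded else 0.0
    return {
        "pri": int(header.group(1)) if header else None,
        "origin": header.group(3) if header else None,
        "nul": decoded.count("\x00"),
        "control": control,
        "invalid": invalid,
        "verdict": "binary" if ratio >= threshold else "text",
    }


if __name__ == "__main__":
    for sample in (GARBLED, CLEAN):
        print(triage(sample))
```

A "binary" verdict on rawmsg, which is the message as received before any parser module runs, points at the device's logging configuration rather than at pmciscoios or the ruleset.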