Drumm, Daniel wrote:
> Is there an rsyslog Template that exists to take the data in this format and
> log it? As you state, when rsyslogd gets a malformed message, or one with
> fields additional to that it understands or knows, it will not log it at all,
> will not write it to disk at all, not even a partial malformed log.

No, that is the opposite of what I stated.
When rsyslog receives a message, it attempts to parse the timestamp, fromhost,
and syslog tag out of it, and everything else is the string 'msg'. If the log is
not properly formatted, it may put the wrong things in these fields, but it will
put SOMETHING there (best effort). It also populates the field 'rawmsg' with
whatever arrived.
It does not care if the msg field is CEF:whatever or 'the quick brown fox...'.
You can then parse fields out of the message if you care to, but the msg and
rawmsg fields will be there no matter what.
If the message is longer than your configured maxmessagelength, you will get a
log message that is truncated at that length (and then, depending on the config,
either throw away the rest of the message, or split it at that point into a
second, malformed message containing the next maxmessagelength characters that
are sent)
But it will not just throw them away because it doesn't understand them.
I have seen the OS IP stack throw away UDP messages when they are extremely long
and get fragmented into multiple packets and some of the packets never arrive
due to congestion problems on the network, but that is an intermittent problem,
you would have some get through and others not (and it's been a long time since
I saw this because networks are now much faster than they used to be, so it's
far less common for a network to be that congested, but is still possible)
but the fact that you are seeing them via tcpdump would make it unlikely that
this is the problem.
Can you set up a test where the Palo Alto is only sending the traffic messages to
a test machine and set up a very trivial rsyslog config just writing it to a
file? We may end up wanting to get a debug log if it still fails there.
David Lang
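A minimal test configuration of the kind asked for at the end of the reply, added here as an illustration and not taken from the thread: it writes every received message to one file with the fields rsyslog parsed next to the untouched rawmsg, so you can see exactly what rsyslog made of each Palo Alto line. The UDP port, the output path and the message size limit are assumptions.

```rsyslog
# Added example: trivial rsyslog (v8, RainerScript) config for a test box that
# receives only the Palo Alto traffic logs. Port, path and size are assumptions.

# Raise the parse buffer so a long CEF line is not cut at the default 8k.
global(maxMessageSize="64k")
# Behaviour for a message longer than maxMessageSize: "truncate" drops the
# remainder, "split" turns it into a second (malformed) message, which is the
# choice described above. Needs rsyslog 8.35 or newer; drop on older releases.
global(oversizemsg.input.mode="truncate" oversizemsg.report="on")

module(load="imudp")
input(type="imudp" port="514" ruleset="patest")

# One record per message: the fields rsyslog parsed, then the original bytes.
# rawmsg is filled in however badly the line parsed, so a record here with an
# odd tag or timestamp points at the sender's formatting, not at rsyslog
# dropping the message.
template(name="PaDebug" type="string"
         string="%timegenerated% from=%fromhost-ip% host=%hostname% tag=%syslogtag% pri=%pri%\n    msg=%msg%\n    raw=%rawmsg%\n")

ruleset(name="patest") {
    action(type="omfile" file="/var/log/pa-test.log" template="PaDebug")
}
```

Start it in the foreground with `rsyslogd -n -f test.conf`; if lines still go missing, `rsyslogd -dn -f test.conf` produces the debug log mentioned above.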
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog