If the sender doesn't break up the logs properly with TCP, there really isn't
anything you can do on the receiving end.
If you can get UDP working, then each UDP packet is a separate message.
Since you are running openwrt on the sending side, you could replace the default
logging software with rsyslog there to fix the log format.
David Lang
On Wed, 8 Jan 2025, Alberto via rsyslog wrote:
Date: Wed, 8 Jan 2025 15:25:37 +0100
From: Alberto via rsyslog <rsyslog@lists.adiscon.com>
To: 'rsyslog-users' <rsyslog@lists.adiscon.com>
Cc: Alberto <albe...@bersol.info>
Subject: [rsyslog] Remote log files without Line separator
Hi everybody:
I have a logserver in a Docker container with the "official" image
(Rsyslog/syslog_appliance_alpine) running successfully, and getting logs from
physical hosts on my LAN and other Docker containers hosted locally.
I'm having a problem with a TP-Link router with the OpenWrt system that is sending
logs to my logserver. This is its configuration:
root@wrt:~# cat /etc/config/system
option hostname 'wrt'
option log_hostname 'wrt'
option zonename 'Europe/Madrid'
#option timezone 'UTC'
option timezone 'CET-1CEST,M3.5.0,M10.5.0/3'
option log_ip 'IP HOST LOGSERVER'
option log_port '514'
option log_proto 'tcp'
option log_remote '1'
option cronloglevel '0'
option conloglevel '8'
option klogconloglevel '8'
option log_prefix 'openwrt'
option log_size 64
#option buffersize 1024
option log_trailer_null \0
option log_file '/var/log/messages'
I've set the TCP option because UDP isn't running (I don't know why).
The logserver receives all of its logs in one line, without any line separation,
with this format:
.
openwrt: hostapd: wlan0: STA 1e:bf:ce:0c:54:a4 WPA: group key handshake
completed (RSN)openwrt: hostapd: wlan0: STA 20:57:9e:6e:24:6b WPA: group key
handshake completed (RSN)openwrt: hostapd: wlan0: STA 1e:bf:ce:0c:54:a4 WPA:
group key handshake completed (RSN)openwrt: hostapd: wlan0: STA
20:57:9e:6e:24:6b WPA: group key handshake completed (RSN)
.
With this template:
template(name="tFileFormatwrt" type="list") {
property(name="timereported" dateformat="year")
property(name="timereported" dateformat="month")
property(name="timereported" dateformat="day")
constant(value="-")
property(name="timereported" dateformat="hour")
constant(value=":")
property(name="timereported" dateformat="minute")
constant(value=":")
property(name="timereported" dateformat="second")
constant(value=" ")
#property(name="syslogtag")
property(name="app-name")
constant(value=" ")
property(name="msg")
constant(value="\n")
}
And if I set Debug with this template:
template(name="tLogDEBUG" type="list") {
constant(value="Debug line with all properties:\nFROMHOST: '")
property(name="fromhost")
constant(value="'\nHOSTNAME: '")
property(name="hostname" caseConversion="lower")
constant(value="'\nPROGRAMNAME: '")
property(name="programname" caseConversion="lower")
constant(value="'\nFROMHOST-IP: '")
property(name="fromhost-ip" caseConversion="lower")
constant(value="'\nSYSLOGTAG: '")
property(name="syslogtag" caseConversion="lower")
constant(value="-")
constant(value="'\nAPP-NAME: '")
property(name="app-name" caseConversion="lower")
constant(value="'\nPROCID: '")
property(name="procid" caseConversion="lower")
constant(value="'\nMSGID: '")
property(name="msgid" caseConversion="lower")
constant(value="'\nINPUTNAME: '")
property(name="inputname" caseConversion="lower")
constant(value="'\nPRI: '")
property(name="pri")
constant(value="'\nSTRUCTURED-DATA: ")
property(name="structured-data")
constant(value="',\nMSG: '")
property(name="msg" controlcharacters="drop")
constant(value="',\nRAWMSG: '")
property(name="rawmsg")
constant(value="\n\n")
}
I receive in this format:
Debug line with all properties:
FROMHOST: '172.20.0.1'
HOSTNAME: '172.20.0.1'
PROGRAMNAME: 'openwrt'
FROMHOST-IP: '172.20.0.1'
SYSLOGTAG: 'openwrt:-'
APP-NAME: 'openwrt'
PROCID: '-'
MSGID: '-'
INPUTNAME: 'imtcp'
PRI: '13'
STRUCTURED-DATA: -',
MSG: ' logread[749]: Logread connected to 192.168.5.10:514openwrt: hostapd:
wlan0: STA 1e:bf:ce:0c:54:a4 WPA: group key handshake completed
(RSN)openwrt: hostapd: wlan1: STA 20:57:9e:6e:24:6b WPA: group key handshake
completed (RSN)openwrt: netifd: lan (885): Sending renew...openwrt: netifd:
lan (885): Lease of 192.168.5.11 obtained, lease time 3600openwrt: syslog: -
shutdown -',
RAWMSG: 'openwrt: logread[749]: Logread connected to
192.168.5.10:514openwrt: hostapd: wlan0: STA 1e:bf:ce:0c:54:a4 WPA: group
key handshake completed (RSN)openwrt: hostapd: wlan1: STA 20:57:9e:6e:24:6b
WPA: group key handshake completed (RSN)openwrt: netifd: lan (885): Sending
renew...openwrt: netifd: lan (885): Lease of 192.168.5.11 obtained, lease
time 3600openwrt: syslog: - shutdown -
I don't know how to save logs from this host with the line separator in
each real line, because the source host doesn't seem to send it.
Any idea?
Thank you
Best Regards,
Alberto
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
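The framing problem discussed in this thread, as an added Python sketch (not part of the original posts and not rsyslog's code): a simplified receiver for syslog over TCP that handles the two RFC 6587 framings and shows what is left over when the sender writes no trailer at all. Function names and sample messages are constructed for illustration.

```python
# Added illustration: simplified receiver-side framing for syslog over TCP
# (RFC 6587). Sample messages are constructed, modelled on the thread's output.

def split_frames(stream: bytes) -> tuple[list[bytes], bytes]:
    """Return (complete messages, unterminated remainder) for a TCP byte stream."""
    msgs, pos = [], 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        if sp > pos and stream[pos:sp].isdigit():
            # Octet-counting: "<length> <message>", no trailer needed.
            end = sp + 1 + int(stream[pos:sp])
            if end > len(stream):
                break  # frame not fully received yet
            msgs.append(stream[sp + 1:end])
            pos = end
        else:
            # Non-transparent framing: each message ends with LF.
            nl = stream.find(b"\n", pos)
            if nl == -1:
                break  # no trailer seen: cannot tell where the message ends
            msgs.append(stream[pos:nl])
            pos = nl + 1
    return msgs, stream[pos:]

# Constructed sample messages.
MSGS = [
    b"<13>openwrt: hostapd: wlan0: STA 1e:bf:ce:0c:54:a4 WPA: "
    b"group key handshake completed (RSN)",
    b"<13>openwrt: netifd: lan (885): Sending renew...",
]

def frame_lf(msgs):      # sender appends LF after each message
    return b"".join(m + b"\n" for m in msgs)

def frame_octet(msgs):   # sender prefixes each message with its length
    return b"".join(str(len(m)).encode() + b" " + m for m in msgs)

def frame_none(msgs):    # sender writes messages back to back, no trailer
    return b"".join(msgs)

if __name__ == "__main__":
    for name, framer in (("LF", frame_lf), ("octet", frame_octet),
                         ("none", frame_none)):
        done, rest = split_frames(framer(MSGS))
        print(f"{name:5} -> {len(done)} messages, {len(rest)} bytes unterminated")
```

With no trailer the receiver never finds a message boundary, so the whole stream remains as one unterminated blob, which is consistent with the single long RAWMSG shown in the debug output above.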