[rsyslog] Rsyslog template

Discussion:

Avihu Hagag via rsyslog

2018-10-24 03:49:28 UTC

Hi guys,

I hope this the right forum.
I’ve created a template in rsyslog to take each output over UDP to different log file by host name.
Im having a small issue, when im testing netconsole and im crashing one of the machine by “ echo c > /proc/sysrq-trigger” its redirecting the all output to correct file except for what there’s in “Call trace” after “code”, and creating different file for each output after “code” in “Call trace”

This the output in “Call trace” after code:
“00 01 04 05 0f 1f 25 31 34 39 41 44 45 47 48 4c 55 5d 65 75 81 89 9b NULL PMD PUD SMP Trigger ae be c0 c3 c7 db e2 e5 e8 eb ef f4 f7 f8 ff”

And I don’t know why but its creating for each one in this output different fine.

Here’s my rsyslog configuration:
$template RemoteHost,"/var/syslog/hosts/%HOSTNAME%.log"

$RuleSet remote
*.* ?RemoteHost

All the other outputs are stored correctly in files.
Somehow rsyslog think that each one of this word is a hostname.

Please advise.

Get Outlook for iOS<https://aka.ms/o0ukef>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

David Lang

2018-10-24 03:51:27 UTC

Permalink

can you provide us with your full config and a sample of the log that's written?

I don't understand what's happening based on your post.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

Avihu Hagag via rsyslog

2018-10-24 04:10:58 UTC

Permalink

Thank you for your reply.

I attached the rsyslog conf file, I don't have example for the "call trace" but I meant the one line(that I wrote below) each word in the line create different log for his own and the log that its creating is empty, the correct get the all output except for the problematic line.

Regards,

Avihu Hagag.

Work: +972-74-7237719
Cell: +972526391335

-----Original Message-----
From: David Lang <***@lang.hm>
Sent: Wednesday, October 24, 2018 06:51
To: Avihu Hagag via rsyslog <***@lists.adiscon.com>
Cc: Avihu Hagag <***@mellanox.com>
Subject: Re: [rsyslog] Rsyslog template

can you provide us with your full config and a sample of the log that's written?

I don't understand what's happening based on your post.

David Lang

David Lang

2018-10-24 04:31:34 UTC

Permalink

that sounds like the sending system is doing something odd that is making each
of these words look like a separate log message.

normally I would say that you should log the messages with the template
RSYSLOG_Debug_format so that you can see exactly what the message looks like as
it arrives. That still may be worth doing, but I would say that you should also
do a tcpdump of the inbound traffic to see what it looks like on the wire.

David Lang

On Wed, 24 Oct 2018, Avihu Hagag wrote:

> Date: Wed, 24 Oct 2018 04:10:58 +0000
> From: Avihu Hagag <***@mellanox.com>
> To: David Lang <***@lang.hm>,
> Avihu Hagag via rsyslog <***@lists.adiscon.com>
> Subject: RE: [rsyslog] Rsyslog template
>
> Thank you for your reply.
>
> I attached the rsyslog conf file, I don't have example for the "call trace" but I meant the one line(that I wrote below) each word in the line create different log for his own and the log that its creating is empty, the correct get the all output except for the problematic line.
>
> Regards,
>
> Avihu Hagag.
>
> Work: +972-74-7237719
> Cell: +972526391335
>
>
> -----Original Message-----
> From: David Lang <***@lang.hm>
> Sent: Wednesday, October 24, 2018 06:51
> To: Avihu Hagag via rsyslog <***@lists.adiscon.com>
> Cc: Avihu Hagag <***@mellanox.com>
> Subject: Re: [rsyslog] Rsyslog template
>
> can you provide us with your full config and a sample of the log that's written?
>
> I don't understand what's happening based on your post.
>
> David Lang
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

Avihu Hagag via rsyslog

2018-10-24 05:04:56 UTC

Permalink

On the regular template this line going to the right file, only when I’m customizing template this happens

Get Outlook for iOS<https://aka.ms/o0ukef>

________________________________
From: David Lang <***@lang.hm>
Sent: Wednesday, October 24, 2018 7:31 AM
To: Avihu Hagag
Cc: David Lang; Avihu Hagag via rsyslog
Subject: RE: [rsyslog] Rsyslog template

that sounds like the sending system is doing something odd that is making each
of these words look like a separate log message.

normally I would say that you should log the messages with the template
RSYSLOG_Debug_format so that you can see exactly what the message looks like as
it arrives. That still may be worth doing, but I would say that you should also
do a tcpdump of the inbound traffic to see what it looks like on the wire.

David Lang

On Wed, 24 Oct 2018, Avihu Hagag wrote:

> Date: Wed, 24 Oct 2018 04:10:58 +0000
> From: Avihu Hagag <***@mellanox.com>
> To: David Lang <***@lang.hm>,
> Avihu Hagag via rsyslog <***@lists.adiscon.com>
> Subject: RE: [rsyslog] Rsyslog template
>
> Thank you for your reply.
>
> I attached the rsyslog conf file, I don't have example for the "call trace" but I meant the one line(that I wrote below) each word in the line create different log for his own and the log that its creating is empty, the correct get the all output except for the problematic line.
>
> Regards,
>
> Avihu Hagag.
>
> Work: +972-74-7237719
> Cell: +972526391335
>
>
> -----Original Message-----
> From: David Lang <***@lang.hm>
> Sent: Wednesday, October 24, 2018 06:51
> To: Avihu Hagag via rsyslog <***@lists.adiscon.com>
> Cc: Avihu Hagag <***@mellanox.com>
> Subject: Re: [rsyslog] Rsyslog template
>
> can you provide us with your full config and a sample of the log that's written?
>
> I don't understand what's happening based on your post.
>
> David Lang
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.