Extra characters at beginning of line
Hi Everyone,

I'm running into an issue where syslog-ng is adding extra characters to the beginning of every line. Specifically, "<134>" is getting inserted right before the time stamp:

<134>Jan 7 13:06:17 host1 kernel: device eth0 entered promiscuous mode

This syslog-ng server is sending traffic to a remote Splunk instance (using TCP, not UDP). At first I thought it was Splunk adding the characters, but when I did a tcpdump on syslog-ng's outbound connection I found that they were already present. In addition to sending this traffic to Splunk, the syslog-ng instance also logs locally to a file. The <134> doesn't show up in the local file. Anyone have any ideas where this is coming from?

Thanks!
Florian
"<134>" is the encoding of the facility and severity as per RFC 3164 http://www.ietf.org/rfc/rfc3164.txt (section 4.1.1). Hopefully someone else on the list can point out why it's appearing in your log messages. Can you post your syslog-ng version (syslog-ng -V) and the relevant parts of your syslog-ng.conf file?
Florian Hines <lists@syn-recon.net> 01/08/09 8:59 AM >>>
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
chris packham wrote:
"<134>" is the encoding of the facility and severity as per RFC 3164 http://www.ietf.org/rfc/rfc3164.txt (section 4.1.1).
Hopefully someone else on the list can point out why it's appearing in your log messages. Can you post your syslog-ng version (syslog-ng -V) and the relevant parts of your syslog-ng.conf file?
Ahh, in that case my problem is with Splunk (it's not stripping or using the facility and is just using the whole line as raw input for indexing). Thanks for the help!
Florian
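Chris's reply gives the RFC 3164 meaning of "<134>", and Florian's follow-up concludes that the receiving side should be stripping and using it. The Python parser below is an added example, not part of the thread and not syslog-ng's or Splunk's code; it does what a receiver is expected to do with an RFC 3164 message: validate the PRI part, split it off the message, and decode it into facility and severity (134 = 16 * 8 + 6, i.e. local0.info). The sample lines are constructed, modelled on the line Florian posted, and the function and variable names are my own.

```python
import re

# RFC 3164 section 4.1.1: the PRI part is "<" + decimal(facility * 8 + severity) + ">",
# one to three digits, no leading zeros (except "0" itself), value 0..191.
_PRI_RE = re.compile(r"^<(\d{1,3})>")

# Facility codes 0..23 from RFC 3164 section 4.1.1, using the usual short names.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock2",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

# Severity codes 0..7 from RFC 3164 section 4.1.1.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 section 4.3.3: a relay that finds no valid PRI prepends "<13>" (user.notice).
DEFAULT_PRI = 13


def split_pri(line):
    """Return (pri, remainder) when `line` starts with a valid PRI, else (None, line)."""
    m = _PRI_RE.match(line)
    if not m:
        return None, line
    digits = m.group(1)
    if len(digits) > 1 and digits[0] == "0":
        return None, line          # leading zero: not a valid PRI
    pri = int(digits)
    if pri > 191:
        return None, line          # facility would exceed 23: not a valid PRI
    return pri, line[m.end():]


def decode_pri(pri):
    """Map a PRI value to (facility_name, severity_name)."""
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_syslog_line(line, assume_default_pri=False):
    """Split the PRI off a raw syslog line and decode it.

    Lines without a valid PRI (like the ones in Florian's local file) are kept
    whole; with assume_default_pri=True they are labelled user.notice, which is
    what RFC 3164 tells a relay to assume.
    """
    pri, message = split_pri(line)
    if pri is None:
        if not assume_default_pri:
            return {"pri": None, "facility": None, "severity": None, "message": line}
        pri = DEFAULT_PRI
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity, "message": message}


# Constructed sample input (hypothetical hosts and events): one line as seen on
# the TCP stream to Splunk, the same event as written to the local file, and one
# with an out-of-range value that is therefore not a PRI at all.
SAMPLE_LINES = [
    "<134>Jan 7 13:06:17 host1 kernel: device eth0 entered promiscuous mode",
    "Jan 7 13:06:17 host1 kernel: device eth0 entered promiscuous mode",
    "<999>Jan 7 13:06:18 host1 cron[2112]: (root) CMD (run-parts /etc/cron.hourly)",
]


def summarize(lines):
    """Return one 'facility.severity: message' string per line ('-' when no PRI)."""
    out = []
    for line in lines:
        rec = parse_syslog_line(line)
        tag = "-" if rec["pri"] is None else "%s.%s" % (rec["facility"], rec["severity"])
        out.append("%s: %s" % (tag, rec["message"]))
    return out


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LINES):
        print(entry)
```

The split matches what the thread observed: the TCP stream carries the full RFC 3164 message, PRI included, so a receiver that indexes each line as raw text keeps "<134>" as part of the event, while a receiver that parses the PRI gets facility and severity as fields and the message without the prefix. A PRI that fails validation (leading zero, value above 191) is deliberately left in the text rather than silently dropped, so malformed input stays visible in the index.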
participants (2)
- chris packham
- Florian Hines