Testing structured data syslog messages
Hello list,

I am currently trying to test structured data log messages with syslog-ng. I'm running syslog-ng-3.1.2-1.rhel5. Setup is very simple, with a udp source and a destination to /var/log/messages.

Here's the line I'm trying to use to test with, which according to the RFC, should be fine:

    echo -n '<165>1 2011-02-03T22:14:15.003Z superhostomg process - ID47 [exampleSDID@32473 iut="9" eventSource="rawr" eventID="69"] Message portion. Test log with structured data.' | nc -w 1 -u localhost 514

Unfortunately it is showing up in logs as this:

    2011-02-03T22:45:30+00:00 localhost 1 2011-02-03T22:14:15.003Z superhostomg process - ID47 [exampleSDID@32473 iut="9" eventSource="rawr" eventID="69"] Message portion. Test log with structured data.

So all of the metadata is being printed to $MSG. What am I doing wrong?

Thanks,
What is the $PROGRAM name? I think you're probably missing a colon after whatever is supposed to be the program.

On Thu, Feb 3, 2011 at 7:11 PM, Lance Laursen <lance@demonware.net> wrote:
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
On Thu, Feb 03, 2011 at 05:11:08PM -0800, Lance Laursen wrote:
> Unfortunately it is showing up in logs as this:
>
>     2011-02-03T22:45:30+00:00 localhost 1 2011-02-03T22:14:15.003Z superhostomg process - ID47 [exampleSDID@32473 iut="9" eventSource="rawr" eventID="69"] Message portion. Test log with structured data.
>
> So all of the metadata is being printed to $MSG. What am I doing wrong?
Depending on syslog-ng version you probably need this flag:

    syslog-protocol

http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...

Regards,
Matthew.
Hey Matthew,

That was it, thanks!

For people reading this after the fact, I am running syslog-ng-3.1.2-1.rhel5. Using one of the following two sources will work with rfc5424:

    source s_udp { syslog( ip(0.0.0.0) port(514) transport(udp)); };

    source s_udp { udp(flags(syslog-protocol)); };

This one does not parse correctly:

    source s_udp { udp(); };

Regards,

On Thu, Feb 3, 2011 at 6:34 PM, Matthew Hall <mhall@mhcomputing.net> wrote:
On Fri, 2011-02-04 at 11:55 -0800, Lance Laursen wrote:
> For people reading this after the fact, I am running syslog-ng-3.1.2-1.rhel5. Using one of the following two sources will work with rfc5424:
>
>     source s_udp { syslog( ip(0.0.0.0) port(514) transport(udp)); };
>
>     source s_udp { udp(flags(syslog-protocol)); };
>
> This one does not parse correctly:
>
>     source s_udp { udp(); };
Yup, this is the legacy source. The preferred format is to use the syslog() driver; the flags() stuff is there for mere completeness.

The reason is: over TCP, syslog-ng is able to use the old-style, framing-less protocol by using tcp(flags(syslog-protocol)), whereas syslog(transport(tcp)) uses framing too. udp(flags(syslog-protocol)) is the same as syslog(transport(udp)).

--
Bazsi
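To make the difference between the two parse modes concrete, here is an added example (my own code, not syslog-ng's) that parses the thread's test message as an RFC 5424 frame, pulling out the header fields and the SD-PARAMs that syslog-ng would expose as $PROGRAM, $MSG and ${.SDATA.*}, and contrasts it with a simplified model of the legacy BSD-style parse that left all the metadata in $MSG. The legacy model is an approximation of the udp() driver's behaviour, not its real code, and the sample message is constructed from the thread.

```python
import re

# Constructed sample: the test message from the thread, exactly as sent with nc.
SAMPLE = ('<165>1 2011-02-03T22:14:15.003Z superhostomg process - ID47 '
          '[exampleSDID@32473 iut="9" eventSource="rawr" eventID="69"] '
          'Message portion. Test log with structured data.')
# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
HEADER_RE = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d{0,2}) (?P<ts>\S+) (?P<host>\S+) '
                       r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.DOTALL)
SD_ELEMENT_RE = re.compile(r'\[(?P<sdid>[^ =\]"]+)(?P<params>(?: [^ =\]"]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'([^ =\]"]+)="((?:[^"\\]|\\.)*)"')
BSD_TS_RE = re.compile(r'^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ')

def parse_rfc5424(line):
    """Parse an RFC 5424 frame into the fields syslog-ng exposes as macros; None if malformed."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    pri = int(m['pri'])
    out = {'facility': pri // 8, 'severity': pri % 8, 'timestamp': m['ts'],
           'host': m['host'], 'program': m['app'], 'pid': m['procid'],
           'msgid': m['msgid'], 'sdata': {}, 'msg': ''}
    rest = m['rest']
    if rest.startswith('-'):                      # NILVALUE: no structured data
        rest = rest[1:]
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == '[':  # one or more SD-ELEMENTs, no separator
            e = SD_ELEMENT_RE.match(rest, pos)
            if e is None:
                return None                       # malformed SD-ELEMENT: reject, do not guess
            # PARAM-VALUE escapes '"', '\' and ']' with a backslash; undo that here
            out['sdata'][e['sdid']] = {k: re.sub(r'\\([\\"\]])', r'\1', v)
                                       for k, v in SD_PARAM_RE.findall(e['params'])}
            pos = e.end()
        rest = rest[pos:]
    out['msg'] = rest[1:] if rest.startswith(' ') else rest
    return out

def parse_legacy(line, receiver_host='localhost'):
    """Approximate model of udp() without flags(syslog-protocol): strip <PRI>, expect a BSD
    timestamp; if absent, the receiver stamps its own host/time and the remainder is $MSG."""
    m = re.match(r'^<(\d{1,3})>(.*)$', line, re.DOTALL)
    if m is None:
        return None
    pri, rest = int(m.group(1)), m.group(2)
    out = {'facility': pri // 8, 'severity': pri % 8, 'host': receiver_host, 'msg': rest}
    if BSD_TS_RE.match(rest):                     # "Feb  3 22:14:15 host msg..."
        host, _, msg = rest[16:].partition(' ')
        out.update(timestamp=rest[:15], host=host, msg=msg)
    return out
```

Run against SAMPLE, parse_rfc5424 yields program 'process' and the three SD-PARAMs, while parse_legacy reproduces the thread's symptom: host 'localhost' and the entire remainder after the PRI in msg.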
participants (4): Balazs Scheidler, Lance Laursen, Martin Holste, Matthew Hall