[syslog-ng] rsyslog client produces "Error processing log message"

Andreas Heinlein aheinlein at gmx.com
Wed Nov 7 09:04:34 CET 2012


Gergely Nagy <algernon <at> balabit.hu> writes:

> 
> Andreas Heinlein <aheinlein <at> gmx.com> writes:
> 
> > we have a centralised log server running syslog-ng 3.1 OSE on Debian 
> > 6.0. On the client side, we were using syslog-ng but now I'd like to use 
> > rsyslog instead (for several reasons).
> 
> Independently of the issue below, I'd love to hear the reasons (either
> on-list, or in private).

The main reason is that syslog-ng randomly goes to 100% CPU on the clients
(Ubuntu 12.04, previously we used 10.04 and syslog-ng which worked just fine),
and I've been trying for several days now to figure out why. So I've decided to
try and switch to rsyslog.

> > Transport should be TLS-encrypted TCP. I have set up a connection
> > between the two, but apparently syslog-ng fails to parse the log
> > messages sent by rsyslog. Every log line goes like this:
> >
> > Nov  6 11:15:31 admin2-desktop syslog-ng[1578]: Error processing log 
> > message: <13>Nov  6 11:15:31 admin2-desktop ah: Test4
> >
> > Does anyone have an idea what to configure with either rsyslog or 
> > syslog-ng so the two understand each other?
> >
> > Relevant server side config:
> > source s_all { syslog(ip(172.16.x.x) port(6514) max_connections(50) tls( 
>                  ^^^^^^
> 
> This is the issue. You're telling syslog-ng to expect the new syslog
> protocol, but later in the rsyslog.conf, you don't seem to be telling it
> to send that version, so it will use the legacy BSD format instead.
> 
> You have two options: either use tcp() on the syslog-ng side, or ask
> rsyslog to forward messages according to the new syslog protocol
> (however it may call it, it's RFC5424 by the way, while RFC3164 is the
> legacy BSD format).

I suspected that, but I can't figure out what to configure in rsyslog.conf then.
I thought that it would use the new RFC5424 when *not* using
RSYSLOG_TraditionalForwardFormat, but maybe it doesn't. I should probably ask on
the rsyslog mailing list then. The other way round would break existing
syslog-ng clients; that is not an option.

Thanks for your effort!

Andreas
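To make the mismatch Gergely points at concrete, here is a small added example (not part of the thread, and not syslog-ng or rsyslog code) that checks whether a raw line carries the RFC 5424 header a syslog() source expects or the RFC 3164 header rsyslog sends by default. The sample lines are constructed from the message quoted above; the RFC 5424 form assumes rsyslog is told to use its RSYSLOG_SyslogProtocol23Format template. It also shows the octet-counted framing syslog-ng's syslog() driver uses on TCP/TLS, which the rsyslog side has to match as well.

```python
import re

# Constructed sample lines, not captured from any real host. BSD_LINE is the
# legacy RFC 3164 form rsyslog forwards by default (the one quoted in the
# thread); RFC5424_LINE is the same event in RFC 5424 form.
BSD_LINE = "<13>Nov  6 11:15:31 admin2-desktop ah: Test4"
RFC5424_LINE = "<13>1 2012-11-06T11:15:31+01:00 admin2-desktop ah - - - Test4"

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d{0,2}) "
    r"(?P<ts>-|\d{4}-\d{2}-\d{2}T\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG (day may be space padded)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

def classify(line):
    """Return (format, fields): 'rfc5424', 'rfc3164' or 'unknown'."""
    m = _RFC5424.match(line)
    if m:
        return "rfc5424", m.groupdict()
    m = _RFC3164.match(line)
    if m:
        return "rfc3164", m.groupdict()
    return "unknown", None

def syslog_source_accepts(line):
    """Model a strict syslog() source: only RFC 5424 parses. A legacy line
    here is exactly the 'Error processing log message' case in the thread;
    a tcp() source would take it."""
    return classify(line)[0] == "rfc5424"

def octet_count_frame(line):
    """Octet-counted framing (MSG-LEN SP SYSLOG-MSG) that syslog-ng's syslog()
    driver uses on TCP/TLS; rsyslog defaults to newline-delimited framing,
    so this has to be matched as well when switching the client."""
    data = line.encode("utf-8")
    return b"%d %s" % (len(data), data)

if __name__ == "__main__":
    for line in (BSD_LINE, RFC5424_LINE):
        fmt, _ = classify(line)
        print(fmt, "accepted" if syslog_source_accepts(line) else "rejected", line)
```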