[syslog-ng] vCenter 6.5 RFC5425 prefacing messages with a space

Scheidler, Balázs balazs.scheidler at balabit.com
Sun Feb 18 13:11:28 UTC 2018


The RFC says a single space separates values, so syslog-ng behavior seems
to be correct.

You can always chop a space off as a rewrite rule. And with the recent
application adapters framework, you can also submit this quirk into
syslog-ng, so it is able to fix this behavior out of the box.

On Feb 17, 2018 17:29, "Evan Rempel" <erempel at uvic.ca> wrote:

> Our VMWare team has been busy upgrading our infrastructure to 6.5 which is
> great, but the syslogs started showing up as
>
>
> 2018-02-17T07:00:12 esx.host.name auth.info 1 2018-02-17T07:00:12.162028-08:00 esx.host.name sshd 4662 - -  Did not receive identification string from 142.104.139.163 port 51088
>
> which I recognise as RFC5425, so I added the flags(syslog-protocol) to my
> network source definition. Now the log message arrives much nicer as
>
>
> 2018-02-17T07:48:12 esx.host.name auth.info sshd[20835]:  Did not receive identification string from 142.104.139.163 port 42060
>
> but if you look very closely you will notice that there are 2 spaces in
> "sshd[20835]:  Did" and in the original logged message there were 2 spaces
> preceding the word "Did".
>
> Has anyone seen this before (or currently with your own VMWare 6.5)? I'm
> trying to figure out if this is a bug in syslog-ng or a bug in vCenter 6.5
> or a config error on my systems.
>
> Thanks,
>
>
> Evan.
>
>
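The single-space rule discussed in this thread, as an added example that is not part of the original messages and is not syslog-ng code: a small parser for the RFC 5424 message layout that shows why the second space ends up inside MSG, with an optional normalisation step standing in for the rewrite rule. The function names, the `strip_leading_space` parameter and the PRI value 38 (auth.info) in the sample frame are assumptions made for illustration.

```python
import re

# RFC 5424: SYSLOG-MSG = HEADER SP STRUCTURED-DATA [SP MSG]
# Each separator is exactly one SP; any further space belongs to the next field.
HEADER_RE = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
)

# Constructed frame: the line quoted in the thread with an assumed PRI of 38.
SAMPLE = ("<38>1 2018-02-17T07:00:12.162028-08:00 esx.host.name sshd 4662 - -"
          "  Did not receive identification string from 142.104.139.163 port 51088")

def split_sd(rest):
    """Split STRUCTURED-DATA ('-' or one or more [..] elements) from what follows."""
    if rest.startswith("-"):
        return "-", rest[1:]
    i = 0
    while i < len(rest) and rest[i] == "[":
        in_quotes = False
        i += 1
        while i < len(rest) and (in_quotes or rest[i] != "]"):
            if in_quotes and rest[i] == "\\":
                i += 1                      # skip the escaped character
            elif rest[i] == '"':
                in_quotes = not in_quotes
            i += 1
        if i >= len(rest):
            raise ValueError("unterminated SD-ELEMENT")
        i += 1                              # consume the closing ']'
    if i == 0:
        raise ValueError("STRUCTURED-DATA missing")
    return rest[:i], rest[i:]

def parse_rfc5424(frame, strip_leading_space=False):
    """Parse one frame; optionally drop one extra leading space from MSG."""
    m = HEADER_RE.match(frame)
    if not m:
        raise ValueError("not an RFC 5424 header")
    fields = m.groupdict()
    fields["sd"], rest = split_sd(frame[m.end():])
    if rest and rest[0] != " ":
        raise ValueError("missing SP before MSG")
    msg = rest[1:]                          # only the first SP is the delimiter
    fields["msg"] = msg[1:] if strip_leading_space and msg.startswith(" ") else msg
    fields["facility"], fields["severity"] = divmod(int(fields["pri"]), 8)
    return fields
```
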

