List: syslog-ng
Subject: Re: [syslog-ng] rsyslog client produces "Error processing log message"
From: Balazs Scheidler <bazsi77 () gmail ! com>
Date: 2012-11-08 19:55:52
Message-ID: 1352404552.24568.5.camel () Nokia-N900-51-1
----- Original message -----
> Andreas Heinlein <aheinlein@gmx.com> writes:
>
> > we have a centralised log server running syslog-ng 3.1 OSE on Debian
> > 6.0. On the client side, we were using syslog-ng but now I'd like to
> > use rsyslog instead (for several reasons).
>
> Independently of the issue below, I'd love to hear the reasons (either
> on-list, or in private).
>
> > Transport should be TLS-encrypted TCP. I have set up a connection
> > between the two, but apparently syslog-ng fails to parse the log
> > messages sent by rsyslog. Every log line goes like this:
> >
> > Nov 6 11:15:31 admin2-desktop syslog-ng[1578]: Error processing log
> > message: <13>Nov 6 11:15:31 admin2-desktop ah: Test4
> >
> > Does anyone have an idea what to configure with either rsyslog or
> > syslog-ng so the two understand each other?
> >
> > Relevant server side config:
> > source s_all { syslog(ip(172.16.x.x) port(6514) max_connections(50)
> > tls(
> ^^^^^^
>
> This is the issue. You're telling syslog-ng to expect the new syslog
> protocol, but later in the rsyslog.conf, you don't seem to be telling it
> to send that version, so it will use the legacy BSD format instead.
>
> You have two options: either use tcp() on the syslog-ng side, or ask
> rsyslog to forward messages according to the new syslog protocol
> (however it may call it, it's RFC5424 by the way, while RFC3164 is the
> legacy BSD format).

I have updated the syslog() driver to automatically detect the rfc3164 format, but this happened in 3.3 or 3.4, can't remember which.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
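
The format mismatch discussed in this thread, as an added example (not part of the original messages and not syslog-ng's own detection code): a small Python classifier that tells an RFC5424 header from a legacy RFC3164 one, which is why the quoted `<13>Nov 6 ...` line cannot be read as RFC5424. The function name, the regexes and the RFC5424 sample are constructed for illustration; the length-prefix handling assumes the octet-counted framing that RFC 5425 defines for syslog over TLS.

```python
import re

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d?) "
    r"(?P<ts>-|\d{4}-\d{2}-\d{2}T\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+)(?: (?P<rest>.*))?$", re.S)

# RFC 3164 (legacy BSD) header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$", re.S)

# Octet-counted framing for syslog over TLS (RFC 5425): MSG-LEN SP SYSLOG-MSG
FRAME_RE = re.compile(r"^(\d+) ")


def classify(frame: str) -> dict:
    """Detect the syslog header format of one received frame."""
    framed = False
    m = FRAME_RE.match(frame)
    # Strip the length prefix only if it matches the remaining byte count.
    if m and len(frame.encode()) - m.end() == int(m.group(1)):
        frame, framed = frame[m.end():], True
    for name, rx in (("rfc5424", RFC5424_RE), ("rfc3164", RFC3164_RE)):
        hit = rx.match(frame)
        if hit and int(hit.group("pri")) <= 191:  # highest valid PRI: 23*8+7
            pri = int(hit.group("pri"))
            return {"format": name, "octet_counted": framed,
                    "facility": pri >> 3, "severity": pri & 7,
                    "host": hit.group("host")}
    return {"format": "unknown", "octet_counted": framed}


if __name__ == "__main__":
    legacy = "<13>Nov  6 11:15:31 admin2-desktop ah: Test4"  # line from the thread
    # Constructed RFC 5424 rendering of the same event (timestamp zone assumed).
    modern = "<13>1 2012-11-06T11:15:31+01:00 admin2-desktop ah - - - Test4"
    for msg in (legacy, modern, f"{len(modern)} {modern}", "garbage"):
        print(classify(msg))
```

The first character after `<13>` decides the outcome: RFC5424 requires a version digit there, while the rsyslog client's line starts its timestamp with a month name.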