Syslog facility lost while sending long messages


#1 antiBILLotic

I'm using nxlog to send logs from Windows Event Log to rsyslogd.

To identify my Windows hosts, I use local6 facility. So they are logged to a separate folder based on IP and facility: local6 messages are logged to /var/log/hosts/windows/SERVER_IP/remote.log, all other facilities (non-local6) are logged to /var/hosts/linux/SERVER_IP/remote.log

The thing is, I sometimes find new messages in /var/log/hosts/linux/WINSERVER_IP/remote.log, which are (mostly) a part of other Windows Event Log messages. Looks like big messages from Event Log are split into fragments, the first one gets the local6 facility (via SyslogFacilityValue) and is logged to windows-log folder (correct behavior), the rest get another facility value (which is unknown for me) and are logged to linux-log folder (incorrect behavior).

My nxlog config (part of it):

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_msvistalog
    Exec        $SyslogFacilityValue = 22;
</Input>

<Processor eventlog_transformer>
    Module      pm_transformer
    Exec        $Hostname = hostname();
    OutputFormat syslog_rfc5424
</Processor>

<Output out>
    Module      om_tcp
    Host        10.7.1.20
    Port        514
    Exec        $raw_event = replace($raw_event, "\r\n", " ");
    Exec        $raw_event = replace($raw_event, "\t", " ");
</Output>

<Route 1>
    Path        in => eventlog_transformer => out
</Route>

Is there a way to strictly specify local6 facility to all outgoing syslog-type messages and their parts, if they get split?


#2 adm Nxlog ✓

Only newlines (i.e. \r\n or \n) can cause a message to be "split" into two or more when using tcp transport.

The rfc5424 (ietf) syslog format in nxlog replaces \r and \n with space. You are also doing the same with replace().

This sounds like an rsyslog issue.
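The mechanism the answer points at, modelled in Python as an added example (this is not code from the thread, from nxlog or from rsyslog): over a line-framed TCP transport every LF ends a message, so an event body that still contains CR/LF arrives at the collector as several lines, and only the first of them carries the `<PRI>` header. A line with no PRI is assigned a default priority, so the tail fragments land in a different facility and, with the thread's local6-versus-everything-else routing, in the linux tree. Assumptions: the collector falls back to PRI 13 (user.notice) as RFC 3164 section 4.3.3 prescribes for a missing PRI; the sender is modelled as plain LF-terminated framing; the event body, hostname `WINSRV01` and host IP `10.0.0.5` are constructed. The octet-counted framing at the end goes beyond the thread: it shows the RFC 6587 alternative in which the delimiter is a byte count rather than LF, so embedded newlines cannot split a message at all.

```python
import re

# Syslog PRI = facility * 8 + severity. local6 is facility 22, so the thread's
# "$SyslogFacilityValue = 22" maps to local6 and, with severity 6 (info), PRI 182.
LOCAL6 = 22
DEFAULT_PRI = 13  # user.notice: what RFC 3164 section 4.3.3 tells a relay to assume
                  # for a line without PRI (assumption: the collector does the same)
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  16: "local0", 17: "local1", 18: "local2", 19: "local3",
                  20: "local4", 21: "local5", 22: "local6", 23: "local7"}
PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line: str):
    """Return the PRI value if the line starts with a valid <PRI>, else None."""
    m = PRI_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    return pri if pri <= 191 else None


def build_rfc5424(facility: int, severity: int, hostname: str, appname: str,
                  msg: str, timestamp: str = "2024-01-01T00:00:00Z") -> str:
    """Minimal RFC 5424 line; the message part is passed through untouched."""
    return f"<{facility * 8 + severity}>1 {timestamp} {hostname} {appname} - - - {msg}"


def sanitize(msg: str) -> str:
    """What the thread's Exec lines (and, per the answer, nxlog's RFC 5424 output) do:
    collapse CR, LF and TAB to spaces so the event stays one line on the wire."""
    return (msg.replace("\r\n", " ").replace("\n", " ")
               .replace("\r", " ").replace("\t", " "))


def send_line_based(events) -> str:
    """Model of a line-based TCP sender: each event terminated by LF
    (RFC 6587 'non-transparent' framing)."""
    return "".join(e + "\n" for e in events)


def to_record(line: str) -> dict:
    """Classify one received message; a missing PRI silently becomes DEFAULT_PRI."""
    pri = parse_pri(line)
    effective = pri if pri is not None else DEFAULT_PRI
    return {"pri_present": pri is not None,
            "facility": effective // 8,
            "facility_name": FACILITY_NAMES.get(effective // 8, str(effective // 8)),
            "severity": effective % 8,
            "text": line}


def receive_line_based(stream: str):
    """Model of a line-framed collector: every LF ends a message, so a body that
    still contains newlines is received as several messages."""
    records = []
    for line in stream.split("\n"):
        line = line.rstrip("\r")
        if line:
            records.append(to_record(line))
    return records


def log_path(record: dict, host_ip: str) -> str:
    """The thread's rsyslog routing rule: local6 -> windows tree, anything else -> linux tree."""
    bucket = "windows" if record["facility"] == LOCAL6 else "linux"
    return f"/var/log/hosts/{bucket}/{host_ip}/remote.log"


# Octet-counted framing (RFC 6587 section 3.4.1): the delimiter is a byte count, not LF,
# so embedded newlines cannot split a message. Both sender and collector must be
# configured for it; that is outside what the thread covers.
def send_octet_counted(events) -> bytes:
    return b"".join(f"{len(e.encode())} ".encode() + e.encode() for e in events)


def receive_octet_counted(stream: bytes):
    records, pos = [], 0
    while pos < len(stream):
        space = stream.index(b" ", pos)
        length = int(stream[pos:space])
        pos = space + 1
        records.append(to_record(stream[pos:pos + length].decode()))
        pos += length
    return records


# Constructed sample: a multi-line Windows event body, the shape that triggers the split.
SAMPLE_MSG = ("An account was successfully logged on.\r\n\r\n"
              "Subject:\r\n\tSecurity ID:\t\tSYSTEM")


def simulate(msg: str, sanitize_first: bool, host_ip: str = "10.0.0.5"):
    """Send one local6/info event over line-based framing and report where each
    resulting record would land on the collector."""
    body = sanitize(msg) if sanitize_first else msg
    event = build_rfc5424(LOCAL6, 6, "WINSRV01", "nxlog", body)
    records = receive_line_based(send_line_based([event]))
    return [(log_path(r, host_ip), r["facility_name"], r["pri_present"]) for r in records]


if __name__ == "__main__":
    for flag in (False, True):
        print(f"sanitize_first={flag}")
        for path, fac, has_pri in simulate(SAMPLE_MSG, flag):
            print(f"  {fac:7} pri_present={has_pri!s:5} -> {path}")
```

Running it shows the unsanitized event arriving as three records, the first in the windows tree as local6 and the two tail fragments in the linux tree as `user`, while the sanitized event arrives as a single local6 record. The same check is useful on the collector side: a record whose PRI was defaulted, or whose text starts with a tab or a word like `Subject:` rather than `<`, is a fragment worth alerting on rather than filing away, because the sanitizing step in the sender is what keeps the facility intact.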