I'm using the rsyslog-relp plugin and can't figure out why the log messages are not parsing properly. I have a DNS filter that works for all our other systems, but I never see the DNS tag show up for the messages forwarded by relp. Systems not using relp show the FQDN as the host value, and only the message in the message field. The system I'm testing relp on shows the host value as IP:port, and the message value appears unparsed.
Example (relp message and host values):
host: 10.10.10.11:12345
message: <86>2018-02-02T10:00:35.659601-05:00 testserver.mydomain.com sshd[24900]: Received disconnect from 10.10.10.10 port 50111:11: disconnected by user
Example (non-relp message and host values):
Host: testserver2.mydomain.com
Message: Received disconnect from 10.10.10.10 port 50111:11: disconnected by user
The system we're testing relp on reports fine using standard rsyslog and the host name is correct in the search results. So I'm unsure if this is an issue with relp, or some parsing in logserver. I'm not very well versed how these messages get parsed in logserver for display and could use some guidance to correct this issue and to learn the normal steps to troubleshoot a behavior like this.
rsyslog-relp message parsing
Re: rsyslog-relp message parsing
The syslog input requires RFC3164 formatting to parse the message properly. Grok filters can be used to parse the messages in cases where the rfc isn't followed:
https://assets.nagios.com/downloads/nag ... ilters.pdf
https://support.nagios.com/kb/article/n ... ew-98.html
http://grokdebug.herokuapp.com/
https://assets.nagios.com/downloads/nag ... ilters.pdf
https://support.nagios.com/kb/article/n ... ew-98.html
http://grokdebug.herokuapp.com/
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.