rsyslog-relp message parsing
Posted: Fri Feb 02, 2018 10:18 am
I'm using the rsyslog-relp plugin and can't figure out why the log messages are not parsing properly. I have a DNS filter that works for all our other systems, but I never see the DNS tag show up for the messages forwarded by relp. Systems not using relp show the FQDN as the host value, and only the message in the message field. The system I'm testing relp on shows the host value as IP:port, and the message value appears unparsed.
Example (relp message and host values):
host: 10.10.10.11:12345
message: <86>2018-02-02T10:00:35.659601-05:00 testserver.mydomain.com sshd[24900]: Received disconnect from 10.10.10.10 port 50111:11: disconnected by user
Example (non-relp message and host values):
Host: testserver2.mydomain.com
Message: Received disconnect from 10.10.10.10 port 50111:11: disconnected by user
The system we're testing relp on reports fine using standard rsyslog and the host name is correct in the search results. So I'm unsure if this is an issue with relp, or some parsing in logserver. I'm not very well versed in how these messages get parsed in logserver for display and could use some guidance to correct this issue and to learn the normal steps to troubleshoot a behavior like this.
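The symptom in the post is that the receiver stored the whole syslog frame (PRI, timestamp, hostname, tag) in the message field and used the TCP endpoint as the host, so any filter keyed on the host or on the message body sees different data than for the non-relp path. The following parser is an added example (not code from the original post, from rsyslog, or from the logserver project) that splits a frame of that shape into its syslog fields and prefers the hostname embedded in the frame over a transport-style `IP:port` host value. The field names `host` and `message`, and the sample line (copied from the post and labelled as constructed input), are assumptions; it is the kind of check you would run against a stored event to confirm where the parsing stopped.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample input: the RELP-forwarded frame from the post, exactly as it
# appeared in the "message" field when the receiver did not parse it.
RAW_RELP_MESSAGE = (
    "<86>2018-02-02T10:00:35.659601-05:00 testserver.mydomain.com "
    "sshd[24900]: Received disconnect from 10.10.10.10 port 50111:11: "
    "disconnected by user"
)

# Standard syslog facility and severity names, indexed by their numeric codes.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Shape of the frame in the post: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MESSAGE
# (the PID part is optional, because not every program logs one).
SYSLOG_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>\S+)\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<msg>.*)$"
)

# A host value of the form "10.10.10.11:12345" is the sender's TCP endpoint,
# not a hostname, which is what the post's DNS filter would have needed.
TRANSPORT_ENDPOINT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    host: str
    program: str
    pid: Optional[int]
    message: str


def parse_syslog_line(line: str) -> Optional[SyslogEvent]:
    """Split a raw syslog frame into fields; return None if it is not one."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # 23 facilities * 8 severities - 1 is the largest legal PRI
        return None
    return SyslogEvent(
        facility=FACILITIES[pri // 8],
        severity=SEVERITIES[pri % 8],
        timestamp=m["timestamp"],
        host=m["host"],
        program=m["tag"],
        pid=int(m["pid"]) if m["pid"] else None,
        message=m["msg"],
    )


def normalize_event(host_field: str, message_field: str) -> Tuple[str, str]:
    """Return (host, message) as the non-relp path would have stored them.

    If the message field still carries a whole syslog frame, take the hostname
    and the bare message from the frame; otherwise the event is already parsed
    and both fields are returned unchanged.
    """
    event = parse_syslog_line(message_field)
    if event is None:
        return host_field, message_field
    # Only override the host when the stored value looks like IP:port, so a
    # correctly resolved hostname from the receiver is never thrown away.
    host = event.host if TRANSPORT_ENDPOINT.match(host_field) else host_field
    return host, event.message


if __name__ == "__main__":
    print(parse_syslog_line(RAW_RELP_MESSAGE))
    print(normalize_event("10.10.10.11:12345", RAW_RELP_MESSAGE))
```

Running it against the two examples in the post shows the difference directly: the relp event normalizes to host `testserver.mydomain.com` with only the sshd text as the message, while the non-relp event (no `<PRI>` prefix) passes through untouched. If the receiver's stored event still matches `SYSLOG_LINE`, the parsing stopped at the transport layer and the fix belongs on the receiving side's input or template, not in the downstream filter.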