Jump to content

logging to syslog (again)


Recommended Posts

Posted

Hi all,

I'd love to be able to log programs to remote syslog.  I've come across several posts by member here Xathros, but I haven't been able to replicate this..   For example, https://forum.universal-devices.com/topic/16861-isy-log-on-ios-or-web/.

 

I see the syslog packets being received at the remote server, but syslog (rsyslogd to be more precise) seems to just ignore these messages, even though tcpdump identifies them as syslog content.

Here's a verbose example of what tcpdump sees:

 

Quote

02:05:03.873665 IP (tos 0x0, ttl 2, id 41580, offset 0, flags [none], proto UDP (17), length 93)
    192.168.0.12.514 > 192.168.3.109.514: [udp sum ok] [|syslog]
        0x0000:  4500 005d a26c 0000 0211 915a c0a8 000c  E..].l.....Z....
        0x0010:  c0a8 036d 0202 0202 0049 5e23 3230 3138  ...m.....I^#2018
        0x0020:  2f31 312f 3035 2030 323a 3035 3a30 3520  /11/05.02:05:05.
        0x0030:  3139 322e 3136 382e 302e 3132 203c 3132  192.168.0.12.<12
        0x0040:  3e20 6973 796c 6f67 6765 7220 2d20 4953  >.isylogger.-.IS
        0x0050:  5920 4d41 524b 202d 2054 4553 54         Y.MARK.-.TEST


 

and an excerpt from my rsyslog.conf file:

 

if $rawmsg contains "ISY" then /var/log/isy.log

and here's how my network resource is defined.

Protocol: udp

Host: 192.168.3.109 (syslog server)

Port: 514

Timeout: 1000 ms

Mode: Raw Text

Body: ${sys.date} ${sys.time} 192.168.0.12 <12> isylogger - ISY MARK - TEST

425478595_Screenshot2018-11-05at03_17_26.thumb.png.208475dad0297bb77f38c7ef1fefbb82.png

 

I'm probably missing something obvious.  I did catch in one of Xathros' posts that he removed a date/time stamp and IP address from his examples, so I probably just have that wrong.

 

Tips greatly appreciated!

 

cheers,

 

Joel

  • 2 months later...
Posted

Joel,

No sure is this is to late...

But I had same issue, but then it turned out I was missing LF (\n) in the end of the message.

Try to hit ENTER after you message ending with TEST

Thanks,

/Roger

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...