Open jeff42 opened 8 years ago
@jeff42 Thanks for bringing this up! Could you please provide one or two more Syslog messages from the VMware product to verify against?
@joschi VMware is just an example, I'll fetch some more. My suggestion is more general. If you read RFC5424 (https://tools.ietf.org/html/rfc5424#section-6) you will find this
```
HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME
         SP APP-NAME SP PROCID SP MSGID
PRI = "<" PRIVAL ">"
PRIVAL = 1*3DIGIT ; range 0 .. 191
VERSION = NONZERO-DIGIT 0*2DIGIT
```
which means an RFC5424 Syslog message must start with the Priority followed by the version and a space character. VERSION must be a number with one to three digits and must not start with zero. Adjusting the static pattern to detect RFC5425-conformant messages would automatically stop applying wrong filters to VMware messages.
Examples:
```
<166>2016-01-29T16:37:46.644Z srv01esx27.corp.local Hostd: --> }
<166>2016-01-29T16:33:30.567Z srv01esx24.corp.local Hostd: --> "992"
<166>2016-01-29T15:49:19.934Z srv01esx29.corp.local Vpxa: [6269EB70 verbose 'VpxaHalCnxHostagent' opID=WFU-bea1521f] [WaitForUpdatesDone] Received callback
<166>2016-01-29T15:49:19.934Z srv01esx29.corp.local Vpxa: [6269EB70 verbose 'VpxaHalCnxHostagent' opID=WFU-bea1521f] [WaitForUpdatesDone] Received callback
<166>2016-01-29T15:49:19.926Z srv01esx29.corp.local Vpxa: [6269EB70 verbose 'VpxaHalCnxHostagent' opID=WFU-c04d02e0] [VpxaHalCnxHostagent::ProcessUpdate] Applying updates from 7313825 to 7313826 (at 7313825)
```
Best Regards, Jörg
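The check proposed in the comment above, sketched in Python as an added example (not code from this thread or from the project). The `LOOSE` pattern is an assumption about what a first-digit check looks like, and the RFC 5424 comparison line is constructed.

```python
import re

# Assumed loose check (hypothetical, not the project's pattern): PRI then any digit.
LOOSE = re.compile(r"^<\d{1,3}>\d")
# Strict check built from the quoted ABNF: PRI, VERSION (1-3 digits, no leading zero), SP.
STRICT = re.compile(r"^<(\d{1,3})>([1-9]\d{0,2}) ")
PRI_ONLY = re.compile(r"^<(\d{1,3})>")

MAX_PRIVAL = 191  # "range 0 .. 191" in the ABNF


def classify(line):
    """Classify the start of a syslog line and decode PRIVAL into facility/severity."""
    strict = STRICT.match(line)
    match = strict or PRI_ONLY.match(line)
    if match is None or int(match.group(1)) > MAX_PRIVAL:
        return {"format": "unknown", "facility": None, "severity": None, "version": None}
    prival = int(match.group(1))
    return {
        "format": "rfc5424" if strict else "not-rfc5424",
        "facility": prival >> 3,  # PRIVAL = facility * 8 + severity
        "severity": prival & 7,
        "version": int(strict.group(2)) if strict else None,
    }


# VMware line quoted in this thread (emphasis markers removed).
VMWARE = ("<166>2016-01-29T15:20:31.960Z srv01esx70 Vpxa: [FF8DFB70 verbose "
          "'VpxaHalCnxHostagent' opID=WFU-ba76b75e] [WaitForUpdatesDone] Completed callback")
# Constructed RFC 5424 line for comparison (not from the thread).
RFC5424 = "<165>1 2016-01-29T15:20:31.960Z host01.example.com app 1234 ID1 - test message"

if __name__ == "__main__":
    for name, line in (("vmware", VMWARE), ("rfc5424", RFC5424)):
        print(name, "loose:", bool(LOOSE.match(line)), "strict:", classify(line))
```

The loose pattern accepts both lines because the VMware timestamp begins with a digit right after the PRI; the strict pattern rejects the VMware line because no space follows within the three digits allowed for VERSION.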
Hi, the logs from VMware are incorrectly detected as RFC5425. VMware is sending messages like this:
<166>**2**016-01-29T15:20:31.960Z srv01esx70 Vpxa: [FF8DFB70 verbose 'VpxaHalCnxHostagent' opID=WFU-ba76b75e] [WaitForUpdatesDone] Completed callback
due to the digit immediately after the