Another non-standard syslog format (Dell N2048 switches)


Tim

Feb 8, 2017, 6:57:07 PM
to Fluentd Google Group
Hello,

I am enjoying my introduction to fluentd and td-agent.

Today I began to push syslog data from Dell N2048 networking gear into td-agent.

Unfortunately, the syslog entries from the Dell equipment seem to put one unit of whitespace between the <pri> and the timestamp, which fluentd seems to not like.  Could it really be that the only way around this is to write an entire regex to parse this syslog format?

Here is the output from td-agent:

2017-02-08 22:26:19 +0000 [error]: "<189> Feb  9 06:26:00 switch8054-1 TRAPMGR[dot1s_task]: traputil.c(777) 796225 %% Spanning Tree Topology Change Received: MSTID: 0 Te1/0/1  \x00" error="invalid time format: value =  Feb , error_class = ArgumentError, error = invalid strptime format - `%b %e %H:%M:%S'"

I have tried a number of ways to cope with this by changing time_format in td-agent.conf but no combination seems to work.  I tried:

time_format  %b %e %H:%M:%S
time_format ' %b %d %H:%M:%S'
time_format %4b %e %H:%M:%S

...etc., all using format suggestions from http://ruby-doc.org/stdlib-1.9.3/libdoc/date/rdoc/DateTime.html#method-c-strptime

I also tried to use the 'newsyslog' package, but installing all of its many required packages would have needed me to upgrade the server to ruby 2.1 and I lost steam on that.

Any tips?  I'd rather not just pass the messages in raw.

Thanks,
Tim

Tim

Feb 8, 2017, 7:52:16 PM
to Fluentd Google Group
I'll mention that I did some experimentation in irb:

irb(main):042:0> Date._strptime(' Feb  9 04:24:54', "%h %e %H:%M:%S")
=> nil
irb(main):043:0> Date._strptime(' Feb  9 04:24:54', " %h %e %H:%M:%S")
=> {:mon=>2, :mday=>9, :hour=>4, :min=>24, :sec=>54}

Tim Johnson

Feb 8, 2017, 7:59:22 PM
to flu...@googlegroups.com
And, sorry, I realize my original post is incorrect about upgrading to use newsyslog. I should use td-agent-gem.

Tim

Tim Johnson

Feb 9, 2017, 3:23:25 PM
to flu...@googlegroups.com
OK, I got it working. The regex listed in the in_udp documentation helped here.

<source>
@type syslog
format /^ (?<time>[^ ]*\s*[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/
port 5141
tag dell
time_format %b %e %H:%M:%S
</source>

Thanks,
Tim
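A worked check of the posted format, added here as an example (not code from the thread or from Fluentd): it splits off the <pri> the way in_syslog does, applies the regex above to the sample line from the first post, and reproduces why the stock pattern captured " Feb ". The stock pattern (assumed to be the same regex without the leading space), the facility/severity tables and the parse function names are assumptions.

```ruby
require 'date'

# Constructed sample: the line quoted in the first post's td-agent error.
SAMPLE = "<189> Feb  9 06:26:00 switch8054-1 TRAPMGR[dot1s_task]: " \
         "traputil.c(777) 796225 %% Spanning Tree Topology Change Received: " \
         "MSTID: 0 Te1/0/1  \x00"

# in_syslog splits off the <pri> first and hands the remainder to the format regex,
# which is why the posted format starts with "^ " (the Dell switch's extra space).
PRI_RE   = /^<(\d+)>(.*)/m
DELL_RE  = /^ (?<time>[^ ]*\s*[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/
# Assumed stock pattern: the same regex without the leading space.
STOCK_RE = /^(?<time>[^ ]*\s*[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/
TIME_FORMAT = "%b %e %H:%M:%S"

FACILITIES = %w[kern user mail daemon auth syslog lpr news uucp cron authpriv ftp
                ntp security console solaris-cron local0 local1 local2 local3
                local4 local5 local6 local7]
SEVERITIES = %w[emerg alert crit err warning notice info debug]

# Reproduces the first post's failure: without the leading space the time group
# captures " Feb " (exactly as in the error message) and strptime rejects it.
def stock_time_capture(body)
  m = STOCK_RE.match(body)
  m && m[:time]
end

# Parse one Dell line into a record. BSD-style timestamps carry no year, so the
# caller supplies it; the trailing NUL the switch appends is dropped from the message.
def parse_dell_syslog(line, year: Time.now.year)
  pri_match = PRI_RE.match(line)
  return nil unless pri_match
  pri  = pri_match[1].to_i
  body = pri_match[2]                   # still begins with the Dell space
  m = DELL_RE.match(body)
  return nil unless m
  t = Date._strptime(m[:time], TIME_FORMAT)
  return nil unless t
  {
    facility: FACILITIES[pri >> 3],     # 189 >> 3 = 23 -> local7
    severity: SEVERITIES[pri & 7],      # 189 & 7  = 5  -> notice
    time:     Time.utc(year, t[:mon], t[:mday], t[:hour], t[:min], t[:sec]),
    host:     m[:host],
    ident:    m[:ident],
    pid:      m[:pid],
    message:  m[:message].delete("\x00").strip,
  }
end

if __FILE__ == $0
  p stock_time_capture(SAMPLE.sub(/^<\d+>/, ''))
  p parse_dell_syslog(SAMPLE, year: 2017)
end
```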