summaryrefslogtreecommitdiff
path: root/doc/pmlastmsg.html
blob: fd26dbd5e632848e4aaa6274cba8342a56cbf774 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
<meta http-equiv="Content-Language" content="en">
<title>parser module for &quot;last message repeated n times&quot; (pmlastmsg)</title>
</head>
<body>
<a href="rsyslog_conf_modules.html">rsyslog module reference</a>

<h1>parser module for &quot;last message repeated n times&quot; (pmlastmsg)</h1>
<p><b>Module Name:&nbsp;&nbsp;&nbsp; pmlastmsg</b></p>
<p><b>Module Type:&nbsp;&nbsp;&nbsp; parser module</b></p>
<p><b>Author: </b>Rainer Gerhards &lt;rgerhards@adiscon.com&gt;</p>
<p><b>Available Since</b>: 5.5.6</p>
<p><b>Description</b>:</p>
<p>Some syslogds are known to emit severily malformed messages with content
"last message repeated n times". These messages can mess up message reception, as
they lead to wrong interpretation with the standard RFC3164 parser. Rather than
trying to fix this issue in pmrfc3164, we have created a new parser module
specifically for these messages. The reason is that some processing overhead is
involved in processing these messages (they must be recognized) and we would
not like to place this toll on every user but only on those actually in need
of the feature. Note that the performance toll is not large -- but if you expect
a very high message rate with tenthousands of messages per second, you will notice
a difference.
<p>This module should be loaded first inside <a href="messageparser.html">rsyslog's
parser chain</a>. It processes all those messages that contain a PRI, then none or
some spaces and then the exact text (case-insensitive) "last message repeated n times"
where n must be an integer. All other messages are left untouched.

<p><b>Please note:</b> this parser module makes it possible that these messages
are properly detected. It does <b>not</b> drop them. If you intend to drop those
messages, you need to use the usual filter logic in combination with the discard
action. As a side-note, please keep on your mind that the sender discarded messages
when the "last message repeated n times" message is emited. You want to consider if
that really is what you intend to happen. If not, go change the sender.

<p><b>Configuration Directives</b>:</p>
<p>There do not currently exist any configuration directives for this module.
<p><b>Examples:</b></p>
<p>This example is the typical use case, where some systems emit malformed
"repeated msg" messages. Other than that, the default RFC5424 and RFC3164 parsers
should be used. Note that when a parser is specified, the default parser chain
is removed, so we need to specify all three parsers. We use this together with the
default ruleset.
</p>
<textarea rows="15" cols="80">$ModLoad pmlastmsg # this parser is NOT a built-in module

# note that parser are tried in the
# order they appear in rsyslog.conf, so put pmlastmsg first
$RulesetParser rsyslog.lastline
# as we have removed the default parser chain, we
# need to add the default parsers as well.
$RulesetParser rsyslog.rfc5424 
$RulesetParser rsyslog.rfc3164

# now come the typical rules, like...
*.* /path/to/file.log
</textarea>
<p><b>Caveats/Known Bugs:</b>
<p>currently none
<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>]
[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
<p><font size="2">This documentation is part of the
<a href="http://www.rsyslog.com/">rsyslog</a>
project.<br>
Copyright &copy; 2010 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.</font></p>
</body></html>