I’m trying to debug an issue where some messages have the field facility set correctly while others fail to set a correct facility.
Example of correctly parsed facility
Parsed facility: security/authorization
Parsed facility_num: 10
Full message from syslog host:
<86>1 2021-09-22T16:11:34.578583+02:00 mylogclient sudo - - - pam_unix(sudo:session): session closed for user root
Example of incorrectly parsed facility
Parsed facility: type=USER_END msg=audit(1632319894.575
Parsed facility_num: 1
Full message from syslog host:
<14>1 2021-09-22T16:11:34.579213+02:00 mylogclient audispd - - - node=mylogclient type=USER_END msg=audit(1632319894.575:2457): pid=26515 uid=0 auid=1000 ses=60 subj==unconfined msg='op=PAM:session_close grantors=pam_permit,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
How do I proceed debugging this issue?
Environmental information
All messages in this example are coming from the same host which is running Debian 10 with rsyslogd 8.1901.0 (aka 2019.01) using the following configuration:
$PreserveFQDN on # fixes FQDN issue
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName remote # unique name prefix for spool files
$ActionQueueMaxFileSize 50m
$ActionQueueMaxDiskSpace 512m # 512M space limit (use as much as possible)
$ActionResumeRetryCount -1 # infinite retries if host is down
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueTimeoutEnqueue 0 # Drop messages with no wait when they can’t be queued
*.* @@mylogserver;RSYSLOG_SyslogProtocol23Format
Package versions
The graylog server is running Debian 11.
- Graylog 4.1.5-1 (installed from graylog repository)
- MongoDB 4.4.9 (installed from mongodb repository)
- Elasticsearch 7.15.0 (installed from elasticsearch repository)
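A first debugging step is to derive the facility and severity straight from the PRI field of each raw line and compare that with what the pipeline reports, since a mismatch tells you the parser is reading the facility from somewhere other than `<PRI>`. The following RFC 5424 header parser is an added example written for this thread, not code from the original post or from Graylog or rsyslog; the two sample lines are the ones quoted above, and the facility name table is the RFC 5424 section 6.2.1 list (the name "user-level" for facility 1 and "security/authorization" for facility 10 are assumed to match what the server displays).

```python
import re

# RFC 5424 section 6.2.1 facility codes (assumed to match the names shown by the log server)
FACILITY_NAMES = {
    0: "kernel", 1: "user-level", 2: "mail", 3: "system daemon",
    4: "security/authorization", 5: "syslogd", 6: "line printer",
    7: "network news", 8: "UUCP", 9: "clock", 10: "security/authorization",
    11: "FTP", 12: "NTP", 13: "log audit", 14: "log alert", 15: "clock",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID
# SP MSGID SP STRUCTURED-DATA [SP MSG]. STRUCTURED-DATA is "-" or one or more
# [id k="v" ...] elements; escaped "]" inside SD values is not handled here.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)

# The two raw lines quoted in the post above (sent with RSYSLOG_SyslogProtocol23Format)
SUDO_LINE = ("<86>1 2021-09-22T16:11:34.578583+02:00 mylogclient sudo - - - "
             "pam_unix(sudo:session): session closed for user root")
AUDISPD_LINE = ("<14>1 2021-09-22T16:11:34.579213+02:00 mylogclient audispd - - - "
                "node=mylogclient type=USER_END msg=audit(1632319894.575:2457): "
                "pid=26515 uid=0 auid=1000 ses=60 subj==unconfined "
                "msg='op=PAM:session_close grantors=pam_permit,pam_unix acct=\"root\" "
                "exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=/dev/pts/2 res=success'")


def parse_syslog5424(line: str) -> dict:
    """Split an RFC 5424 line into its header fields; facility/severity come only from PRI."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line[:40]!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 severities - 1 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    facility_num, severity_num = divmod(pri, 8)  # PRI = facility * 8 + severity
    return {
        "pri": pri,
        "facility_num": facility_num,
        "facility": FACILITY_NAMES[facility_num],
        "severity_num": severity_num,
        "severity": SEVERITY_NAMES[severity_num],
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
        "app_name": m.group("appname"),
        "proc_id": m.group("procid"),
        "msg_id": m.group("msgid"),
        "structured_data": m.group("sd"),
        "message": m.group("msg") or "",
    }


def facility_matches(line: str, reported_facility: str) -> bool:
    """True when the facility a pipeline reported equals the one the PRI field encodes."""
    return parse_syslog5424(line)["facility"] == reported_facility


if __name__ == "__main__":
    for raw in (SUDO_LINE, AUDISPD_LINE):
        p = parse_syslog5424(raw)
        print(f"{p['app_name']:8} PRI={p['pri']:3} facility={p['facility_num']} "
              f"({p['facility']}) severity={p['severity']}")
        print("  structured_data:", p["structured_data"])
        print("  message:", p["message"][:60])
```

Running the script shows that both lines carry a valid "-" structured-data field and that the audispd message decodes to facility 1 (user-level), Informational, so a reported facility of `type=USER_END msg=audit(1632319894.575` cannot have come from PRI; that narrows the search to whatever extractor, pipeline rule or input setting on the receiving side is overwriting the `facility` field from the message body.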