-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
syslog receiver Error expecting a Stamp timestamp [col 5] #33344
Comments
Pinging code owners for receiver/syslog: @djaglowski @andrzej-stencel. See Adding Labels via Comments if you do not have permissions to add labels yourself. |
Can you please share with us an example log which is failing to parse? |
Hi, |
This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
@djaglowski Hi, I'm facing the same issue when receiving syslog from network devices. Here is an example log which is failing to parse, Hex + ASCII dump:
The error report from otel-collector are as follows:
And here is my configuration: receivers:
syslog:
udp:
listen_address: "0.0.0.0:514"
add_attributes: true
one_log_per_packet: true
protocol: rfc3164
location: Asia/Shanghai |
After reading RFC 3164, I found that the issue occurs because HUAWEI does not follow the TIMESTAMP field format as defined in the RFC. According to RFC 3164, the TIMESTAMP field should be in the format HUAWEI defines multiple timestamp formats: Given that many software and hardware manufacturers do not strictly adhere to specifications, this type of error is quite common. It may be helpful to mention in the documentation that users should verify whether the original format strictly complies with the RFC before opening an issue. |
Thanks for reporting the example and figuring out the cause @bowling233. I agree there are many instances where slight variations of the syslog protocol cause problems. In principle I am supportive of being more flexible but it is easier said than done. I think the documentation is clear about which protocols it supports but perhaps adding an additional note as you suggested would be helpful. |
This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
@djaglowski Could we enhance the error message for unparsed syslog messages by including the source IP address? Currently, the error message provides very limited information, making it difficult to determine where the problematic message originates. I recently encountered this issue again, and in environments with a large number of devices, manually inspecting each one is impractical. Additionally, in busy networks, performing packet capture may not be feasible. Including the source IP would greatly simplify troubleshooting and improve the ability to identify misconfigured or incompatible devices. |
That makes sense to me. |
Describe the bug
When using the syslog receiver, an error occurs while processing log entries. The error message is "expecting a Stamp timestamp [col 5]".
Steps to reproduce
Configure the syslog receiver in the configuration file.
Send logs via syslog.
Check the logs for the error.
What did you expect to see?
I expected the logs to be processed without errors.
What did you see instead?
I saw the following error:
What version did you use?
What config did you use?
Environment
Openshift
The text was updated successfully, but these errors were encountered: