We have a curious issue where all logs in /var/log/ lack trailing newlines at the end of their messages, and instead contain an n, but the entire file is one 'line':

Jun  4 10:18:54 host sshd[12468]: Accepted publickey for username from xx.xx.xx.xxx port xxxx ssh2nJun  4 10:18:54 host sshd[12468]: pam_unix(sshd:session): session opened for user username by (uid=0)nJun  4 10:19:25 host sudo: username : TTY=pts/0 ; PWD=/home/username ; USER=root ; COMMAND=/bin/bashn

Super bizarre. I looked everywhere, and the only complaints about a "lack of newlines" I can find on the internet refer to the messages themselves not being multi-line (lack of newlines in the message body). However, I cannot find anything on a lack of trailing newlines, or on modifying/confirming the format of the messages.

Mike

1 Answer

Cause: One of our sysadmins had modified the RSyslog template, and omitted the \ before the n at the end of the template.

The RSyslog configuration file, located at /etc/rsyslog.conf, allows you to specify templates for the messages:

# Use default timestamp format
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template CustomFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
$ActionFileDefaultTemplate CustomFormat

Well, the admin had omitted the \ for the newline, resulting in:

$template CustomFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%n"

No dice.

To summarize, if you have odd format issues in any logs handled by RSyslog, check the template configurations for RSyslog, starting in /etc/rsyslog.conf.

Mike
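
The check described in the answer above can be automated. The following is an added example, not part of the original answer: a small linter that flags legacy one-line `$template` directives whose format string does not end in the `\n` escape. The template names `GoodFormat` and `BrokenFormat` and the sample config are constructed for illustration.

```python
import re

# Legacy directive form shown in the answer: $template Name,"format string"
TEMPLATE_RE = re.compile(
    r'^\s*\$template\s+([^,\s]+)\s*,\s*"((?:[^"\\]|\\.)*)"(.*)$')

def ends_with_newline_escape(body):
    """True if the template string ends in the two-character escape \\n."""
    if not body.endswith("n"):
        return False
    head = body[:-1]
    backslashes = len(head) - len(head.rstrip("\\"))
    # An odd run of backslashes means the last one escapes the 'n';
    # an even run is escaped backslashes followed by a literal 'n'.
    return backslashes % 2 == 1

def lint_templates(config_text):
    """Return (line_number, name) for each $template lacking a final \\n."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = TEMPLATE_RE.match(line)  # commented-out lines begin with '#'
        if not m:
            continue
        name, body, options = m.groups()
        if options.strip():
            continue  # templates with trailing options are not checked here
        if not ends_with_newline_escape(body):
            findings.append((lineno, name))
    return findings

# Constructed sample: the two template strings from the answer,
# under hypothetical names so both can appear in one file.
SAMPLE = r'''
# Use default timestamp format
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template GoodFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
$template BrokenFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%n"
'''

if __name__ == "__main__":
    for lineno, name in lint_templates(SAMPLE):
        print(f"line {lineno}: template {name} does not end with \\n")
```

Running a check like this against /etc/rsyslog.conf after every change catches the typo before log records are merged into a single line.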