0

My Docker syslog tags are being truncated at what seems to be 32 characters. When I look at RFC 5424 I am not sure which field it is. Anyone know? I am trying to verify the allowed length the tag can be.

Apr 19 06:43:05 ord-nodecore-prd-01 docker/core_sql_event_processor_ha[1207]: 2016-04-19T06:43:05.265Z [sqlEventHandler] Event '3c5e1a15-f8a1-4bfa-b2fa-2e54b2a5fbaa' resulted in 0 relevant application events

Becomes:

<30>Apr 19 06:43:05 ord-nodecore-prd-01 docker/core_sql_event_processor_ 2016-04-19T06:43:05.265Z [sqlEventHandler] Event '3c5e1a15-f8a1-4bfa-b2fa-2e54b2a5fbaa' resulted in 0 relevant application events

Note the tag, docker/core_sql_event_processor_ha[1207]:

Here is the RFC link: https://www.rfc-editor.org/rfc/rfc5424#page-9

I am thinking it is the 'SD-Name' but it may be 'APP-Name'. No idea.

Community
  • 1
  • 1
DDDD
  • 3,790
  • 5
  • 33
  • 55
  • This seems to indicate its APP-Name, https://blog.logentries.com/wp-content/uploads/2014/08/Untitled.png – DDDD Apr 21 '16 at 22:44

1 Answers1

0

Your example has nothing to do with RFC5424, and looks more like RFC3164 (which is not a standard, but a collection of older best practices). Please read this: https://www.rfc-editor.org/rfc/rfc5424#appendix-A.1 then search for 'TAG ' - in essence, RFC5424 does not have a TAG field as such.

I am not familiar with Docker logging, but if I read https://docs.docker.com/engine/admin/logging/overview/#syslog-options , then check syslog-format - it seems that the format can be specified, also to be like rfc5424micro which I would recommend, but seems like in your case it is not configured like that.

Community
  • 1
  • 1
marcingo
  • 61
  • 2
  • 8