What’s causing rsyslog to log $msg**INVALID PROPERTY NAME** instead of the message contents from SonicWall devices?


I have a pair of sonicwall devices pointed at an rsyslog (v4.6.2) instance that are apparently formatting their messages unagreeably for the mysql plugin.

The rsyslog instance logs other devices without issue (linux servers and some switches) but the message portion for the sonicwall devices comes back as


The rest of the message is logged correctly (time, source, facility etc)

Looking at the rsyslog debug log, I see this on receipt of the message:

timestamp: Called action, logging to ommysql.so

timestamp: invalid property id: '0'

If I also log to the recommended "debug" template (file based), the result is similar to the following:

FROMHOST: 'X.X.X.X', HOSTNAME: 'Real Hostname', PRI: 129,
syslogtag 'id=firewall', programname: 'id=firewall', APP-NAME: 'id=firewall', PROCID: '-', MSGID: '-',

TIMESTAMP: 'Jan 31 14:10:12', STRUCTURED-DATA: '-',

msg: ' sn=0017C5272ED0 time="2012-01-31 14:10:13" fw=X.X.X.X pri=1 c=32 m=608 msg="IPS Detection Alert: INFO SNMP Access (UDP)" sid=748 ipscat=INFO ipspri=3 n=0 src=X.X.X.X:LAN:DNS_NAME dst=X.X.X.X:161:PRINTERS:'

rawmsg: '<129>id=firewall sn=0017C5272ED0 time="2012-01-31 14:10:13" fw=X.X.X.X pri=1 c=32 m=608 msg="IPS Detection Alert: INFO SNMP (UDP)" sid=748 ipscat=INFO ipspri=3 n=0 src=X.X.X.X:1052:LAN:DNS_NAME dst=X.X.X.X:161:PRINTERS:'

rsyslog is now up to version 6.3.3, but I can't find any confirmation my issue is corrected in a later version.

I'd like to stick with the official RPMs from CentOS if possible; however, the "debug template" looking OK leads me to believe it's an issue with the MySQL plugin, and upgrading may be my only option.

Before I go that route, any idea if this is something I can correct by altering the template I'm using or some other setting I missed?

Best Answer

There is a typo in the sql template, $msg% instead of %msg%; which rsyslog tried to tell me, and I even quoted in my original question.
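A typo like this can be caught before rsyslog is restarted. The following is an added example, not code from the original post or from rsyslog: a simplified checker for the `%property%` syntax of legacy template strings. The function name `lint_template`, the partial `KNOWN` property list and both SQL templates are assumptions constructed for illustration; the poster's actual template is not shown on the page.

```python
import re

# Partial list of rsyslog message property names (assumption: extend as needed;
# system properties such as %$now% are not covered by this sketch).
KNOWN = {"msg", "rawmsg", "hostname", "fromhost", "fromhost-ip", "syslogtag",
         "programname", "pri", "syslogfacility", "syslogpriority", "iut",
         "timestamp", "timereported", "timegenerated", "app-name", "procid",
         "msgid", "structured-data"}

def lint_template(tpl):
    """Return [(offset, problem), ...] for one legacy template string."""
    problems = []
    pos = 0
    while True:
        start = tpl.find("%", pos)           # opening percent sign
        if start == -1:
            break
        end = tpl.find("%", start + 1)       # matching closing percent sign
        if end == -1:
            problems.append((start, "unterminated '%'"))
            break
        field = tpl[start + 1:end]
        name = field.split(":", 1)[0].lower()  # drop :from:to:options
        if name not in KNOWN:
            problems.append((start, f"invalid property name {field!r}"))
        pos = end + 1
    # Heuristic for the typo in the answer above: '$' typed instead of the opening '%'.
    for m in re.finditer(r"\$([A-Za-z-]+)%", tpl):
        n = m.group(1)
        if n.lower() in KNOWN:
            problems.append((m.start(), f"'${n}%' looks like a typo for '%{n}%'"))
    return problems

# Constructed sample templates (not taken from the page).
GOOD = ("insert into SystemEvents (FromHost, Facility, Message) "
        "values ('%HOSTNAME%', %syslogfacility%, '%msg%')")
BAD = GOOD.replace("'%msg%'", "'$msg%'")

if __name__ == "__main__":
    for label, tpl in (("GOOD", GOOD), ("BAD", BAD)):
        for offset, problem in lint_template(tpl) or [(None, "ok")]:
            print(label, offset, problem)
```
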