RSYSLOG Record Number field definition

Started by JFS21045, December 21, 2020, 02:07:14 PM


JFS21045

I am parsing logs and have an rsyslog record appended with the following format:

Dec 15 00:00:00 FQDN.com ###: Regular syslog message

The ### can be a 3- to 9-digit integer and seems to be a one-up type of scheme.

I cannot find it in the rsyslog docs.

I was told it was an rsyslog log cat number, but I cannot find any reference to that in the docs either.

Thanks

deanwebb

A few questions come to mind:

What version of rsyslog is this?

Is debugging turned on somewhere?

The first question is in case the second one isn't "yes" so I can be sure to go through the appropriate version's man pages and support. But if the second line is "yes", then see if those cat numbers go away when debugging is turned off. Whenever I see data that is hard to figure out, I look to see if it's because someone cranked debug up somewhere.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

JFS21045

Hi Dean,
Not sure what version of rsyslog.
The logs I am getting are all level 6 or higher, so debugging is off (at the device syslog) but not sure if the rsyslog server has it on.  (The rsyslog server is receiving the logs from an f5 device that is aggregating router logs and forwarding them to the rsyslog server which is forwarding them to my team...)
Thanks!

deanwebb

Ah, that's an interesting piece... is it possible the f5 is inserting info in the syslog? What do the logs look like before they hit the f5?

Otanx

As you are finding out, the syslog standard is pretty broad. Basically anything goes. What you are probably looking at is a sequence number from the originating device. Basically just a counter on how many log messages the device has sent. Typically it is reset on a reboot, or rolls over at some value; 65535 is pretty common. There isn't much use for the field besides confirming that your syslog server got all the log messages from the device. Of course, if you are missing some, there isn't a way to go get the missing logs anyway.

-Otanx
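The one defensive use Otanx mentions for that counter is checking whether the collector actually received every message. The script below is an added example, not code from the thread or from rsyslog: it parses the "Mon DD HH:MM:SS host ###: message" layout from the first post, tracks the sequence number per originating host, and reports gaps (messages that never arrived), resets (the counter went backwards, e.g. a reboot) and a clean rollover at an assumed maximum of 65535. The hostnames, log lines and the 65535 rollover value are all constructed for the example; the device's real rollover value should be taken from its documentation.

```python
import re

# Constructed layout from the thread: "Dec 15 00:00:00 FQDN.com ###: Regular syslog message".
# The thread says the counter is 3-9 digits, but right after a reset it can be shorter,
# so any run of digits before the colon is accepted.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<seq>\d+): "
    r"(?P<msg>.*)$"
)

# Constructed sample input: one gap on router1, one rollover on router2,
# one reset on router1, and one line without a counter at all.
SAMPLE = """\
Dec 15 00:00:00 router1.example.com 1041: Regular syslog message
Dec 15 00:00:01 router1.example.com 1042: Regular syslog message
Dec 15 00:00:02 router1.example.com 1045: Regular syslog message
Dec 15 00:00:03 router2.example.com 65535: Regular syslog message
Dec 15 00:00:04 router2.example.com 1: Regular syslog message
Dec 15 00:00:05 router1.example.com 1046: Regular syslog message
Dec 15 00:00:06 router1.example.com 3: Regular syslog message
Dec 15 00:00:07 router3.example.com no sequence number on this one
"""


def parse_line(line):
    """Split one line into ts/host/seq/msg; seq is returned as int. None if it does not match."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    return rec


def audit(lines, rollover=65535):
    """Walk the lines in order and return a list of anomalies, one dict per event.

    kind is one of:
      gap      - seq jumped forward; 'missing' messages were not received
      rollover - previous seq was the assumed maximum and the counter wrapped to 0/1
      reset    - seq went backwards without a rollover (device likely rebooted)
      unparsed - the line did not match the expected layout
    """
    last_seq = {}   # host -> last sequence number seen
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            events.append({"host": None, "kind": "unparsed", "prev": None,
                           "seq": None, "missing": 0})
            continue
        host, seq = rec["host"], rec["seq"]
        prev = last_seq.get(host)
        if prev is not None and seq != prev + 1:
            if prev == rollover and seq in (0, 1):
                kind, missing = "rollover", 0
            elif seq <= prev:
                kind, missing = "reset", 0
            else:
                kind, missing = "gap", seq - prev - 1
            events.append({"host": host, "kind": kind, "prev": prev,
                           "seq": seq, "missing": missing})
        last_seq[host] = seq
    return events


def total_missing(events):
    """Sum of messages the collector demonstrably never received."""
    return sum(e["missing"] for e in events if e["kind"] == "gap")


if __name__ == "__main__":
    for e in audit(SAMPLE.splitlines()):
        print(e)
    print("missing messages:", total_missing(audit(SAMPLE.splitlines())))
```

A reset and a gap look alike from a single line, which is why the check is per host and in arrival order; if the f5 in the middle re-orders or batches messages, a small number of spurious "gap"/"reset" pairs is expected and the counts should be read over a window rather than line by line.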