I understand what you're saying... I just looked again now and I actually didn't realise I could create an extractor from the "full_message" field.
Thanks!

Cheers, Pete

On Friday, 26 June 2015 13:42:41 UTC+10, slhac tivist wrote:
>
> Just getting used to Graylog, but here's my 2 cents:
>
> My boss slapped graylog and nxlog onto our workstations and said "this
> stuff looks swell, please make it work"
> I noticed he must have copy/pasted some default configs for nxlog and
> generic extractors for graylog.
> What I see in graylog reminds me of your situation. Getting a full
> message, that gets truncated into a "message" field. Only difference is the
> remaining data from the "full message" gets sorted into half a dozen other
> fields. I suspect this is the handiwork of the generic extractors..?
> So the moral of my story is: I wouldn't worry about the truncation, maybe
> just get some extractors that will get the remaining data from the full
> message into fields. E.g. we use cisco devices so I'm pretty sure my boss
> just googled "uber graylog cisco extractors" lol and pasted them in (into
> the import section). So ya. gl.
>
> On Tuesday, June 23, 2015 at 7:45:16 PM UTC-5, Pete GS wrote:
>>
>> Hi all,
>>
>> I'm sending my VMware vCenter server logs and Windows event logs into
>> Graylog using nxlog-ce to send to GELF UDP inputs.
>>
>> I'm getting confused as to why the "message" field is truncated compared
>> with the "full_message".
>>
>> At this point I have not tried defining any fields in nxlog for these nor
>> have I defined any extractors on the inputs.
>>
>> What can cause these messages to be truncated? I'm assuming Graylog is
>> trying to process these into various fields which is leading to the
>> truncated message but I'm not sure how I can overcome this.
>>
>> Here's an example:
>>
>> full_message: vpxd2015-06-24T10:36:18.302+10:00 info vpxd[10384]
>> [Originator@6876 sub=vpxLro
>> opID=opId-f89b4b1a-bd95-48fa-8193-d7f494ae37b2-3d-5a] [VpxLRO] -- FINISH
>> task-internal-2506
>>
>> message: vpxd2015-06-24T10:36:18.302+10:00 info vpxd[10384] [Originator@6
>>
>> I am seeing the same behaviour for the Windows events and here's an
>> example:
>>
>> full_message: The system call to get account information completed.
>> CN=VMM01,CN=Computers,DC=lab,DC=melbourneit,DC=com The call completed in
>> 0 milliseconds.
>>
>> message: The system call to get account information completed.
>> CN=VMM01
>>
>> Here are the two relevant inputs used in nxlog.conf:
>>
>> <Input InEvents>
>>     Module im_msvistalog
>>     EXEC if $ObjectName =~ /\\Nimsoft\\probes\\/ drop();
>> </Input>
>>
>> <Input VPXD>
>>     Module im_file
>>     File "C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-[0-9]*.log"
>>     SavePos TRUE
>>     ReadFromLast TRUE
>>     Exec $Message = 'vpxd' + $raw_event;
>> </Input>
>>
>> I'm guessing it's probably going to be something as simple as defining
>> fields in nxlog but I'm not real sure on that and am hoping someone else
>> has come across this and has a solution or at least some pointers in the
>> right direction.
>>
>> Any help with this would be greatly appreciated!
>>
>> Cheers, Pete
>>
>
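
Added example, not part of the thread and not Graylog or nxlog code: a Python prototype of the field extraction the replies suggest, run against the vpxd sample from the original post. The pattern, the function name `parse_vpxd` and the `ctx_` field prefix are assumptions made for illustration, and the sample's e-mail line wraps are assumed to be single spaces.

```python
import re

# Sample values copied from the post; line wraps joined with single spaces (assumption).
FULL_MESSAGE = (
    "vpxd2015-06-24T10:36:18.302+10:00 info vpxd[10384] "
    "[Originator@6876 sub=vpxLro "
    "opID=opId-f89b4b1a-bd95-48fa-8193-d7f494ae37b2-3d-5a] "
    "[VpxLRO] -- FINISH task-internal-2506"
)
SHORT_MESSAGE = "vpxd2015-06-24T10:36:18.302+10:00 info vpxd[10384] [Originator@6"

# The leading literal "vpxd" is the prefix added by the Exec line in the VPXD input.
VPXD_LINE = re.compile(
    r"^vpxd(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+(?:Z|[+-]\d{2}:\d{2}))"
    r"\s+(?P<level>\w+)"
    r"\s+(?P<process>[\w.-]+)\[(?P<pid>\d+)\]"
    r"\s+\[(?P<context>[^\]]*)\]"   # requires the closing bracket of the context block
    r"\s+(?P<text>.*)$",
    re.DOTALL,
)

def parse_vpxd(line):
    """Return a dict of fields, or None when the line does not fit the pattern
    (for example because it was cut off inside the bracketed context block)."""
    match = VPXD_LINE.match(line)
    if match is None:
        return None
    fields = match.groupdict()
    # Split "Originator@6876 sub=vpxLro opID=..." into separate fields.
    for token in fields.pop("context").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields["ctx_" + key] = value
        elif "@" in token:
            fields["ctx_originator"] = token
    return fields

if __name__ == "__main__":
    # In this sample the short field is exactly the first 64 characters of the full one.
    print(len(SHORT_MESSAGE), FULL_MESSAGE.startswith(SHORT_MESSAGE))
    print(parse_vpxd(FULL_MESSAGE))
    print(parse_vpxd(SHORT_MESSAGE))
```

Because the truncated field ends inside the bracketed context block, the same pattern returns nothing for it, which is why extraction should target "full_message".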
