Thank very much for your reply David, its helpful. my goal is make jboss
stacktrace as one event in splunk.
If we can make it one long line, its great, its should be work in splunk
report, even timestamp theres.
what the rsyslog version that you modification for the imfile module
that combine all that lines into one very long message? can you give me
the configuration sample? because i already play with imfile.
did you have any sample configuration to send them to a program to do
conversion with sed?
can we just show the time on rsyslog date format? or using 'if' if the
first character is space we will make its one line.
thank very much for any help, 4 days i already find out about this
issue, with my bos always watching at me :D
Best regards,
Heriyanto
On 09/23/2011 03:24 AM, [email protected] wrote:
On Thu, 22 Sep 2011, heriyanto wrote:
Dear All,
rsyslog its very cool, i already using for all my server several
country. Its very help to centralize our log files.
But i still get stuck when try to make rsyslog log just like JBOSS AS
output log(server.log,etc).
1. Can we make just send the file to another host using rsyslog?
without any additional(date,time,host,progname,etc) i already imfile
module but its still give timestamp :( double timestamp :(
2. Can we remove timestamp from rsyslog to output?
3. Can we make rsyslog just showing date and messages, without date,
host and progname? template do like that?
4. Any template for JBOSS AS stacktrace?
Great appreciate every reply. Thank yours for help.
you really don't want to try and mess with changing the over-the-wire
protocol, but you can setup a template for the far side that ignores
the timestamp that rsyslog puts in it (which I think is what you are
saying for #2 and #3)
I'm not sure what you are looking for for #4
one thing to remember, syslog is based on line-formatted messages.
many Java error messages are significantly more complex (in my limited
experience they are many lines, if not pages long, with all but the
first line indented). To help with this I wrote a modification for the
imfile module that could combine all these lines into one very long
message. As this gets sent the newlines in the message will be
replaced by and escaped version of it (#nnn), so it will be one long
line on the far side. I don't know of any way to change them back in
the output template, but it would be pretty trivial to send them to a
program to do the conversion (it doesn't need to be some custom
program, sed will do the job)
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
