I don't remember the version that this got into, if you use the latest
stable 5.x release you should be good.
if you are wanting to get things into splunk, you have two options.
1. use rsyslog to combine everything into one line and send it in the
one-line format to splunk. to do this 'right' you should teach splunk that
#nnn is a control character and should be treated as a separator.
2. run a splunk agent against the native log file and let it put things
into splunk. you are probably better off running the splunk agent where
your log file is than you are to try to copy the logfile to a different
machine and have it processed there.
David Lang
On Fri, 23 Sep 2011, heriyanto wrote:
Thank you very much for your reply David, it's helpful. my goal is to make a
jboss stacktrace one event in splunk.
If we can make it one long line, that's great, it should work in a splunk
report, even the timestamp is there.
what is the rsyslog version that has your modification for the imfile module
that combines all those lines into one very long message? can you give me a
configuration sample? because i already played with imfile.
do you have any sample configuration to send them to a program to do the
conversion with sed?
can we just show the time in rsyslog date format? or use an 'if': if the first
character is a space we will make it one line.
thank you very much for any help, i have already spent 4 days on this issue,
with my boss always watching me :D
Best regards,
Heriyanto
On 09/23/2011 03:24 AM, [email protected] wrote:
On Thu, 22 Sep 2011, heriyanto wrote:
Dear All,
rsyslog is very cool, i am already using it for all my servers in several
countries. It really helps to centralize our log files.
But i still get stuck when trying to make rsyslog log just like the JBOSS AS
output log (server.log, etc).
1. Can we just send the file to another host using rsyslog, without
anything additional (date, time, host, progname, etc)? i already use the
imfile module but it still gives a timestamp :( double timestamp :(
2. Can we remove the timestamp from rsyslog output?
3. Can we make rsyslog show just the date and messages, without date, host
and progname? can a template do that?
4. Any template for a JBOSS AS stacktrace?
I greatly appreciate every reply. Thank you for your help.
you really don't want to try and mess with changing the over-the-wire
protocol, but you can set up a template for the far side that ignores the
timestamp that rsyslog puts in it (which I think is what you are saying for
#2 and #3)
I'm not sure what you are looking for for #4
one thing to remember, syslog is based on line-formatted messages. many
Java error messages are significantly more complex (in my limited
experience they are many lines, if not pages long, with all but the first
line indented). To help with this I wrote a modification for the imfile
module that could combine all these lines into one very long message. As
this gets sent the newlines in the message will be replaced by an escaped
version of it (#nnn), so it will be one long line on the far side. I don't
know of any way to change them back in the output template, but it would be
pretty trivial to send them to a program to do the conversion (it doesn't
need to be some custom program, sed will do the job)
David Lang
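
The conversion described above (turning the escaped newlines back into real ones on the receiving side), as an added example that is not part of the original thread. It assumes rsyslog's default escaping, '#' followed by the character's three-digit octal code, and uses awk instead of sed so the newline replacement behaves the same everywhere; the function name and the sample message are made up for illustration.

```sh
#!/bin/sh
# Added example: restore the line breaks of a stack trace that rsyslog
# forwarded as one long line.
# Assumption: rsyslog's default escaping, '#' followed by the character's
# three-digit octal code, so LF arrives as #012 and TAB as #011.

# unescape_rsyslog (hypothetical name): filter from stdin to stdout.
# Only LF and TAB are restored; any other escaped control character stays
# escaped so it cannot reach a terminal or a downstream parser as a raw byte.
unescape_rsyslog() {
    awk '{ gsub("#012", "\n"); gsub("#011", "\t"); print }'
}

# Constructed sample: one forwarded message holding a four-line Java trace.
SAMPLE='2011-09-23 10:15:02,123 ERROR [org.jboss.example.Service] request failed#012java.lang.IllegalStateException: constructed sample#012#011at org.jboss.example.Service.run(Service.java:42)#012#011at java.lang.Thread.run(Thread.java:662)'

printf '%s\n' "$SAMPLE" | unescape_rsyslog
```

A literal "#012" that was typed into the original message text is converted too, so run this only on data that came through the escaping step. Lines produced this way no longer carry their own timestamp, so anything that reads the output must group continuation lines with the line above them.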
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com