we really do need an option that will cause the imfile module to output an
escape sequence instead of newline when reading in multiline logs, I have been
meaning to throw something together to do this for a while, but haven't gotten
around to it (in part, because I wasn't sure if it was a real problem or just a
theoretical problem)
David Lang
On Mon, 2 Sep 2013, Rainer Gerhards wrote:
If you want to ship messages with embedded LF in them, you can use
octet-counted framing, which solves that problem. It's optional in rsyslog
and turned off by default as most syslogd's do not understand it.
HTH
Rainer
On Mon, Sep 2, 2013 at 8:56 AM, Radu Gheorghe <[email protected]>wrote:
Hello,
AFAIK this is a design flaw of syslog over TCP (at least the RFC 3164).
Because log lines sent over TCP are delimited by a new line.
So far I've sent multi-line logs successfully via UDP, by disabling control
character escaping on the receiving end:
http://www.rsyslog.com/doc/rsconf1_escapecontrolcharactersonreceive.html
But other options should also work. I didn't test them all, but this thread
might give you the pointers you need:
http://www.gossamer-threads.com/lists/rsyslog/users/9619
Best regards,
Radu
2013/9/2 Bijohn Bijohn <[email protected]>
Hi,
I am using rsyslog to ship logs to centralized log server. Having *issues
with logs having more than one line*.
Tried $InputFileReadMode 1 in client.
--- If I send logs to a centralized log server, it will send the first
line
only. All the other lines are ignored.
--- If I write logs to another file in same client machine, it appends
time stamp to first line but, *still the log is multi-line. I believe it
should be a one liner here escaping new line char.*
client version : rsyslogd 5.8.6
Server version: rsyslogd 5.8.11
*My client config:*
$ModLoad imfile
$InputFileName /tmp/ne.error.log
$InputFileTag test.ne.ne-error
$InputFileStateFile test.ne.ne-error
$InputFileReadMode 1
$InputRunFileMonitor
if $syslogtag == 'test.ne.ne-error' then @@172.17.7.9:514
#& ~
if $syslogtag == 'test.ne.ne-error' then /tmp/ne.error.new
& ~
*My server (*172.17.7.9*) config:*
$template test.ne.ne-error,"/tmp/ne-test.log"
if $syslogtag == 'test.ne.ne-error' then ?test.ne.ne-error
& ~
Please point out if I am doing anything wrong.
--------------------
Tried with following as log:
Newline 1
test1
test2
test3
Newline 2
test4
test5
------------------
In same server, syslog write it as:
Aug 30 17:47:50 myhost test.ne.ne-error Newline 1
test1
test2
test3
Aug 30 17:47:50 myhost test.ne.ne-error Newline 2
test4
test5
--------------------
In remote log server it was like this:
Aug 30 17:47:50 myhost test.ne.ne-error Newline 1
Aug 30 17:47:50 myhost test.ne.ne-error Newline 2
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
