I will post a few when I get to the office Monday. In case it rings any bells about a previous problem, these are Foundstone CounterAct logs.

On Fri, Sep 6, 2013 at 10:58 PM, David Lang <[email protected]> wrote:
> do you have any examples you can show us?
>
> David Lang
>
>
> On Fri, 6 Sep 2013, Jeremy Hoel wrote:
>
>> I've got 64K set for both ends. And I've also tried forwarding via
>> tcp with and without octet-counted' and that didn't seem to help
>> either.
>>
>> On Fri, Sep 6, 2013 at 10:47 PM, David Lang <[email protected]> wrote:
>>>
>>> try changing the max log size parameter on both ends. Depending on what
>>> versions you are running, the default size is either 1k or 2k, messages
>>> longer than that get broken into multiple messages.
>>>
>>> David Lang
>>>
>>> On Sat, 7 Sep 2013, Jeremy Hoel wrote:
>>>
>>>> Date: Sat, 7 Sep 2013 00:09:46 +0000
>>>> From: Jeremy Hoel <[email protected]>
>>>> Reply-To: rsyslog-users <[email protected]>
>>>> To: [email protected]
>>>> Subject: [rsyslog] issue with line breaks and templates.
>>>>
>>>>
>>>> I have some logs going to one rsyslog server (srvA) and they get
>>>> written to disk, then some messages get stopped and then the remaining
>>>> ones get forwarded to srvB. Some messages get really large with a lot
>>>> of text after "Reason: ".. so I filter things before and to Reason and
>>>> put that in a template
>>>>
>>>> on srvB I have the following:
>>>>
>>>> ---- ca.conf----
>>>> $Template clean,"%msg:R,ERE,0,FIELD:^.*Reason\:--end%"
>>>> template (name="calogs" type="string"
>>>> string="/opt/syslogs/CA/%hostname%")
>>>> ruleset(name="ca"){
>>>> # action(type="omfile" DirCreateMode="0755" FileCreateMode="0644"
>>>> dynafile="calogs" template="clean")
>>>> action(type="omfile" DirCreateMode="0755" FileCreateMode="0644"
>>>> dynafile="calogs")
>>>> }
>>>>
>>>> input(type="imudp" port="10517" ruleset="ca")
>>>> ---- ca.conf----
>>>>
>>>> When I do not have the template enabled, messages come in, but the
>>>> large ones get broken up and end up in multiple files based on the
>>>> next word after the break. When I have the template enabled the
>>>> messages come in and the part after 'Reason:' gets dropped, but then
>>>> the next message starts right after, merged onto the same message
>>>> line.
>>>>
>>>> I tried having a \n at the end of the line and that didn't seem to help
>>>> either.
>>>>
>>>> Any ideas or is there a better way to approach the problem?
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com/professional-services/
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>> DON'T
>>>> LIKE THAT.
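
An added illustration, not part of the thread and not a diagnosis of the reporter's setup: how a line break inside a syslog message behaves under LF-delimited TCP framing versus the octet-counted framing mentioned above, and why file output that omits a per-record terminator merges records. The sample messages, host name and function names are constructed for this sketch, and the regex is applied to the whole line rather than to rsyslog's `msg` property.

```python
import re

def split_lf_framed(stream: bytes) -> list:
    """Non-transparent framing: every LF terminates a message."""
    return [m for m in stream.split(b"\n") if m]

def frame_octet_counted(msg: bytes) -> bytes:
    """Octet-counted framing: decimal byte length, a space, then the message."""
    return str(len(msg)).encode() + b" " + msg

def split_octet_counted(stream: bytes) -> list:
    """Parse 'LEN SP MSG' frames; an LF inside MSG is ordinary payload."""
    msgs, pos = [], 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)
        length = int(stream[pos:sp])
        start, end = sp + 1, sp + 1 + length
        if end > len(stream):
            raise ValueError("truncated frame")
        msgs.append(stream[start:end])
        pos = end
    return msgs

def clean(msg: bytes) -> bytes:
    """Keep text up to and including 'Reason:' (same regex as the thread's template)."""
    m = re.match(rb"^.*Reason:", msg)  # '.' stops at the first LF
    return m.group(0) if m else msg

def render(msgs, terminator: bytes = b"\n") -> bytes:
    """Build file output; each record needs its own explicit terminator."""
    return b"".join(clean(m) + terminator for m in msgs)

# Constructed sample messages; the first has a line break after "Reason:".
SAMPLE = [
    b"<134>Sep  6 22:58:01 ca01 NAC: host blocked. Reason: policy\nMalware match on endpoint",
    b"<134>Sep  6 22:58:02 ca01 NAC: host admitted. Reason: compliant",
]

if __name__ == "__main__":
    lf = split_lf_framed(b"\n".join(SAMPLE) + b"\n")
    print(len(lf), "messages under LF framing; stray fragment:", lf[1])
    oc = split_octet_counted(b"".join(frame_octet_counted(m) for m in SAMPLE))
    print(len(oc), "messages under octet-counted framing")
    print("no terminator:", render(SAMPLE, b""))
    print("with terminator:", render(SAMPLE))
```

Under LF framing the fragment after the break arrives as its own message with no syslog header, so a receiver has to guess its host name from the fragment's text.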

