On 8/5/17 11:28 PM, David Lang wrote:
on the receiver, write a log with the format rawmsg or use the RSYSLOG_DebugFormat and look at the rawmsg line there. Let's see exactly what is being sent to see if the data is being lost at transmit or on reception.


Personally, I have my senders reformat the data so that the body of the message is in JSON, and then I create a $!trusted variable that I have contain various metadata. each machine that processes the message adds to the metadata (when it was received, what machine recived it, what IP it was recevied from,etc)

This is a good place to put high res timing info or syslogtag info to make sure that nothing mangles it in processing. On the final receiver, you then parse the JSON and have access to everything you every want.

This is an indirect way of solving the problem you have, but it solves a bunch of other problems at the same time, and doesn't require the SyslogProtocol123Format to get the timestamp you want (you may even just include the timestamp in various formats so you don't have to mess with changing it's format later)

David Lang

I responded back to my original email a few minutes ago before seeing your reply, but it looks like setting this global option on the clients will do what I need:

global (
    parser.permitSlashInProgramName="on"
)

That said, thank you for the tips. I know I'm eventually going to have to look at using JSON since most of the popular tool chains I'm researching seem to prefer it (e.g., Elastic Stack, Graylog), so I'm definitely interested in learning more about that approach.

Are there any good guides that cover the steps you mention in detail? I understand the basic idea of what you're suggesting, but perhaps not the step by step implementation details.

Thank you for your help.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to