With TCP, it doesn't matter how many messages are in a packet, or how many packets it takes to transmit one message.

However, rsyslog either does octet counting or newline message separators. I don't believe that there is a way to split on arbitrary text as the message boundary. Can you just split on newlines?

I'm surprised to hear that syslog-ng somehow gets hold of the packet boundaries from the OS and exposes them to the config for TCP. I'm puzzled as to how the packet boundaries would even be passed from the OS level to the application.

David Lang

On Mon, 7 May 2018, Michael Lopez via rsyslog wrote:

Date: Mon, 07 May 2018 22:06:11 +0000
From: Michael Lopez via rsyslog <[email protected]>
To: [email protected]
Cc: Michael Lopez <[email protected]>
Subject: [rsyslog] Multiple messages 1 packet.

Hi All,
         I'm currently using syslogng to resolve an issue of which when
this specific device sends its syslog msgs there will be multiple messages
into the packet.


With syslogng pe I have the following input:
source s_net { network(ip("0.0.0.0") port("514") transport("tcp")
multi-line-prefix("^<[0-9]{2}>(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)")
flags(validate-utf8)); };


This splits the packet into 2 or 3 messages depending on the starting
delimiter and wondering if rsyslog would be able to do the same before
hitting omfile.

Example of a payload TCPDUMP
*START OF PACKET*
*Timestamp ip header etc....*
*<11> May 07 18:00:01 HOST XXXXXXXXXXX*
*<13> May 07 18:00:01 HOST YYYYYYYYYYYY*
*END OF PACKET*



Any help would be appreciated.

Sincerely,
                Michael
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
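
Added example, not part of the original thread and not rsyslog or syslog-ng code: a small stream framer showing why packet boundaries do not matter on TCP. It splits a byte stream on the two framings named in the reply (octet counting and newline separators) and gives the same messages however the bytes are sliced across recv() calls. The class and function names are hypothetical, and the sample streams are constructed from the two messages in the post.

```python
# Constructed sample input: the two messages from the post, framed both ways.
M1 = b"<11> May 07 18:00:01 HOST XXXXXXXXXXX"
M2 = b"<13> May 07 18:00:01 HOST YYYYYYYYYYYY"
NEWLINE_STREAM = M1 + b"\n" + M2 + b"\n"
OCTET_STREAM = b"%d %s%d %s" % (len(M1), M1, len(M2), M2)

class SyslogStreamFramer:
    """Hypothetical helper: rebuilds messages from a TCP byte stream."""
    def __init__(self, max_len=8192):
        self.buf = b""
        self.max_len = max_len  # bound the buffer so a bad sender cannot grow it forever

    def feed(self, chunk):
        """Take the bytes of one recv() call, return the messages completed so far."""
        self.buf += chunk
        done = []
        while self.buf:
            # Assumption of this example: a frame starting with a digit is octet-counted.
            octet = self.buf[:1].isdigit()
            msg = self._octet_counted() if octet else self._newline()
            if msg is None:  # frame incomplete, wait for more bytes
                break
            if msg:
                done.append(msg)
        return done

    def _pending(self):
        # No delimiter seen yet: keep waiting unless the buffer is already too large.
        if len(self.buf) > self.max_len:
            raise ValueError("frame exceeds max_len")
        return None

    def _octet_counted(self):
        head, sep, rest = self.buf.partition(b" ")
        if not sep:
            return self._pending()
        if not head.isdigit() or int(head) > self.max_len:
            raise ValueError("bad octet count")
        n = int(head)
        if len(rest) < n:
            return None
        self.buf = rest[n:]
        return rest[:n]

    def _newline(self):
        line, sep, rest = self.buf.partition(b"\n")
        if not sep:
            return self._pending()
        self.buf = rest
        return line.rstrip(b"\r")

def split_stream(stream, chunk_size):
    """Deliver stream in chunk_size-byte slices, as recv() might, and collect messages."""
    framer = SyslogStreamFramer()
    return [m for i in range(0, len(stream), chunk_size)
            for m in framer.feed(stream[i:i + chunk_size])]
```

A message with no trailing newline stays in the buffer until the delimiter arrives, so the last message of a newline-framed stream is only emitted once the sender terminates it.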
