Hi David,
Thanks again for the reply.  I'll try to delimit it at the file level and
see if that works by using ERE. The issue with syslog-ng doing it at the
file level was that the message was already broken by the time it hit the
file layer.

What would you personally recommend?
Thanks again

Sincerely,
                 Michael

On Mon, May 7, 2018, 6:14 PM David Lang, <[email protected]> wrote:

> With TCP, it doesn't matter how many messages are in a packet, or how many
> packets it takes to transmit one message.
>
> However, rsyslog either does octet counting or newline message separators.
> I don't believe that there is a way to split on arbitrary text as the
> message boundary. Can you just split on newlines?
>
> I'm surprised to hear that syslog-ng somehow gets hold of the packet
> boundaries from the OS and exposes them to the config for TCP. I'm puzzled
> as to how the packet boundaries would even be passed from the OS level to
> the application.
>
> David Lang
>
> On Mon, 7 May 2018, Michael Lopez via rsyslog wrote:
>
> > Date: Mon, 07 May 2018 22:06:11 +0000
> > From: Michael Lopez via rsyslog <[email protected]>
> > To: [email protected]
> > Cc: Michael Lopez <[email protected]>
> > Subject: [rsyslog] Multiple messages 1 packet.
> >
> > Hi All,
> > I'm currently using syslog-ng to resolve an issue where, when this
> > specific device sends its syslog msgs, there will be multiple messages
> > in the packet.
> >
> >
> > With syslog-ng PE I have the following input:
> > source s_net { network(ip("0.0.0.0") port("514") transport("tcp")
> > multi-line-prefix("^<[0-9]{2}>(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)")
> > flags(validate-utf8)); };
> >
> >
> > This splits the packet into 2 or 3 messages depending on the starting
> > delimiter, and I'm wondering if rsyslog would be able to do the same
> > before hitting omfile.
> >
> > Example of a payload TCPDUMP
> > *START OF PACKET*
> > *Timestamp ip header etc....*
> > *<11> May 07 18:00:01 HOST XXXXXXXXXXX*
> > *<13> May 07 18:00:01 HOST YYYYYYYYYYYY*
> > *END OF PACKET*
> >
> >
> >
> > Any help would be appreciated.
> >
> > Sincerely,
> >                 Michael
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
> >
>
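
The two framing modes David mentions (octet counting and newline separators), as an added example that is not part of the original thread or of rsyslog's code: a small stream reassembler showing that the same messages come out however TCP happens to chunk the bytes. The class and function names, the `MAX_FRAME` cap and the "leading digit means octet count" detection rule are assumptions of this example.

```python
MAX_FRAME = 8192  # assumed cap; rejects bogus lengths and endless lines
class SyslogStreamFramer:
    """Reassembles syslog messages from TCP bytes, however they were chunked."""
    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk):
        """Append bytes from one recv() call and return the completed messages."""
        self.buf += chunk
        done = []
        while self.buf:
            msg = self._next()
            if msg is None:          # frame incomplete: wait for more bytes
                break
            if msg:                  # drop empty lines
                done.append(msg)
        return done

    def _next(self):
        head, sep, _ = self.buf.partition(b" ")
        if head.isdigit():           # octet counting: "LEN SP MSG"
            if len(head) > 5 or int(head) > MAX_FRAME:
                raise ValueError("octet count too large")
            end = len(head) + 1 + int(head)
            if not sep or len(self.buf) < end:
                return None
            msg = bytes(self.buf[len(head) + 1:end])
        else:                        # newline-terminated frame
            end = self.buf.find(b"\n") + 1
            if end == 0:
                if len(self.buf) > MAX_FRAME:
                    raise ValueError("unterminated frame")
                return None
            msg = bytes(self.buf[:end - 1])
        del self.buf[:end]
        return msg

def frame_all(stream, chunk_size):
    """Feed `stream` in chunk_size-byte pieces, as arbitrary TCP segmentation would."""
    framer, out = SyslogStreamFramer(), []
    for i in range(0, len(stream), chunk_size):
        out += framer.feed(stream[i:i + chunk_size])
    return out

# Constructed sample: the two messages from the tcpdump in the thread.
MSGS = [b"<11> May 07 18:00:01 HOST XXXXXXXXXXX",
        b"<13> May 07 18:00:01 HOST YYYYYYYYYYYY"]
NEWLINE_STREAM = b"".join(m + b"\n" for m in MSGS)
OCTET_STREAM = b"".join(b"%d %s" % (len(m), m) for m in MSGS)
```

Calling `frame_all(NEWLINE_STREAM, 1)` and `frame_all(NEWLINE_STREAM, 4096)` returns the same two messages, which is why a receiver only needs a terminator or a length prefix and never the packet boundaries.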