Hi David,
Thanks for the reply.
The issue I had in syslogng and which ultimately will be the same issue in
rsyslog is when receiving the packet with multiple messages the first
message would have a header and the second would not. So what happened is
the first message would go to the assigned hostname file but the second
message would go to the syslogng server hostname and this is why I was
regexing at the network input.
Sincerely,
Michael
Michael Lopez | Mobile: 647-290-1214
On May 8, 2018 2:09 PM, "David Lang" <[email protected]> wrote:
On Tue, 8 May 2018, Michael Lopez wrote:
> Hi David,
> Thanks again for the reply. I'll try to delimit it at the
> file level and see if that works by using ERE. The issue with syslogng was
> doing it at the file level is the message was already broken by the time
it
> hit the file layer.
how is the message being generated?
the API for sending/receiving data via TCP doesn't let you know where the
packet
boundries are as far as I know.
If all your logs are single lines, then they should work by default.
If you are trying to send multi-line logs, you have two choices with rsyslog
1. escape the newlines in the middle of the messages before you send them
2. use the octet counting mode to send the logs via TCP
personally, I would use the first method, because there are a lot of things
in
log processing that assume that messages are a single line, and while you
can
use octet counting to make rsyslog handle them, having to fix this in every
tool
you end up using is going to be more of a pain than having the escaped
character
sequence in the middle of your message.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
