Rsyslog custom imfile, multiline sending as separate messages on remote server
by bhanupraveeng from LinuxQuestions.org on (#590S8)
Hello,
I have a custom log file which I need to send to a remote server with start and end tags.
My log file:
Code:
<exclusive-start
1
<exclusive-end
<exclusive-start
2
<exclusive-end
assdaddas
<exclusive-start
3
<exclusive-end

My rsyslog.conf file:
Code:
module(load = "imfile")
input(
    type = "imfile"
    file = "/opt/splunk/other/rsysloginput/gc-log.log"
    Tag = "gclog"
    addMetadata="on"
    escapelf="off"
    startmsg.regex="^<exclusive-start"
    endmsg.regex="^<exclusive-end"
)
:programname, contains, "gclog" /opt/splunk/other/rsysloginput/gcfilteroutput.log

So on the same server, my output log shows as below, which is correct, with each multiline message as a single message:
Code:
Oct 11 11:43:40 lla10703 gclog <exclusive-start
1
<exclusive-end
Oct 11 11:44:40 lla10703 gclog <exclusive-start
2
<exclusive-end
assdaddas
Oct 11 11:44:40 lla10703 gclog <exclusive-start
3
<exclusive-end

Now the same code when forwarded to a remote server as below:
Code:
*.* action(type="omfwd" target="11.245.4.12" port="10514" protocol="tcp"
    action.resumeRetryCount="100"
    queue.type="linkedList" queue.size="10000")

Then the multiline message is split into a single message for every line.
Code:
Oct 11 16:05:33 lla10703 gclog <exclusive-start#015
Oct 11 16:05:33 lla10701 rsyslogd: Framing Error in received TCP message: delimiter is not SP but has ASCII value 13. [v8.24.
Oct 11 16:05:35 lla10703.amberroad.com #012<exclusive-end#015#012<
Oct 11 16:05:00 lla10703.amberroad.com
Oct 11 16:05:35 lla10703 journal: No devices in use
Oct 11 16:05:35 lla10703.amberroad.com , exit

Kindly let me know how to overcome this issue?
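
Added example, not part of the original post and not rsyslog's own code: a simplified Python model of the two RFC 6587 framings for syslog over TCP. It shows why an LF-delimited stream breaks a multi-line record into one message per line and why a line starting with a digit produces the "delimiter is not SP but has ASCII value 13" error seen above, while octet-counted framing (the `TCP_Framing="octet-counted"` setting of omfwd) keeps the record whole. The `receive` function, the sample record with its PRI value, and the fall-back to LF parsing after an error are assumptions of this model.

```python
# Added example: simplified model of RFC 6587 framing, not rsyslog's code.
LF = b"\n"

# Constructed sample: one multi-line record as a sender would forward it
# (CRLF line endings inferred from the #015 in the post; PRI is made up).
RECORD = (b"<133>Oct 11 16:05:33 lla10703 gclog <exclusive-start\r\n"
          b"1\r\n<exclusive-end\r")

def frame_lf(msg: bytes) -> bytes:
    """Non-transparent framing: the message is terminated by LF."""
    return msg + LF

def frame_octet_counted(msg: bytes) -> bytes:
    """Octet counting: 'MSG-LEN SP MSG', so the payload may contain LF."""
    return str(len(msg)).encode() + b" " + msg

def receive(stream: bytes):
    """Split a byte stream like a receiver that auto-detects both framings.
    Returns (messages, errors)."""
    msgs, errors, i = [], [], 0
    while i < len(stream):
        if stream[i:i + 1].isdigit():          # frame starts with a digit:
            j = i                              # treat it as an octet count
            while stream[j:j + 1].isdigit():
                j += 1
            if stream[j:j + 1] == b" ":
                n = int(stream[i:j])
                msgs.append(stream[j + 1:j + 1 + n])
                i = j + 1 + n
                continue
            delim = stream[j] if j < len(stream) else -1
            errors.append("framing error: delimiter is not SP "
                          f"but has ASCII value {delim}")
            # Assumption of this model: fall back to LF-delimited parsing.
        end = stream.find(LF, i)
        end = len(stream) if end == -1 else end
        msgs.append(stream[i:end])
        i = end + 1
    return msgs, errors

if __name__ == "__main__":
    for name, framer in (("LF", frame_lf), ("octet", frame_octet_counted)):
        msgs, errors = receive(framer(RECORD))
        print(name, len(msgs), "message(s)", errors)
```

With LF framing the receiver sees three messages and one framing error (the line `1` followed by CR is read as an octet count); with octet counting it sees the original record once.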

