Just getting used to Graylog, but here's my 2 cents:

My boss slapped Graylog and nxlog onto our workstations and said "this 
stuff looks swell, please make it work".
I noticed he must have copy/pasted some default configs for nxlog and 
generic extractors for Graylog.
What I see in graylog reminds me of your situation. Getting a full message, 
that gets truncated into a "message" field. Only difference is the 
remaining data from the "full message" gets sorted into half a dozen other 
fields. I suspect this is the handiwork of the generic extractors..?
So the moral of my story is: I wouldn't worry about the truncation, maybe 
just get some extractors that will get the remaining data from the full 
message into fields. E.g. we use Cisco devices, so I'm pretty sure my boss 
just googled "uber graylog cisco extractors" lol and pasted them in (into 
the import section). So ya. gl.

On Tuesday, June 23, 2015 at 7:45:16 PM UTC-5, Pete GS wrote:
>
> Hi all,
>
> I'm sending my VMware vCenter server logs and Windows event logs into 
> Graylog using nxlog-ce to send to GELF UDP inputs.
>
> I'm getting confused as to why the "message" field is truncated compared 
> with the "full_message".
>
> At this point I have not tried defining any fields in nxlog for these nor 
> have I defined any extractors on the inputs.
>
> What can cause these messages to be truncated? I'm assuming Graylog is 
> trying to process these into various fields which is leading to the 
> truncated message but I'm not sure how I can overcome this.
>
> Here's an example:
>
> full_message: vpxd2015-06-24T10:36:18.302+10:00 info vpxd[10384] 
> [Originator@6876 sub=vpxLro 
> opID=opId-f89b4b1a-bd95-48fa-8193-d7f494ae37b2-3d-5a] [VpxLRO] -- FINISH 
> task-internal-2506
>
> message: vpxd2015-06-24T10:36:18.302+10:00 info vpxd[10384] [Originator@6
>
> I am seeing the same behaviour for the Windows events and here's an 
> example:
>
> full_message: The system call to get account information completed. 
> CN=VMM01,CN=Computers,DC=lab,DC=melbourneit,DC=com The call completed in 0 
> milliseconds.
>
> message: The system call to get account information completed. 
> CN=VMM01
>
> Here are the two relevant inputs used in nxlog.conf:
>
> <Input InEvents>
>     Module      im_msvistalog
>     EXEC if $ObjectName =~ /\\Nimsoft\\probes\\/ drop();
> </Input>
>
> <Input VPXD>
>     Module im_file
>     File "C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-[0-9]*.log"
>     SavePos TRUE
>     ReadFromLast TRUE
>     Exec $Message = 'vpxd' + $raw_event;
> </Input>
>
> I'm guessing it's probably going to be something as simple as defining 
> fields in nxlog but I'm not real sure on that and am hoping someone else 
> has come across this and has a solution or at least some pointers in the 
> right direction.
>
> Any help with this would be greatly appreciated!
>
> Cheers, Pete
>
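
An added example, not part of either post and not Graylog or nxlog code: the vpxd sample from the question, parsed from `full_message` into fields the way an extractor would, plus a check that the posted `message` is exactly the first 64 characters of `full_message`. The regex, function names and field names are hypothetical and written for this one sample line.

```python
import re

# Constructed from the vpxd sample in the post (mail line wrapping undone).
FULL_MESSAGE = (
    "vpxd2015-06-24T10:36:18.302+10:00 info vpxd[10384] "
    "[Originator@6876 sub=vpxLro "
    "opID=opId-f89b4b1a-bd95-48fa-8193-d7f494ae37b2-3d-5a] "
    "[VpxLRO] -- FINISH task-internal-2506"
)
SHORT_MESSAGE = "vpxd2015-06-24T10:36:18.302+10:00 info vpxd[10384] [Originator@6"

# Hypothetical pattern for this sample; the leading "vpxd" is the prefix the
# nxlog Exec line in the post prepends to $raw_event.
VPXD_RE = re.compile(
    r"^(?:vpxd)?(?P<timestamp>\d{4}-\d\d-\d\dT[\d:.]+(?:Z|[+-]\d\d:\d\d))\s+"
    r"(?P<level>\w+)\s+(?P<process>[\w.-]+)\[(?P<pid>\d+)\]\s+"
    r"(?:\[(?P<sdata>[^\]]*)\]\s+)?(?P<text>.*)$",
    re.DOTALL,
)

def parse_vpxd(line):
    """Return a flat dict of fields, or None if the line does not match."""
    m = VPXD_RE.match(line)
    if m is None:
        return None
    fields = {k: v for k, v in m.groupdict().items()
              if k != "sdata" and v is not None}
    # Bracketed block: "Originator@6876 sub=vpxLro opID=..."
    for token in (m.group("sdata") or "").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
        elif "@" in key:
            name, _, num = key.partition("@")
            fields[name.lower()] = num
    return fields

def is_prefix_truncation(short, full, limit=64):
    """True when `short` is exactly the first `limit` characters of `full`."""
    return len(short) == limit and full[:limit] == short

if __name__ == "__main__":
    print("message is a 64-char prefix:",
          is_prefix_truncation(SHORT_MESSAGE, FULL_MESSAGE))
    for name, value in parse_vpxd(FULL_MESSAGE).items():
        print(f"{name}: {value}")
```

Run against the truncated `message` instead, the same parser recovers no `sub` or `opID`, which is why field extraction belongs on `full_message`. The 64-character cut matches the default of the `ShortMessageLength` directive documented for nxlog's xm_gelf module; whether the nxlog-ce build used in this thread supports that directive is an assumption to verify.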
