Perhaps I didn't understand properly and what you really need is startmsg.regex="WHATEVER"?

rsyslog will consider the message to be part of the previous one if it doesn't start with WHATEVER.


On 24/04/17 at 18:46, Tim Mori via rsyslog wrote:
Not sure where I would set this. The logs are broken on the ESX hosts and 
getting log forwarding on ESX configured is not very straightforward, but I can 
check on it. At first glance, I'm not seeing this being documented anywhere, 
but that isn't surprising.

Thanks,

Tim



-----Original Message-----
From: rsyslog [mailto:[email protected]] On Behalf Of 
mostolog--- via rsyslog
Sent: Monday, April 24, 2017 10:05 AM
To: rsyslog-users <[email protected]>
Cc: [email protected]
Subject: Re: [rsyslog] drop messages without timestamp

FYI: Java stack traces tend to be quite long, and a few weeks ago we had to 
increase maxmessagesize to 64KB. Would that be enough for your needs?


On 21/04/17 at 09:18, David Lang wrote:
Unless it's a massive log message, the best thing to do is probably
increase maxmessagesize on the receiving systems so that they can
handle the full log message.

David Lang

On Tue, 11 Apr 2017, Tim Mori via rsyslog wrote:

Date: Tue, 11 Apr 2017 21:24:11 +0000
From: Tim Mori via rsyslog <[email protected]>
To: "[email protected]" <[email protected]>
Cc: Tim Mori <[email protected]>
Subject: [rsyslog] drop messages without timestamp

I’m trying to work out a problem with the logs from our ESX servers.
It seems for one of the logs, the message can overrun some maximum
and it dumps the remaining part of the message on to the next line.
This is a problem because these message fragments break the
organization set via dynafile and of course they don’t parse.

The only thing I can really match on is that the fragment doesn’t
lead with a timestamp.

I’m wondering if there’s any easy way to drop this message. In
writing this out, I’m not sure basing it on timestamp would be the
best idea as some messages may not immediately start with one. I’m
not sure I can use a variable like timestamp as a condition though.

Tim Mori
SAS Solutions OnDemand
Systems Engineer ▪ Tel: + 1 919 531 1774 ▪
[email protected]
100 SAS Campus Drive ▪ Cary ▪ NC ▪ 27513-2414
http://www.sas.com


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST if you DON'T LIKE THAT.
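
An added illustration, not part of the thread and not rsyslog's own code, of the grouping rule described in the first reply: a line that does not match the start-of-message pattern is treated as a continuation of the previous message. The timestamp pattern, the empty joiner and the sample lines are assumptions constructed for this example.

```python
import re

# Assumed start-of-message pattern: an ISO 8601 timestamp at the start of the line.
START_MSG = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")


def reassemble(lines, start=START_MSG, joiner=""):
    """Group raw lines into messages.

    A line matching `start` opens a new message; any other line is appended
    to the previous message. Fragments seen before any message has started
    have nothing to attach to and are returned separately as orphans, so
    they can be dropped or quarantined instead of breaking parsing.
    """
    messages, orphans = [], []
    for line in lines:
        line = line.rstrip("\n")
        if start.search(line):
            messages.append(line)
        elif messages:
            messages[-1] += joiner + line
        else:
            orphans.append(line)
    return messages, orphans


# Constructed sample: one leading orphan fragment, then a message that
# overran a length limit and spilled its tail onto the following line.
SAMPLE = [
    "n.java:42) at com.example.Worker.run(Worker.java:17)",
    "2017-04-11T21:24:09Z host01 app: task started",
    "2017-04-11T21:24:10Z host01 app: java.lang.IllegalStateException at com.exam",
    "ple.Worker.run(Worker.java:17)",
    "2017-04-11T21:24:11Z host01 app: task finished",
]

if __name__ == "__main__":
    msgs, orphans = reassemble(SAMPLE)
    for m in msgs:
        print("MSG   ", m)
    for o in orphans:
        print("ORPHAN", o)
```

This grouping only makes sense on a single ordered stream; when lines from several senders are interleaved, a fragment can be attached to the wrong message.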