Re: [rsyslog] drop messages without timestamp

2017-04-24 Thread mostolog--- via rsyslog
Perhaps I didn't understand properly and what you really need is 
startmsg.regex="WHATEVER"?


rsyslog will consider the message to be part of the previous one if it doesn't 
start with WHATEVER.



On 24/04/17 at 18:46, Tim Mori via rsyslog wrote:

Not sure where I would set this. The logs are broken on the ESX hosts and 
getting log forwarding on ESX configured is not very straightforward, but I can 
check on it. At first glance, I'm not seeing this being documented anywhere, 
but that isn't surprising.

Thanks,

Tim



-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of 
mostolog--- via rsyslog
Sent: Monday, April 24, 2017 10:05 AM
To: rsyslog-users 
Cc: mosto...@gmail.com
Subject: Re: [rsyslog] drop messages without timestamp

FYI: Java stack traces tend to be quite long, and a few weeks ago we had to 
increase maxmessagesize to 64KB. Would that be enough for your needs?


On 21/04/17 at 09:18, David Lang wrote:

unless it's a massive log message, the best thing to do is probably
increase maxmessagesize on the receiving systems so that they can
handle the full log message.

David Lang

On Tue, 11 Apr 2017, Tim Mori via rsyslog wrote:


Date: Tue, 11 Apr 2017 21:24:11 +
From: Tim Mori via rsyslog 
To: "rsyslog@lists.adiscon.com" 
Cc: Tim Mori 
Subject: [rsyslog] drop messages without timestamp

I’m trying to work out a problem with the logs from our ESX servers.
It seems for one of the logs, the message can overrun some maximum
and it dumps the remaining part of the message on to the next line.
This is a problem because these message fragments break the
organization set via dynafile and of course they don’t parse.

The only thing I can really match on is that the fragment doesn’t
lead with a timestamp.

I’m wondering if there’s any easy way to drop this message. In
writing this out, I’m not sure basing it on timestamp would be the
best idea as some messages may not immediately start with one. I’m
not sure I can use a variable like timestamp as a condition though.

Tim Mori
SAS Solutions OnDemand
Systems Engineer ▪ Tel: + 1 919 531 1774 ▪
tim.m...@sas.com
100 SAS Campus Drive ▪ Cary ▪ NC ▪ 27513-2414
www.sas.com


___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST if you DON'T LIKE THAT.
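
Added example, not part of the original thread: where the two settings mentioned in the replies (maxmessagesize and startmsg.regex) go in an rsyslog configuration. `startmsg.regex` is a parameter of the imfile input, so it only takes effect when rsyslog itself reads the log file; the file path, tag, timestamp pattern and `readTimeout` value below are assumptions.

```conf
# Added example; path, tag and timestamp pattern are assumptions, not from the thread.

# Raise the per-message limit on the receiving system.
# This must appear at the top of rsyslog.conf, before any input is loaded.
global(maxMessageSize="64k")

module(load="imfile")

# A line that does not match startmsg.regex is appended to the previous
# message instead of being emitted as a message of its own.
input(type="imfile"
      File="/var/log/example/hostd.log"    # hypothetical path
      Tag="hostd:"                         # hypothetical tag
      startmsg.regex="^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}"
      readTimeout="5")                     # emit the buffered message after 5 s without new lines
```

With this pattern, any legitimate message that does not begin with a timestamp is also folded into the message before it, which is the concern raised in the original question.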


Re: [rsyslog] drop messages without timestamp

2017-04-24 Thread Tim Mori via rsyslog
Not sure where I would set this. The logs are broken on the ESX hosts and 
getting log forwarding on ESX configured is not very straightforward, but I can 
check on it. At first glance, I'm not seeing this being documented anywhere, 
but that isn't surprising.

Thanks,

Tim



-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of 
mostolog--- via rsyslog
Sent: Monday, April 24, 2017 10:05 AM
To: rsyslog-users 
Cc: mosto...@gmail.com
Subject: Re: [rsyslog] drop messages without timestamp

FYI: Java stack traces tend to be quite long, and a few weeks ago we had to 
increase maxmessagesize to 64KB. Would that be enough for your needs?


On 21/04/17 at 09:18, David Lang wrote:
> unless it's a massive log message, the best thing to do is probably 
> increase maxmessagesize on the receiving systems so that they can 
> handle the full log message.
>
> David Lang
>
> On Tue, 11 Apr 2017, Tim Mori via rsyslog wrote:
>
>> Date: Tue, 11 Apr 2017 21:24:11 +
>> From: Tim Mori via rsyslog 
>> To: "rsyslog@lists.adiscon.com" 
>> Cc: Tim Mori 
>> Subject: [rsyslog] drop messages without timestamp
>>
>> I’m trying to work out a problem with the logs from our ESX servers. 
>> It seems for one of the logs, the message can overrun some maximum 
>> and it dumps the remaining part of the message on to the next line. 
>> This is a problem because these message fragments break the 
>> organization set via dynafile and of course they don’t parse.
>>
>> The only thing I can really match on is that the fragment doesn’t 
>> lead with a timestamp.
>>
>> I’m wondering if there’s any easy way to drop this message. In 
>> writing this out, I’m not sure basing it on timestamp would be the 
>> best idea as some messages may not immediately start with one. I’m 
>> not sure I can use a variable like timestamp as a condition though.
>>
>> Tim Mori
>> SAS Solutions OnDemand
>> Systems Engineer ▪ Tel: + 1 919 531 1774 ▪ 
>> tim.m...@sas.com
>> 100 SAS Campus Drive ▪ Cary ▪ NC ▪ 27513-2414
>> www.sas.com
>>
>>

Re: [rsyslog] drop messages without timestamp

2017-04-24 Thread mostolog--- via rsyslog
FYI: Java stack traces tend to be quite long, and a few weeks ago we had 
to increase maxmessagesize to 64KB. Would that be enough for your needs?



On 21/04/17 at 09:18, David Lang wrote:
unless it's a massive log message, the best thing to do is probably 
increase maxmessagesize on the receiving systems so that they can 
handle the full log message.


David Lang

On Tue, 11 Apr 2017, Tim Mori via rsyslog wrote:


Date: Tue, 11 Apr 2017 21:24:11 +
From: Tim Mori via rsyslog 
To: "rsyslog@lists.adiscon.com" 
Cc: Tim Mori 
Subject: [rsyslog] drop messages without timestamp

I’m trying to work out a problem with the logs from our ESX servers. 
It seems for one of the logs, the message can overrun some maximum 
and it dumps the remaining part of the message on to the next line. 
This is a problem because these message fragments break the 
organization set via dynafile and of course they don’t parse.


The only thing I can really match on is that the fragment doesn’t 
lead with a timestamp.


I’m wondering if there’s any easy way to drop this message. In 
writing this out, I’m not sure basing it on timestamp would be the 
best idea as some messages may not immediately start with one. I’m 
not sure I can use a variable like timestamp as a condition though.


Tim Mori
SAS Solutions OnDemand
Systems Engineer ▪ Tel: + 1 919 531 1774 ▪ 
tim.m...@sas.com

100 SAS Campus Drive ▪ Cary ▪ NC ▪ 27513-2414
www.sas.com

