rgerhards at hq
Apr 19, 2012, 10:54 PM
Post #5 of 18
Re: Rsyslog splitting long-lines into multiple smaller one
> -----Original Message-----
> From: rsyslog-bounces [at] lists [mailto:rsyslog-
> bounces [at] lists] On Behalf Of Jacob Steinberger
> Sent: Thursday, April 19, 2012 7:52 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Rsyslog splitting long-lines into multiple
> smaller one
> Maybe I'm missing something, but your description of "..." followed by
> multiple lines of errors, thus split lines and not a single line, is
> standard for java logging. Are you sure what you're seeing isn't just
> the expected output from java?
The problem is that the syslog appenders are seriously broken. They emit
malformed messages with wrong framing. The end result is what is being
As part of a training project, we have hacked together some appender which
worked at least in lab (YMMV). See here:
> Quoting Jo Rhett <jrhett [at] netconsonance>:
> > I can't answer your question, but I can give you a spec file for the
> > latest 5.8 version for CentOS 5 if you want.
> > On Apr 19, 2012, at 6:30 AM, Florian Crouzat wrote:
> >> This is my first message to the list so please be kind ;)
> >> For the short version of the question, go to the bottom.
> >> I'm using CentOS, my tests have been made using 5.6 with
> >> rsyslog-3.22.1-3.el5_6.1 but I aim to install 6.2 with
> >> rsyslog-4.6.2-12.el6.x86_64 ... Old version in both cases yeah...
> >> Java log through syslog using a syslog appender in log4j.
> >> I emulated a standard log line format using a log4j pattern, and it
> >> works just fine. Rsyslog adds "timestamp %msg" and log4j adds
> >> "hostname jboss: blablabla...".
> >> Eg: Apr 19 15:11:10 host.example.com jboss: INFO [ ]
> >> [StandardPctxCacheExitHandler ] - handling standard transaction
> >> expiration for cache id 06570496120419CJ4YAB1
> >> I'm using a log analyser (ossec) that knows how to decode a jboss
> >> log when matching its pattern, but with long lines, it seems that
> >> something truncates them and creates multiple lines. The first ends
> >> with "...".
> >> It means that each split line isn't logged through log4j and
> >> doesn't have the pattern I defined ==> I can't parse it, ossec goes
> >> crazy, and a bunch of stuff doesn't work.
> >> My question in short: is there a way to tell rsyslogd not to split
> >> my long-lines into different smaller ones ?
> >> I tried 3 different things:
> >> $template JbossFormattest1,"%timegenerated% %msg:0:$%\n"
> >> $template JbossFormattest3,"%timegenerated% %msg:0:3000%\n"
> >> $template JbossFormattest2,"%timegenerated% %msg:drop-cc:%\n"
> >> Sadly, none of them worked.
> >> I'm hoping for some ENV variables, and not to recompile changing a
> >> #define and/or tweaking my kernel.
> >> In the worst case, I'll extract my dynamic log4j pattern into
> >> different rsyslog templates per server as %HOSTNAME% would be
> >> localhost.localdomain.
> >> --
> >> Cheers,
> >> Florian Crouzat
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > --
> > Jo Rhett
> > Net Consonance : consonant endings by net philanthropy, open source
> > and other randomness
rsyslog mailing list
What's up with rsyslog? Follow https://twitter.com/rgerhards
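
One way to spot and rejoin such fragments before they reach a decoder like ossec, as an added example that is not code from this thread, rsyslog or log4j. It assumes fragments keep rsyslog's timestamp but lose the "hostname jboss:" header, and that a cut piece ends (and the next may begin) with "..."; the names `reassemble`, `FULL`, `TS_ONLY` and all sample lines after the first are constructed for illustration.

```python
import re

TS = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"
# Complete record: rsyslog timestamp, then the "hostname jboss:" header from the log4j pattern.
FULL = re.compile(r"^(?P<ts>" + TS + r") (?P<host>\S+) jboss: (?P<body>.*)$")
# Assumption: a fragment carries only the rsyslog timestamp, no "hostname jboss:" header.
TS_ONLY = re.compile(r"^" + TS + r" (?P<rest>.*)$")
CUT = "..."  # marker the thread reports at the end of the first piece

def reassemble(lines):
    """Rejoin split records. Returns (records, orphans); orphans are
    (line_number, text) pairs that match no header and follow no cut record."""
    records, orphans = [], []
    open_rec = None  # record whose latest piece ended with the cut marker
    for num, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        m = FULL.match(line)
        if m:
            rec = dict(m.groupdict(), fragments=1)
            records.append(rec)
            open_rec = rec if rec["body"].endswith(CUT) else None
            continue
        if open_rec is None:
            orphans.append((num, line))  # unparseable: report it, do not guess
            continue
        t = TS_ONLY.match(line)
        rest = t.group("rest") if t else line
        if rest.startswith(CUT):
            rest = rest[len(CUT):]
        open_rec["body"] = open_rec["body"][:-len(CUT)] + rest
        open_rec["fragments"] += 1
        if not rest.endswith(CUT):
            open_rec = None
    return records, orphans

# First line is the sample from the thread; the other three are constructed.
SAMPLE = [
    "Apr 19 15:11:10 host.example.com jboss: INFO [ ] [StandardPctxCacheExitHandler ] "
    "- handling standard transaction expiration for cache id 06570496120419CJ4YAB1",
    "Apr 19 15:11:12 host.example.com jboss: ERROR [ ] [Worker ] - request failed: pool exhaus...",
    "Apr 19 15:11:12 ...ted at com.example.Pool.take(Pool.java:42)",
    "Apr 19 15:11:13 at com.example.Stray.run(Stray.java:7)",
]

if __name__ == "__main__":
    recs, orphans = reassemble(SAMPLE)
    for r in recs:
        print(r["fragments"], r["host"], r["body"])
    for num, text in orphans:
        print("orphan line", num, text)
```

Orphan lines are worth alerting on rather than dropping: they are exactly the input a pattern-based decoder will fail to attribute to a host or application.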