NXLog search
Let's talk Start free
Let's talk Start free

GELF messages from Ubuntu are being truncated

Tags:
#1 dtilly

My Setup:



  • Graylog2 server to collect logs

  • Ubuntu machine running Zimbra sending logs from various Zimbra logfiles in GELF format

My problem:



  • Messaged received by Graylog are truncated.

Here is an actual message as it appeared on my Ubuntu server's "mailbox.log" file (please note that I have X'd out the email address):



2016-06-12 08:51:17,832 INFO  [ImapSSLServer-95] [name=XXXXXXX@XXX.org;ip=10.10.48.74;ua=iPod touch Mail/13C75;] imap - ID elapsed=0



Here is the log as received by Graylog:



2016-06-12 08:51:17,832 INFO [ImapSSLServer-95] [name=XXXXXXX



All message seem to be truncated after exactly the same number of characters. I cannot seem to figure this out and would love some help. Below I have pasted my nxlog.conf file:



## This is a sample configuration file. See the nxlog reference manual about the

## configuration options. It should be installed locally under

## /usr/share/doc/nxlog-ce/ and is also available online at

## http://nxlog.org/docs



########################################

# Global directives                    #

########################################

User nxlog

Group nxlog



LogFile /var/log/nxlog/nxlog.log

LogLevel INFO



########################################

# Modules                              #

########################################

<Extension gelf>

    Module      xm_gelf

</Extension>



<Extension syslog2>

    Module    xm_syslog

</Extension>



<Input mailbox.log>

        Module  im_file

        File    "/opt/zimbra/log/mailbox.log"

    InputType LineBased

    SavePos    TRUE

</Input>



<Input access_log>

    Module    im_file

    File    "/opt/zimbra/log/access_log*"

    SavePos True

</Input>



<Input audit.log>

    Module    im_file

    File    "/opt/zimbra/log/audit.log"

    SavePos    TRUE

</Input>



<Input clamd.log>

    Module    im_file

    File    "/opt/zimbra/log/clamd.log"

    SavePos    TRUE

</Input>



<Input freshclam.log>

    Module    im_file

    File    "/opt/zimbra/log/freshclam.log"

    SavePos    TRUE

</Input>



<Input mysql_error.log>

    Module    im_file

    File    "/opt/zimbra/log/mysql_error.log"

    SavePos TRUE

</Input>



<Input mail.log>

    Module    im_file

    File    "/var/log/mail.log"

    SavePos TRUE

</Input>



<Input zimbra.log>

    Module im_file

    File    "/var/log/zimbra.log"

    SavePos TRUE

</Input>



<Input syslog>

    Module im_file

    File    "/var/log/syslog"

    SavePos    TRUE

</Input>



<Input zimbra-stats.log>

    Module im_file

    File    "/var/log/zimbra-stats.log"

    SavePos TRUE

</Input>



<Output out>

    Module      om_udp

    Host        10.10.90.45

    Port        5407

    Exec    to_syslog_snare();

</Output>



<Output out2>

    Module    om_udp

    Host    10.10.90.45

    Port    5413

    OutputType    GELF

</Output>



########################################

# Routes                               #

########################################

<Route 1>

    Path        mailbox.log => out

</Route>



<Route 2>

    Path    access_log => out

</Route>



<Route 3>

    Path    audit.log => out

</Route>



<Route 4>

    Path    clamd.log => out

</Route>



<Route 5>

    Path    freshclam.log => out

</Route>



<Route 6>

    Path    mysql_error.log => out

</Route>



<Route 7

    Path    mail.log => out

</Route>



<Route 8>

    Path    zimbra.log => out

</Route>



<Route 9>

    Path    syslog => out2

</Route>



<Route 10>

    Path    zimbra-stats.log => out

</Route>



 


Permalink
#2 adm Nxlog ✓
#1 dtilly
My Setup: Graylog2 server to collect logs Ubuntu machine running Zimbra sending logs from various Zimbra logfiles in GELF format My problem: Messaged received by Graylog are truncated. Here is an actual message as it appeared on my Ubuntu server's "mailbox.log" file (please note that I have X'd out the email address): 2016-06-12 08:51:17,832 INFO  [ImapSSLServer-95] [name=XXXXXXX@XXX.org;ip=10.10.48.74;ua=iPod touch Mail/13C75;] imap - ID elapsed=0 Here is the log as received by Graylog: 2016-06-12 08:51:17,832 INFO [ImapSSLServer-95] [name=XXXXXXX All message seem to be truncated after exactly the same number of characters. I cannot seem to figure this out and would love some help. Below I have pasted my nxlog.conf file: ## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally under ## /usr/share/doc/nxlog-ce/ and is also available online at ## http://nxlog.org/docs ######################################## # Global directives                    # ######################################## User nxlog Group nxlog LogFile /var/log/nxlog/nxlog.log LogLevel INFO ######################################## # Modules                              # ######################################## <Extension gelf>     Module      xm_gelf </Extension> <Extension syslog2>     Module    xm_syslog </Extension> <Input mailbox.log>         Module  im_file         File    "/opt/zimbra/log/mailbox.log"     InputType LineBased     SavePos    TRUE </Input> <Input access_log>     Module    im_file     File    "/opt/zimbra/log/access_log*"     SavePos True </Input> <Input audit.log>     Module    im_file     File    "/opt/zimbra/log/audit.log"     SavePos    TRUE </Input> <Input clamd.log>     Module    im_file     File    "/opt/zimbra/log/clamd.log"     SavePos    TRUE </Input> <Input freshclam.log>     Module    im_file     File    "/opt/zimbra/log/freshclam.log"     SavePos    TRUE </Input> <Input mysql_error.log>     Module    im_file     File    "/opt/zimbra/log/mysql_error.log"     SavePos TRUE </Input> <Input mail.log>     Module    im_file     File    "/var/log/mail.log"     SavePos TRUE </Input> <Input zimbra.log>     Module im_file     File    "/var/log/zimbra.log"     SavePos TRUE </Input> <Input syslog>     Module im_file     File    "/var/log/syslog"     SavePos    TRUE </Input> <Input zimbra-stats.log>     Module im_file     File    "/var/log/zimbra-stats.log"     SavePos TRUE </Input> <Output out>     Module      om_udp     Host        10.10.90.45     Port        5407     Exec    to_syslog_snare(); </Output> <Output out2>     Module    om_udp     Host    10.10.90.45     Port    5413     OutputType    GELF </Output> ######################################## # Routes                               # ######################################## <Route 1>     Path        mailbox.log => out </Route> <Route 2>     Path    access_log => out </Route> <Route 3>     Path    audit.log => out </Route> <Route 4>     Path    clamd.log => out </Route> <Route 5>     Path    freshclam.log => out </Route> <Route 6>     Path    mysql_error.log => out </Route> <Route 7     Path    mail.log => out </Route> <Route 8>     Path    zimbra.log => out </Route> <Route 9>     Path    syslog => out2 </Route> <Route 10>     Path    zimbra-stats.log => out </Route>  

This should help:

Exec $ShortMessage = $raw_event;
Login to see more