Why $ShortMessage & Why truncation?
I'm using the OutputType GELF_TCP. My questions are:
1) Why does nxlog send the short_message field and not the message field?
2) Why is nxlog truncating the log content to 65 chars?
I can fix it by using the following Exec directive, but why is this needed in the first place?
Exec $ShortMessage = $raw_event;
Output Config
##########
<Output default_out>
    Module om_tcp
    Host 10.30.0.85
    Port 12203
    OutputType GELF_TCP
</Output>
Now, with this config, the event record I receive on the receiving end at 10.30.0.85 is the following:
{
    "version": "1.1",
    "_EventReceivedTime": "2018-08-03 16:08:08",
    "_SourceModuleName": "dnsDebug_in",
    "_SourceModuleType": "im_file",
    "host": "srvr2012",
    "short_message": "3/08/2018 4:07:12 PM 04C4 PACKET 00000039F019C100 UDP Rcv 10.30",
    "timestamp": 1533276488,
    "level": 6
}
- Why does nxlog send the short_message field and not the message field?
The GELF spec says that short_message MUST be set.
- Why is nxlog truncating the log content to 65 chars?
Because it must be short. :)
If the question is about not getting the whole event in your Graylog then I guess you might want to use either of the following:
Exec $FullMessage = $raw_event;
or
Exec $Message = $raw_event;
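
A receiving-side check for the situation in this thread, as an added example that is not part of the original posts or of NXLog: it splits a GELF TCP stream on the null-byte frame delimiter, verifies the fields GELF 1.1 requires, and flags records that arrive with only a short_message. The function names and the sample stream are constructed for illustration; the first frame reuses the record from the question.

```python
import json

# Fields that GELF 1.1 marks as mandatory.
REQUIRED = ("version", "host", "short_message")

def split_frames(stream: bytes):
    """GELF over TCP separates JSON messages with a null byte."""
    return [f for f in stream.split(b"\x00") if f.strip()]

def check_record(frame: bytes):
    """Return a list of findings for one frame; an empty list means OK."""
    try:
        rec = json.loads(frame.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        return [f"unparseable frame: {exc.__class__.__name__}"]
    if not isinstance(rec, dict):
        return ["not a JSON object"]
    findings = [f"missing required field {k}" for k in REQUIRED if not rec.get(k)]
    # A record with no full_message carries only the shortened text,
    # so the rest of the original log line never reached the collector.
    if rec.get("short_message") and not rec.get("full_message"):
        findings.append("only short_message present; full event text may be missing")
    return findings

def audit(stream: bytes):
    """Map frame index -> findings, for frames that have any."""
    report = {}
    for i, frame in enumerate(split_frames(stream)):
        findings = check_record(frame)
        if findings:
            report[i] = findings
    return report

# Constructed sample stream: frame 0 is the record shown in the question,
# frame 1 is a made-up record that includes full_message, frame 2 is cut off.
SAMPLE_STREAM = b"\x00".join([
    json.dumps({"version": "1.1", "host": "srvr2012", "level": 6,
                "short_message": "3/08/2018 4:07:12 PM 04C4 PACKET "
                                 "00000039F019C100 UDP Rcv 10.30",
                "timestamp": 1533276488}).encode(),
    json.dumps({"version": "1.1", "host": "srvr2012", "level": 6,
                "short_message": "constructed sample event",
                "full_message": "constructed sample event, complete line"}).encode(),
    b'{"version": "1.1", "host": "srvr2012", "short_mess',
]) + b"\x00"

if __name__ == "__main__":
    for index, findings in audit(SAMPLE_STREAM).items():
        print(index, findings)
```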