xm_multiline module for Oracle alert.log on AIX System

#1 gfouere 7 years ago

Hello,

I would like to obtain information in alert.log multiple lines for an event but without success. Below, my configuration :

<Extension multiline>

Module xm_multiline

HeaderLine /^\w\w\w\s\w\w\w\s\d\d\s\d\d:\d\d:\d\d\s\d\d\d\d/

</Extension>

<Extension syslog>

Module xm_syslog

</Extension>

<Input aix_syslog>

        Module im_file

        File "/var/log/syslog.out*"

        Exec        to_syslog_bsd();

</Input>

<Input oracle_log_DBA102XX>

        Module      im_file

        InputType   multiline

        File        "/oradata/DBA102XX/admin/trace/bdump/alert_DBA102XX.log"

        Exec        to_syslog_bsd();

        Exec        $SourceName = "DBA102XX";

</Input>

<Output fluent_aix>

        Module om_udp

        Host 172.31.12.104

        Port 5139

</Output>

<Output fluent_oracle>

        Module om_udp

        Host 172.31.12.104

        Port 5127

</Output>

########################################

# Routes #

########################################

<Route 1>

Path aix_syslog => fluent_aix

</Route>

<Route 2>

Path oracle_log_DBA102XX => fluent_oracle

</Route>

Result Fluentd side :

7 Jun 2016 23:21:21     oracle.user.notice      {"host":"xmgpoc01","ident":"Tue","message":"21:21 DFT 2016"}

7 Jun 2016 23:21:21     oracle.user.notice      {"host":"xmgpoc01","ident":"Thread","message":"1 advanced to log sequence 66 (LGWR switch)"}

7 Jun 2016 23:21:21     oracle.user.notice      {"host":"xmgpoc01","ident":"","message":"/oradata/DBA102XX/oraredo01/LOG3A_DBA102XX.ORA"}

7 Jun 2016 23:21:21     oracle.user.notice      {"host":"xmgpoc01","ident":"","message":"/oradata/DBA102XX/oraredo02/LOG3B_DBA102XX.ORA"}

This line "Exec $SourceName = "DBA102XX";" doesn't works, i dont know why.

Thank you for your help.

Permalink

#2 adm Nxlog ✓ 7 years ago

#1 gfouere

Hello, I would like to obtain information in alert.log multiple lines for an event but without success. Below, my configuration : <Extension multiline> Module xm_multiline HeaderLine /^\w\w\w\s\w\w\w\s\d\d\s\d\d:\d\d:\d\d\s\d\d\d\d/ </Extension> <Extension syslog> Module xm_syslog </Extension> <Input aix_syslog> Module im_file File "/var/log/syslog.out*" Exec to_syslog_bsd(); </Input> <Input oracle_log_DBA102XX> Module im_file InputType multiline File "/oradata/DBA102XX/admin/trace/bdump/alert_DBA102XX.log" Exec to_syslog_bsd(); Exec $SourceName = "DBA102XX"; </Input> <Output fluent_aix> Module om_udp Host 172.31.12.104 Port 5139 </Output> <Output fluent_oracle> Module om_udp Host 172.31.12.104 Port 5127 </Output> ######################################## # Routes # ######################################## <Route 1> Path aix_syslog => fluent_aix </Route> <Route 2> Path oracle_log_DBA102XX => fluent_oracle </Route> Result Fluentd side : 7 Jun 2016 23:21:21 oracle.user.notice {"host":"xmgpoc01","ident":"Tue","message":"21:21 DFT 2016"} 7 Jun 2016 23:21:21 oracle.user.notice {"host":"xmgpoc01","ident":"Thread","message":"1 advanced to log sequence 66 (LGWR switch)"} 7 Jun 2016 23:21:21 oracle.user.notice {"host":"xmgpoc01","ident":"","message":"/oradata/DBA102XX/oraredo01/LOG3A_DBA102XX.ORA"} 7 Jun 2016 23:21:21 oracle.user.notice {"host":"xmgpoc01","ident":"","message":"/oradata/DBA102XX/oraredo02/LOG3B_DBA102XX.ORA"} This line "Exec $SourceName = "DBA102XX";" doesn't works, i dont know why. Thank you for your help.

        Exec        to_syslog_bsd();
        Exec        $SourceName = "DBA102XX";

In the above case setting $SourceName does not have any effect because the syslog conversion took place already so you need to do it in the reverse order by setting the field first:

        Exec        $SourceName = "DBA102XX";  to_syslog_bsd();

Regarding the multiline input you probably need to tune the regular expression specified in HeaderLine, without an input sample it's hard to tell what is wrong.