
Hello. I have a question.

I get multiline messages

How can I combine a multiline message into a single line?

For example, this message. This message has 4 lines:

Jul 21 17:59:10 <14> 1 2016-07-04T00: 53: 02.000000 + 03: 00 node = sec-sflow type = SYSCALL msg = audit (1467579182.055: 3248181): arch = 111
2 syscall = success = yes exit = 4 a0 = 7fc7783127a8 a1 = 2 a2 = a3 = 0 8 items = 1 ppid = 11013 pid = 30363 auid = 0 0 uid = gid = 0 = 0 euid
suid = 0 fsuid = 0 = 0 egid sgid = 0 = 0 fsgid tty = (none) ses = 28 comm = "sshd"
exe = "/ usr / sbin / sshd" key = "root_action"

Thanks!

Asked January 25, 2017 - 12:39pm

Answer (1)

It would probably be best to configure your syslog daemon to remove linebreaks when it writes the file.

Otherwise I suggest reading the fine manual about xm_multiline; there are a couple of examples there as well.

Comments (3)

  • toreno93

    Sure, but I need to use multiline. My nxlog.conf:

    <Extension multiline>
        Module      xm_multiline
        # Header regex corrected: the seconds field is \d+ and is followed by
        # whitespace, not a colon, so it matches "Jul 21 17:59:10 <14>".
        # The originally posted /^\w+\s+\d+\s+\d+:\d+:\d:\s+<\d+>/ matches no line.
        HeaderLine  /^\w+\s+\d+\s+\d+:\d+:\d+\s+<\d+>/
    </Extension>

    <Input in>
        Module      im_file
        File        "/tmp/nxlog/multiline.txt"
        # Read the file from the beginning and do not persist the read position,
        # so the same test file is re-read on every start.
        ReadFromLast FALSE
        SavePos     FALSE
        # Hand each record to the xm_multiline instance defined above.
        InputType   multiline
    </Input>

    Input message:

    Jul 21 17:59:10 <14> 1 2016-07-04T00: 53: 02.000000 + 03: 00 node = sec-sflow type = SYSCALL msg = audit (1467579182.055: 3248181): arch = 111
    2 syscall = success = yes exit = 4 a0 = 7fc7783127a8 a1 = 2 a2 = a3 = 0 8 items = 1 ppid = 11013 pid = 30363 auid = 0 0 uid = gid = 0 = 0 euid
    suid = 0 fsuid = 0 = 0 egid sgid = 0 = 0 fsgid tty = (none) ses = 28 comm = "sshd"
    exe = "/ usr / sbin / sshd" key = "root_action"

    Output Message:

    Jul 21 17:59:10 <14> 1 2016-07-04T00: 53: 02.000000 + 03: 00 node = sec-sflow type = SYSCALL msg = audit (1467579182.055: 3248181): arch = 111
    2 syscall = success = yes exit = 4 a0 = 7fc7783127a8 a1 = 2 a2 = a3 = 0 8 items = 1 ppid = 11013 pid = 30363 auid = 0 0 uid = gid = 0 = 0 euid
    suid = 0 fsuid = 0 = 0 egid sgid = 0 = 0 fsgid tty = (none) ses = 28 comm = "sshd"
    exe = "/ usr / sbin / sshd" key = "root_action"


    No difference!!

    Please tell me how I solve this problem?

    I need to get the message in a single line.

  • b0ti (NXLog)

    Internally it becomes one event record when xm_multiline processes it, but when you write it out into a file it will look the same unless you remove the linebreaks, e.g. with this:

    Exec $raw_event = replace($raw_event, "\n", " ");
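As an added example, not part of this thread or of NXLog itself, here is a small Python model of what the two steps above do: group lines into records using the HeaderLine regex, then fold the continuation lines with a space the way the replace() call does. The sample input is constructed from the thread's lines, and the function names are my own.

```python
import re

# Header regex exactly as posted in the thread. It never matches the sample:
# the seconds field is written "\d:" and the sample has "HH:MM:SS <PRI>", with
# whitespace (not a colon) after the seconds.
HEADER_AS_POSTED = re.compile(r"^\w+\s+\d+\s+\d+:\d+:\d:\s+<\d+>")
# Corrected header regex: multi-digit seconds, then whitespace and <PRI>.
HEADER_FIXED = re.compile(r"^\w+\s+\d+\s+\d+:\d+:\d+\s+<\d+>")

# Constructed sample: the 4-line event from the thread (whitespace tidied),
# followed by a made-up second event so that the record boundary is exercised.
SAMPLE = """Jul 21 17:59:10 <14> 1 2016-07-04T00:53:02.000000+03:00 node=sec-sflow type=SYSCALL msg=audit(1467579182.055:3248181): arch=111
2 syscall= success=yes exit=4 a0=7fc7783127a8 a1=2 items=1 ppid=11013 pid=30363 auid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=28 comm="sshd"
exe="/usr/sbin/sshd" key="root_action"
Jul 21 17:59:11 <14> 1 2016-07-04T00:53:03.000000+03:00 node=sec-sflow type=EOE msg=audit(1467579183.000:3248182):
"""


def count_header_matches(text: str, header: re.Pattern) -> int:
    """Number of input lines the HeaderLine regex recognises.
    0 means xm_multiline would never see a record boundary at all."""
    return sum(1 for line in text.splitlines() if header.match(line))


def join_multiline(text: str, header: re.Pattern = HEADER_FIXED, sep: str = " ") -> list:
    """Group lines into records: a line matching `header` opens a new record,
    every other line is appended to the current one. Continuation lines are
    joined with `sep`, mirroring  Exec $raw_event = replace($raw_event, "\\n", " ");
    A leading non-header line (junk before the first header) starts its own record."""
    records = []
    for line in text.splitlines():
        if header.match(line) or not records:
            records.append(line)            # header line opens a new record
        else:
            records[-1] += sep + line       # continuation line folded into it
    return records


if __name__ == "__main__":
    print("header lines seen with posted regex:", count_header_matches(SAMPLE, HEADER_AS_POSTED))
    print("header lines seen with fixed regex: ", count_header_matches(SAMPLE, HEADER_FIXED))
    for rec in join_multiline(SAMPLE):
        print(rec)
```

Run it as-is to see that the posted regex recognises no header at all, while the corrected one yields two single-line records.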