You rock!!!
time_before_close was a "good" workaround, but at 300 seconds it's a little bit heavy 😛.
I changed my rsyslog configuration: I switched ActionFileEnableSync to off. Now the log file is OK, lines are complete when rsyslog writes the file.
THANKS a lot for your help!!!
First, thanks for your answer.
Yesterday I found the option time_before_close. I tried:
60 seconds: same errors
120 seconds: same errors, less often
300 seconds: well, that's not cool, but I don't need real-time logs for now.
But I agree with you, I'm pretty sure the problem must be with rsyslog. See my configuration below:
$ cat rsyslog.conf | grep -v ^# | grep -v ^$
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
And include files :
$ cat listen.conf | grep -v ^# | grep -v ^$
I tried to keep it simple, but maybe I missed something.
Thanks again for your HELP 😄
I have a problem with the Splunk forwarder on my centralized rsyslog server; specifically, it's with the maillog events: I have a few incomplete lines!
I know why, but I don't know how to fix it.
A quick overview of my infrastructure: all Linux servers send logs to my rsyslog server using the syslog protocol. My configuration on the rsyslog server:
I can see the problem when I use tail -f on the log file: data is transmitted in blocks, but the last line is cut in half. The second half is sent with the next block of data.
$ tail -f /var/log/syslog/cpt-smtp03l-p/cpt-smtp03l-p.domaine.com-20170206-mail.log
[ ... OUTPUT... ]
Feb 6 14:44:19 cpt-smtp03l-p postfix/smtp: EBD7C601DB: to=<email@example.com>, relay=remote.groupecdl.ca[24.xx.xxx.74]:25, delay=2.9, delays=0.12/0/0.1
2/2.7, dsn=2.6.0, status=sent (250 2.6.0 <1567a59e-3f5f-4cc6-97f8-b772a7d087da@SERVEUR.cdl.local> Queued mail for delivery)
Feb 6 14:44:19 cpt-smtp03l-p postfix/smtp: 69F33601D8: to=<a_user_mail_adrr@consultantsbch[END OF FIRST RECEIVED].com>, relay=remote.groupecdl.ca[24.xx.xxx.74]:25, delay=3.4, delays=0.07/0/0.3/3.1, dsn=2.6.0, status=sent (250 2.6.0 <ae1861d1-43dc-491d-917e-9fb041d23dc8@SERVEUR.cdl.local> Queued mail for delivery)
So the line as it was written the first time:
- Feb 6 14:44:19 cpt-smtp03l-p postfix/smtp: 69F33601D8: to=, relay=remote.groupecdl.ca[24.xx.xxx.74]:25, delay=3.4, delays=0.07/0/0.3/3.1, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
but in Splunk I saw the incomplete line:
Here is my configuration for the input definition:
blacklist = .*\.(tar|zip|gz)$
disabled = false
host_segment = 4
ignoreOlderThan = 2d
index = ti-mail
initCrcLength = 512
#sourcetype = smtp-log
sourcetype = postfix_syslog
#multiline_event_extra_waittime = true
whitelist = ^.*smtp.*mail\.log.*$
I tried many things like LINE_MERGE and LINE_BREAKER, but I'm actually lost; nothing worked. I don't need real-time file tracking, so if I can tell Splunk not to read the last "incomplete" line, it's good enough; it can read it the second time ...
Do you have any idea? Do you need more data I forgot to provide?
Thanks for your help
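The behaviour described in this thread, as an added example that is not part of the original posts or of Splunk or rsyslog: a writer lands a log file on disk in fixed-size synced blocks (so a block boundary can fall in the middle of a line, exactly like the postfix line above), and two readers poll the file after each block. The naive reader treats whatever bytes it has as events and emits a truncated line followed by an orphaned tail, which is what showed up in Splunk; the second reader holds the trailing fragment back until its newline arrives. The two syslog lines, the 100-byte block size and the names `write_block`, `naive_read`, `CompleteLineReader` and `simulate` are all constructed for this example.

```python
import os
import tempfile

# Constructed sample events (not from the thread; shaped like the postfix lines in it).
SAMPLE_LINES = [
    "Feb 6 14:44:19 cpt-smtp03l-p postfix/smtp: EBD7C601DB: to=<user@example.com>, status=sent\n",
    "Feb 6 14:44:19 cpt-smtp03l-p postfix/smtp: 69F33601D8: to=<other@example.com>, status=sent\n",
]
# Bytes per write; chosen so that the block boundary does not line up with a newline.
BLOCK_SIZE = 100


def write_block(path, data):
    """Append one block and sync it, the way a writer with file sync enabled
    puts a partial line on disk before the rest of the line exists."""
    with open(path, "ab") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())


def naive_read(path, offset):
    """Read everything past offset and split on newlines, treating the last
    fragment as an event too. Returns (events, new_offset)."""
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    events = [line.decode() for line in data.splitlines()]
    return events, offset + len(data)


class CompleteLineReader:
    """Reader that only emits newline-terminated lines and keeps any trailing
    fragment in a buffer until the next poll completes it."""

    def __init__(self, path):
        self.path = path
        self.offset = 0
        self.partial = b""

    def poll(self):
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            data = f.read()
        self.offset += len(data)
        buf = self.partial + data
        # split() leaves the unterminated tail (possibly b"") as the last element
        *complete, self.partial = buf.split(b"\n")
        return [line.decode() for line in complete]


def simulate(block_size=BLOCK_SIZE):
    """Write the sample in blocks, polling both readers after each block.
    Returns (naive_polls, buffered_polls), one list of events per poll."""
    payload = "".join(SAMPLE_LINES).encode()
    naive_offset = 0
    naive_polls, buffered_polls = [], []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mail.log")
        reader = CompleteLineReader(path)
        for start in range(0, len(payload), block_size):
            write_block(path, payload[start:start + block_size])
            events, naive_offset = naive_read(path, naive_offset)
            naive_polls.append(events)
            buffered_polls.append(reader.poll())
    return naive_polls, buffered_polls


if __name__ == "__main__":
    naive, buffered = simulate()
    for i, (n, b) in enumerate(zip(naive, buffered), 1):
        print(f"poll {i}: naive={n}")
        print(f"poll {i}: buffered={b}")
```

With the sample above, the first 100-byte block contains the whole first line plus the first ten bytes of the second, so the naive reader reports `"Feb 6 14:4"` as an event and then `"4:19 cpt-smtp03l-p ..."` on the next poll, while the buffered reader reports one complete line per poll. The two fixes discussed in the thread attack the same gap from either side: `time_before_close` makes the forwarder wait longer before it treats the current tail as final, and turning `ActionFileEnableSync` off stops rsyslog from pushing half-written lines to disk in the first place.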