Hi folks,
I have a problem with the Splunk forwarder on my centralized rsyslog server, specifically with the maillog events: I have a few incomplete lines!
I know why but I don't know how to fix it.
A quick overview of my infrastructure: all Linux servers send logs to my rsyslog server using the syslog protocol. My configuration on the rsyslog server:
$DynaFileCacheSize 100
$EscapeControlCharactersOnReceive on
$template PerHostFacility,"/var/log/syslog/%fromhost%/%fromhost%-%$year%%$month%%$day%-%syslogfacility-text%.log"
*.* ?PerHostFacility
I can see the problem when I use the command tail -f on the log file: data is transmitted in blocks, but the last line is cut in half. The second half is sent with the next block of data.
$ tail -f /var/log/syslog/cpt-smtp03l-p/cpt-smtp03l-p.domaine.com-20170206-mail.log
[ ... OUTPUT... ]
Feb 6 14:44:19 cpt-smtp03l-p postfix/smtp[9188]: EBD7C601DB: to=<an_email_addr@consultantsbch.com>, relay=remote.groupecdl.ca[24.xx.xxx.74]:25, delay=2.9, delays=0.12/0/0.1
2/2.7, dsn=2.6.0, status=sent (250 2.6.0 <1567a59e-3f5f-4cc6-97f8-b772a7d087da@SERVEUR.cdl.local> Queued mail for delivery)
Feb 6 14:44:19 cpt-smtp03l-p postfix/smtp[9180]: 69F33601D8: to=<a_user_mail_adrr@consultantsbch[END OF FIRST RECEIVED].com>, relay=remote.groupecdl.ca[24.xx.xxx.74]:25, delay=3.4, delays=0.07/0/0.3/3.1, dsn=2.6.0, status=sent (250 2.6.0 <ae1861d1-43dc-491d-917e-9fb041d23dc8@SERVEUR.cdl.local> Queued mail for delivery)
So the line as it was written the first time:
- Feb 6 14:44:19 cpt-smtp03l-p postfix/smtp[9180]: 69F33601D8: to=, relay=remote.groupecdl.ca[24.xx.xxx.74]:25, delay=3.4, delays=0.07/0/0.3/3.1, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
but in Splunk I saw the incomplete line:
Here is my configuration for the input definition:
[monitor:///var/log/syslog]
blacklist = .*\.(tar|zip|gz)$
disabled = false
host_segment = 4
ignoreOlderThan = 2d
index = ti-mail
initCrcLength = 512
#sourcetype = smtp-log
sourcetype = postfix_syslog
#multiline_event_extra_waittime = true
whitelist = ^.*smtp.*mail\.log.*$
I tried many things like LINE_MERGE and LINE_BREAKER, but I'm actually lost; nothing worked. I don't need real-time file tracking, so if I can tell Splunk not to read the last "incomplete" line, that's good enough; it can read it the second time...
Do you have any idea? Do you need more data that I forgot to provide?
Thanks for your help
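The mechanism the post describes, as an added example that is not part of the original post and is not Splunk or rsyslog code: a writer appends the log in blocks and the block boundary falls in the middle of a line, so a reader that treats every chunk it reads as events sees the cut line as two fragments. The LineTailer below keeps a byte offset plus a carry buffer and only returns newline-terminated lines, which is the "don't read the incomplete last line, read it the second time" behaviour the post asks for. The sample log lines, the split point and the temporary file are constructed for the demonstration; the mail addresses and relay host are placeholders.

```python
"""Added example (not from the original post, Splunk or rsyslog): a file
tailer that only emits newline-terminated lines, so a line that has been
written only halfway stays buffered until the rest of it arrives."""
import os
import tempfile

# Constructed sample log lines in postfix/syslog style (placeholder addresses).
LINE_A = ("Feb  6 14:44:19 cpt-smtp03l-p postfix/smtp[9188]: EBD7C601DB: "
          "to=<user@example.com>, relay=mx.example.net[192.0.2.10]:25, "
          "delay=2.9, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)\n")
LINE_B = ("Feb  6 14:44:19 cpt-smtp03l-p postfix/smtp[9180]: 69F33601D8: "
          "to=<other@example.com>, relay=mx.example.net[192.0.2.10]:25, "
          "delay=3.4, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)\n")

# Simulate the writer flushing in blocks: the first block ends inside the
# recipient address of LINE_B, the second block carries the rest of it.
CUT = LINE_B.index("example")  # constructed split point inside "other@example.com"
BLOCKS = [LINE_A + LINE_B[:CUT], LINE_B[CUT:]]


def naive_reads(blocks):
    """What a reader sees if it turns every chunk into events as soon as it
    is read: the cut line becomes two fragments, neither a valid event."""
    events = []
    for block in blocks:
        events.extend(block.split("\n"))
    return [e for e in events if e]


class LineTailer:
    """Tails a file by byte offset and returns only complete lines.

    Whatever follows the last newline is kept in `carry` and prepended to
    the next read, so a half-written line is never emitted as an event."""

    def __init__(self, path):
        self.path = path
        self.offset = 0
        self.carry = b""

    def poll(self):
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            data = f.read()
        self.offset += len(data)
        buf = self.carry + data
        lines = buf.split(b"\n")
        # Last element is b"" if buf ended with a newline, else the partial tail.
        self.carry = lines.pop()
        return [line.decode("utf-8", "replace") for line in lines if line]


def tail_complete_lines(blocks):
    """Append the blocks one at a time to a temporary file and poll the tailer
    after each append. Returns (events seen per poll, leftover carry bytes)."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    tailer = LineTailer(path)
    per_poll = []
    try:
        for block in blocks:
            with open(path, "a") as f:
                f.write(block)
            per_poll.append(tailer.poll())
    finally:
        os.unlink(path)
    return per_poll, tailer.carry


if __name__ == "__main__":
    for event in naive_reads(BLOCKS):
        print("naive:", event[:60], "...")
    polls, carry = tail_complete_lines(BLOCKS)
    for i, events in enumerate(polls, 1):
        print(f"poll {i}: {len(events)} complete event(s)")
    print("leftover carry bytes:", len(carry))
```

With the constructed blocks the naive reader reports three events, the middle one being the fragment ending at the recipient address; the tailer reports one complete event per poll and finishes with an empty carry buffer. The same offset-plus-carry approach is what any file monitor needs if the writer does not guarantee that each flush ends on a line boundary.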