File contents are tricky, since they're not always standard. Also they're too big to post. Suffice to say, they consist of a bunch of various system output, with one section being dedicated to system logs as I explained above, always following this format:
1/1/2015 12:34:56 <Log header> Log text.
inputs.conf is (plus one stanza seting SSL password, rootCA, serverCert):
[tcp://port#]
connection_host = dns
index = myindex
sourcetype = my-type
[tcp-ssl:sslport#]
index = myindex
sourcetype = my-type
I've masked these slightly. The sourcetype is unique to these inputs.
props.conf is (some of these files are really big -- 100,000+ lines)
[default]
TRUNCATE = 0
MAX_EVENTS = 150000
I'm not setting LINE_BREAKER or SHOULD_LINEMERGE. SHOULD_LINEMERGE defaults to true in the system/default/props.conf, of course.
... View more