Mailing List Archive

handling multi-line events submitted line-by-line
I've configured a Polycom device to send Syslog events to rsyslog

I tried both UDP and TCP

There is an unrelated issue, Polycom devices use port 1468 for TCP so
rsyslog has to listen on that port.

When the Polycom device sends a multi-line event, such as a copy of a
SIP message, it sends each line as a separate event. Example below.

Can rsyslog combine all the lines into a single event before sending to
omelasticsearch?

Another problem, for the example below, rsyslog sets programname =
"0709181702|sip". For this particular device, I think programname="sip"
would be correct. Is it possible to limit the programname field to use
characters after the "|" symbol?


0709181702|sip |0|03|<<< Data received TLS
0709181702|sip |0|03| SIP/2.0 480 Transport failure: no transports left to try
0709181702|sip |0|03| Via: SIP/2.0/TLS 10.1.2.117:35098;branch=z9hG4bKbf166410B3A124A3;alias
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: handling multi-line events submitted line-by-line
Looks like the device is doing something fundamentally wrong ;-)

There is experimental support for "framing.delimiter.regex" param in
imptcp, which probably gets you going. Doc:

https://www.rsyslog.com/doc/v8-stable/configuration/modules/imptcp.html

The invalid programname is harder. mmnormalize could possibly do the
trick, as well as some very unintuitive script sequences. It's
probably best addressed by writing a custom parser (that's what they
are for).

Rainer

On Fri, 9 Jul 2021 at 18:26, Daniel Pocock via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
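The two suggestions in the reply (regex-based framing in imptcp to re-join the per-line events, and a script workaround for the mangled programname) can be put together in one rsyslog configuration. The fragment below is an added example, not Rainer's or the rsyslog project's own configuration, and it makes these assumptions: rsyslog 8.x with imptcp and omelasticsearch; the device sends plain (non-octet-counted) TCP syslog to port 1468; every line of a multi-line dump carries the same "ts|prog |n|nn|" prefix; and, as in the sample above, continuation lines have a space immediately after the last "|" while the first line of a dump does not. The ruleset name "polycom", the template name "polycom-es", the JSON field names and the Elasticsearch address are all made up for the example.

```conf
# Added example (not from the thread). Assumes rsyslog 8.x, imptcp, omelasticsearch.
module(load="imptcp")
module(load="omelasticsearch")

# Once lines are merged, the message contains real line feeds. By default rsyslog
# rewrites control characters on receive (LF becomes "#012"); turn that off so the
# JSON output below carries a proper "\n" instead.
global(parser.escapeControlCharactersOnReceive="off")

# Document sent to Elasticsearch. "program" comes from our own extraction ($!prog)
# rather than from the programname property the default parser guessed.
template(name="polycom-es" type="list" option.jsonf="on") {
    property(outname="@timestamp" name="timereported" dateFormat="rfc3339" format="jsonf")
    property(outname="host" name="hostname" format="jsonf")
    property(outname="program" name="$!prog" format="jsonf")
    property(outname="message" name="rawmsg-after-pri" format="jsonf")
}

ruleset(name="polycom") {
    # rawmsg-after-pri is the received line minus "<PRI>", so the default RFC3164
    # parser's reading of "0709181702|sip" as the tag does not matter here.
    # POSIX ERE: digits, "|", then the program name up to the next "|" or space.
    set $!prog = re_extract($rawmsg-after-pri, "^[0-9]+[|]([^| ]+) *[|]", 0, 1, "");
    action(type="omelasticsearch"
           server="127.0.0.1"          # assumed ES host/port for the example
           serverport="9200"
           searchIndex="polycom"
           template="polycom-es")
}

# Polycom talks TCP syslog on 1468 (from the original post). A received line that
# matches framing.delimiter.regex starts a new message; a line that does not match
# is appended to the message being assembled. The regex sees the raw line, so an
# optional <PRI> is allowed in front. A dump's first line has a non-space right
# after the fourth "|"; continuation lines have a space there and so do not match.
# The parameter is marked experimental; check the imptcp doc for your version.
input(type="imptcp"
      port="1468"
      ruleset="polycom"
      framing.delimiter.regex="^(<[0-9]+>)?[0-9]+[|][^| ]+ *[|][0-9]+[|][0-9]+[|][^ ]")
```

Check the syntax with `rsyslogd -N1 -f <file>` before loading it, then replay the three sample lines from the post over TCP (for example with `nc`) and confirm that a single document reaches Elasticsearch with `program` set to `sip`. Two caveats: the merge relies on TCP framing, so nothing equivalent is available for the UDP path the post also tried, and the regex only works for as long as the device keeps the "space after the last pipe" convention for continuation lines; a first line that happens to start with a space would be glued to the previous event.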