我有一个自定义日志文件,需要将其连同开始和结束标签一起发送到远程服务器。
我的日志文件:
<exclusive-start
1
<exclusive-end
<exclusive-start
2
<exclusive-end
assdaddas
<exclusive-start
3
<exclusive-end
我的 rsyslog.conf 文件:
module(load = "imfile")
input(
type = "imfile"
file = "/opt/splunk/other/rsysloginput/gc-log.log"
Tag = "gclog"
addMetadata="on"
escapelf="off"
startmsg.regex="^<exclusive-start"
endmsg.regex="^<exclusive-end"
)
:programname, contains, "gclog" /opt/splunk/other/rsysloginput/gcfilteroutput.log
因此,在同一台服务器中,我的输出日志显示如下,这是正确的,每条多行消息作为单条消息:
Oct 11 11:43:40 lla10703 gclog <exclusive-start
1
<exclusive-end
Oct 11 11:44:40 lla10703 gclog <exclusive-start
2
<exclusive-end
assdaddas
Oct 11 11:44:40 lla10703 gclog <exclusive-start
3
<exclusive-end
现在转发到远程服务器时相同的代码如下:
*.* action(type="omfwd" target="11.245.4.12" port="10514" protocol="tcp"
action.resumeRetryCount="100"
queue.type="linkedList" queue.size="10000")
然后将多行消息拆分成每行一条消息。
Oct 11 16:05:33 lla10703 gclog <exclusive-start#015
Oct 11 16:05:33 lla10701 rsyslogd: Framing Error in received TCP message: delimiter is not SP but has ASCII value 13. [v8.24.
Oct 11 16:05:35 lla10703.amberroad.com #012<exclusive-end#015#012<
Oct 11 16:05:00 lla10703.amberroad.com
Oct 11 16:05:35 lla10703 journal: No devices in use
Oct 11 16:05:35 lla10703.amberroad.com , exit
请告诉我如何解决这个问题?