Missing Log Entry because of malformed date

Hi,

we have some devices sending messages like this
<190>2019-06-03,17:07:12 [tssh2c_0]hostname: SSH-6-SESSION_LESS:15 the number of Session 1 Channel id 0 in use is not more then zero.
These Messages show on Raw Text Input but not on Syslog Inputs. Maybe this is a problem with date format? Especially with the comma between date and time?
Is there any way to resolve this without Raw Text Input?

Kind regards
Manuel

@mritter

The Syslog Input needs valid Syslog messages - that includes a proper date format. As you already found, having a comma between date and time isn’t proper syslog, so the RAW Input is your only hope, unless you can fix the source to send valid date formats.

@jan
Thanks for your reply. I was afraid it would be so; I only hoped that there was a chance to modify incoming messages before they were parsed.
Another question. Is there a way to parse RAW Messages as Syslog? For example, change the Input to RAW and via Rules:
if malformed -> manual parsing
else -> parse as syslog

Kind regards
Manuel

@mritter

I personally would create a RAW input and work with the processing pipelines. That gives you a wide range of options.

Thanks for your advice,

after reading the docs a bit more, I found a function to parse facility and loglevel (expand-syslog-priority); this was the part I did not know how to do manually.

Now everything works fine.

Kind regards
Manuel
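
The "if malformed -> manual parsing, else -> parse as syslog" branching and the facility/loglevel decoding discussed in this thread, as an added example that is not part of the original posts and is not Graylog code. It is plain Python standing in for the pipeline logic; the function names, the `route` field and the second sample line are assumptions made for illustration.

```python
import re
from datetime import datetime

# Facility names indexed by facility code (RFC 5424, section 6.2.1).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# The non-standard "YYYY-MM-DD,HH:MM:SS" timestamp from the thread's sample.
COMMA_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}),(\d{2}:\d{2}:\d{2})\s+(.*)$",
                         re.DOTALL)

# Sample line quoted in the first post of the thread.
SAMPLE = ("<190>2019-06-03,17:07:12 [tssh2c_0]hostname: SSH-6-SESSION_LESS:15 "
          "the number of Session 1 Channel id 0 in use is not more then zero.")


def expand_priority(pri):
    """Split a syslog PRI value: PRI = facility * 8 + severity."""
    return {"facility": FACILITIES[pri >> 3], "level": pri & 7}


def parse_raw(line):
    """Route one raw line: 'manual', 'syslog' or 'unparsed' (hypothetical names)."""
    m = PRI_RE.match(line)
    if m is None or int(m.group(1)) > 191:
        # No usable <PRI> header: keep the line untouched instead of dropping it.
        return {"route": "unparsed", "message": line}
    fields = expand_priority(int(m.group(1)))
    ts = COMMA_TS_RE.match(m.group(2))
    if ts is None:
        # Not the comma form: hand the remainder to the regular syslog parser.
        fields.update(route="syslog", message=m.group(2))
        return fields
    try:
        when = datetime.strptime(f"{ts.group(1)} {ts.group(2)}",
                                 "%Y-%m-%d %H:%M:%S")
    except ValueError:
        # Right shape but impossible date (e.g. month 13).
        return {"route": "unparsed", "message": line}
    # The device sends no time zone, so the timestamp stays naive here.
    fields.update(route="manual", timestamp=when.isoformat(),
                  message=ts.group(3))
    return fields


if __name__ == "__main__":
    print(parse_raw(SAMPLE))
```

Lines that match neither branch are kept with `route` set to `unparsed` rather than discarded, so a device with a broken header still leaves a record.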
