So pulling data from a VMware VCSA directly into Graylog. The input is “Syslog TCP”, similar settings on the VCSA appliance. Logs are coming in fine; however, numerous ones are being fragmented into multiple broken events.
I’m pretty certain this is being caused by the “new entry on new line” code for Graylog, which I find odd since the Syslog TCP protocol (SyslogProtocol23Format) begins every new line with a <syslog ID>. I’ve validated this via Wireshark, where the single event was on a single line in Wireshark, but when copied out of it I can visibly see the line break. This shows up as a 0a in hex (linefeed character).
<14>1 2019-04-26T13:18:12.119920-05:00 XXXX vpxd 4670 - - Event  [1-1] [2019-04-26T18:18:12.119587Z] [vim.event.PermissionUpdatedEvent] [info] [VSPHERE.LOCAL\XXXX]   [Permission changed for 'XXXX' on 'Datacenters'. Role changed from 'Read-only' to role 'Administrator'. Propagate changed from 'Enabled' to 'Enabled'.]
The documents say that properly formatted rsyslog entries should work flawlessly on Graylog. Am I missing something here to prevent these entries from being cut up? Any easy answers out there that don’t involve a man in the middle? Can a pipe strip linefeeds before it reaches the stream?
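Added example, not part of the original post or of Graylog: a small Python model of the two TCP syslog framing methods from RFC 6587, run over a constructed message modelled on the VCSA event above (hostname and event text are placeholders). It shows why a message carrying an embedded LF fragments under newline framing, stays whole under octet-counting, and how a receiver can re-join fragments by checking for the RFC 5424 PRI header.

```python
import re

# RFC 5424 header: "<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID " ...
HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ")

def is_rfc5424_header(line):
    """True when the text starts with a well-formed RFC 5424 header."""
    return HEADER.match(line) is not None

def frame_newline(buf):
    """Non-transparent framing (RFC 6587 3.4.2): one message per LF-terminated
    line, i.e. what a 'new entry on new line' receiver does."""
    return [m for m in buf.split(b"\n") if m]

def frame_octet_count(buf):
    """Octet-counting framing (RFC 6587 3.4.1): 'MSG-LEN SP MSG', so an LF
    inside MSG is just payload and cannot split the message."""
    msgs, i = [], 0
    while i < len(buf):
        sp = buf.index(b" ", i)
        n = int(buf[i:sp])
        msgs.append(buf[sp + 1:sp + 1 + n])
        i = sp + 1 + n
    return msgs

def merge_fragments(msgs):
    """Receiver-side repair: a fragment with no PRI header belongs to the
    preceding message, so glue it back with the LF that split it."""
    out = []
    for m in msgs:
        if out and not is_rfc5424_header(m.decode(errors="replace")):
            out[-1] = out[-1] + b"\n" + m
        else:
            out.append(m)
    return out

# Constructed sample modelled on the VCSA event, with the 0x0a the post
# describes embedded in the MSG part, followed by a second clean event.
EVENT1 = (b"<14>1 2019-04-26T13:18:12.119920-05:00 vcsa vpxd 4670 - - Event [1-1] "
          b"[vim.event.PermissionUpdatedEvent] [info] [Permission changed for 'user' "
          b"on 'Datacenters'.\nRole changed from 'Read-only' to role 'Administrator'.]")
EVENT2 = b"<14>1 2019-04-26T13:18:13.000000-05:00 vcsa vpxd 4670 - - Event [2-1] [info] [second event]"

STREAM_NEWLINE = EVENT1 + b"\n" + EVENT2 + b"\n"
STREAM_OCTET = b"%d %s%d %s" % (len(EVENT1), EVENT1, len(EVENT2), EVENT2)
```

Under newline framing the stream yields three "events", the middle one lacking any PRI header; the octet-counted stream yields the two original messages, and merge_fragments() reconstructs them from the newline-framed output.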