Pipeline rule to split log messages into key-value fields not working

Wrong.

The non-optional parsing inside of the syslog input will overwrite $message.message when it sees that input. When Extractors and Pipelines get a chance to run, $message.message will be equal to "none\". Try it.

Here is an input that triggers this fortigate key_value parsing inside of syslog input:

<185>date=2022-09-01 time=12:34:56 devname="Fortigate" timestamp=1234567890 user="Hello\" message=none " group="N/A"

I sent this via netcat to a syslog TCP input and confirmed that this really overwrites $message.message.
PS: This example uses newline framing for simplicity. Real messages are longer and length-prefixed.
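As an added illustration of the failure class described above (written for this thread, not the original post's or Graylog's code): a simplified key=value tokenizer that lets payload-supplied keys overwrite the event's own `message` field, beside a hardened variant that keeps reserved fields and stores clashing payload keys under a prefix. The tokenizer regex, the `RESERVED` set and the `fortigate_` prefix are assumptions, and the toy parser does not reproduce the exact `none\"` value the post reports.

```python
import re
from typing import Dict

# Constructed sample: the Fortigate-style line quoted in the thread,
# including the syslog PRI (<185>) and the user value ending in a backslash.
SAMPLE = ('<185>date=2022-09-01 time=12:34:56 devname="Fortigate" '
          'timestamp=1234567890 user="Hello\\" message=none " group="N/A"')

# Simplified key=value tokenizer (illustrative, not Graylog's): a value is
# either a double-quoted run with no escape handling, or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^\s"]+)')

# Event fields the ingest pipeline owns; a log source must not set them.
RESERVED = {"message", "source", "timestamp"}


def parse_kv(body: str) -> Dict[str, str]:
    """Return the key/value pairs found in body, with surrounding quotes removed."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def ingest_naive(raw: str) -> Dict[str, str]:
    """Parsed pairs are merged straight into the event, so payload keys win.

    With SAMPLE, the payload's own `message=none` clobbers the original text.
    """
    event = {"message": raw}
    event.update(parse_kv(raw))
    return event


def ingest_hardened(raw: str) -> Dict[str, str]:
    """Reserved fields are preserved; clashing payload keys get a prefix.

    The original message survives for later extractors and pipeline rules,
    and the source's `message`/`timestamp` values are still kept, renamed.
    """
    event = {"message": raw}
    for k, v in parse_kv(raw).items():
        event[f"fortigate_{k}" if k in RESERVED else k] = v
    return event


if __name__ == "__main__":
    print("naive    message:", ingest_naive(SAMPLE)["message"])
    print("hardened message:", ingest_hardened(SAMPLE)["message"])
```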
