I am having a custom log file which i need to send to remote server with start and end tags.
My log file:
<exclusive-start
1
<exclusive-end
<exclusive-start
2
<exclusive-end
assdaddas
<exclusive-start
3
<exclusive-end
My rsyslog.conf file:
module(load = "imfile")
input(
type = "imfile"
file = "/opt/splunk/other/rsysloginput/gc-log.log"
Tag = "gclog"
addMetadata="on"
escapelf="off"
startmsg.regex="^<exclusive-start"
endmsg.regex="^<exclusive-end"
)
:programname, contains, "gclog" /opt/splunk/other/rsysloginput/gcfilteroutput.log
So in same server, my output log shows as below which is correct, each multiline message as single message:
Oct 11 11:43:40 lla10703 gclog <exclusive-start
1
<exclusive-end
Oct 11 11:44:40 lla10703 gclog <exclusive-start
2
<exclusive-end
assdaddas
Oct 11 11:44:40 lla10703 gclog <exclusive-start
3
<exclusive-end
Now the same code when forwarded to remote server as below:
*.* action(type="omfwd" target="11.245.4.12" port="10514" protocol="tcp"
action.resumeRetryCount="100"
queue.type="linkedList" queue.size="10000")
Then multiline message is splitting into single message for every line.
Oct 11 16:05:33 lla10703 gclog <exclusive-start#015
Oct 11 16:05:33 lla10701 rsyslogd: Framing Error in received TCP message: delimiter is not SP but has ASCII value 13. [v8.24.
Oct 11 16:05:35 lla10703.amberroad.com #012<exclusive-end#015#012<
Oct 11 16:05:00 lla10703.amberroad.com
Oct 11 16:05:35 lla10703 journal: No devices in use
Oct 11 16:05:35 lla10703.amberroad.com , exit
Kindly let me know how to overcome this issue?
