1

I'm trying to use the xm_multiline module with nxlog to forward content of a logfile to logstash The log contains different xml elements which are properly indented (opening and closing elements are located at the start of the line) . E.g.

<data
    version="x"
    xmlns:bla="http://www.example.com/bla">
    <val:InfoSet>
      ...
        ...
          ...
    </val:InfoSet>
</data>

<message  ...>
    <ns>bla</ns>
    ...
        ...
</message>

It don't need to parse the xml in nxlog, just forward each top element (e.g. data or message) to logstash and will then do the xml parsing in logstash.

Because the elements have different names, I can only use < and </ to find the start and end line. I was hoping a filter like this should be enough to select the correct lines:

HeaderLine  /^</
EndLine     /^<//

But somehow nxlog gets confused with the / in the regex pattern for the EndLine and shows this in the log:

ERROR HeaderLine and Endline both match

I tried all sorts of quoting but never got the expected result. Any advice?

Update, I did more testing

Worked

HeaderLine  /^<m/
EndLine     /^</m/

HeaderLine  /^<m/
EndLine     /^<\/m/

HeaderLine  /^<[abcdefghijklm]/
EndLine     /^<\/[abcdefghijklm]/

HeaderLine  /^<[abcdefghijklmo]/
EndLine     /^<\/[abcdefghijklmo]/

HeaderLine  /^<[abcdefghijklmopqrstuvwxyz]/    (left out n)
EndLine     /^<\/[abcdefghijklmopqrstuvwxyz]/

HeaderLine  /^<[abcdefghijklmopqrstuvwxyz]/ (left out n + not escaped
EndLine     /^</[abcdefghijklmopqrstuvwxyz]/

Didn't work:

HeaderLine  /^</
EndLine     /^</m/

HeaderLine  /^<[a-z]/
EndLine     /^</m/

HeaderLine  /^<\w/
EndLine     /^</m/

HeaderLine  /^<[abcdefghijklmn]/
EndLine     /^<\/[abcdefghijklmn]/

HeaderLine  /^<[bcdefghijklmn]/
EndLine     /^<\/[bcdefghijklmn]/

HeaderLine  /^<[abcdefghijklmopqrstuvwxyzn]/  (n at the last position)
EndLine     /^<\/[abcdefghijklmopqrstuvwxyzn]/

HeaderLine  /^<[abcdefghijklmnopqrstuvwxyz]/
EndLine     /^</[abcdefghijklmnopqrstuvwxyz]/
pgs
  • 11
  • 2
  • That would be `/^<\//` – Tomalak Dec 11 '14 at 17:53
  • Thanks @Tomalak, I tried that but it didn't work. – pgs Dec 12 '14 at 12:01
  • Hm, that thing about the `n` is strange (and that not escaping the `/` actually seems to work is strange as well). What about `/<[a-z]/` and `/[a-z]/`? – Tomalak Dec 12 '14 at 14:02
  • tried that but then I get `ERROR HeaderLine and Endline both match`. Same result for `/<[a-z]/` and `/<\/[a-z]/` – pgs Dec 16 '14 at 13:35
  • This is starting to look like a bug in `xm_multiline`'s regex handling, especially when it comes to the backslash. As a work-around, you could try `/^<[a-zA-Z]/` and `/^<[^?a-zA-Z][a-zA-Z]/`, respectively. Since XML node names must start with a letter (I assume ASCII for the sake of simplicity) any `<` followed by "not a letter" and then "a letter" in a well-formed XML file must be a closing tag (I exclude question marks as well, as they introduce processing instructions ``). – Tomalak Dec 16 '14 at 14:57

0 Answers0