
Forwarding Windows events using NXLog to JSON format. The problem is that now and then, the JSON message becomes too large/long for the receiving system.

Is there a way to limit/truncate the JSON outputted from NXLog without breaking the JSON?

I have tried to work only on the $Message part, here trying to truncate it at 20 characters... but that doesn't work (infinite loop).

Exec $Message =~ s/^(.{1,20}).*$/$1/g;

Tessem

1 Answer


This is usually caused by $Message (or $raw_event) being too large like you said. Instead of a regexp I suggest using the substr() function to truncate the data:

Exec $Message = substr($Message, 0, 20);
b0ti
  • Thanks. So can I use the length of raw_event to know how much (little) to remove from message to lose least possible of a total JSON maximum length? – Tessem Sep 20 '17 at 12:20
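
An added example, not part of the original question, answer or comment: one way to combine substr() with the size of $raw_event so that only the excess is cut from $Message and the JSON is rebuilt afterwards. It assumes the xm_json extension is loaded and that size() and substr() count bytes; the MAXJSON value, the instance names and the im_msvistalog input are placeholders.

```nxlog
# Placeholder limit: set this to what the receiving system accepts (bytes).
define MAXJSON 8192

<Extension json>
    Module  xm_json
</Extension>

<Input eventlog>
    Module  im_msvistalog
    <Exec>
        # First pass: serialise the event fields to JSON in $raw_event.
        to_json();

        if size($raw_event) > %MAXJSON%
        {
            # size($raw_event) - MAXJSON is the number of bytes over the
            # limit. Cut that many bytes from the end of $Message, keeping
            # the start of the message.
            if size($Message) > size($raw_event) - %MAXJSON%
            {
                $Message = substr($Message, 0,
                    size($Message) - (size($raw_event) - %MAXJSON%));
            }
            else
            {
                # $Message alone cannot absorb the excess: empty it so the
                # remaining fields still go out as valid JSON.
                $Message = '';
            }

            # Second pass: rebuild the JSON from the shortened field, so
            # quoting and escaping stay intact.
            to_json();
        }
    </Exec>
</Input>
```

Because the cut is made on the field before serialisation, the output is always well-formed JSON, but a byte-offset cut can land inside a multi-byte UTF-8 character. If $Message is emptied and the event is still over the limit, another field is the large one and needs the same treatment.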