Log message in nagios dashboard

[uma K]

Hi,
I have passed Linux logs through rsyslog configuration.
But before my every message line, I have these details printing. I would like to remove this and print only the exact log message.

Below is the exact log message im looking for. Attached is the log message that I receive in Nagios dashboard

2018-12-12 12:18:31,243 ERROR [http-nio-8080-exec-1130] - [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] - AN Web Service Invocation Exception has been thrown, while invoking the web service
org.springframework.ws.soap.client.SoapFaultClientException: Internal Error
at org.springframework.ws.soap.client.core.SoapFaultMessageResolver.resolveFault(SoapFaultMessageResolver.java:37) ~[spring-ws-2.0.0.RELEASE-all.jar:2.0.0.RELEASE]
at org.springframework.ws.client.core.WebServiceTemplate.handleFault(WebServiceTemplate.java:733) ~[spring-ws-2.0.0.RELEASE-all.jar:2.0.0.RELEASE]
at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:559) ~[spring-ws-2.0.0.RELEASE-all.jar:2.0.0.RELEASE]
at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:496) ~[spring-ws-2.0.0.RELEASE-all.jar:2.0.0.RELEASE]
at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:343) ~[spring-ws-2.0.0.RELEASE-all.jar:2.0.0.RELEASE]

[mcapra]

Multi-line logs are a pain to deal with.

rsyslog is appending the pri and timestamp to each log line prior to shipping the message. There's ways to deal with that and they all assume a good understanding of both Logstash and rsyslog.

Here's a writeup I did over a year ago on the topic:
https://support.nagios.com/forum/viewto ... 36#p220200

You can probably ignore a lot of that and stick to just removing the pri+timestamp from your rsyslog message template, which is done as a proof-of-concept (eg it will not work with a simple copy+paste) here:

Code: Select all

$ModLoad imfile 
$InputFilePollInterval 10 
$PrivDropToGroup adm 
$WorkDirectory /var/lib/rsyslog 

# Input for Broadsoft_Audit_Log 
$InputFileName /var/log/broadsoft/AuditLog2017.02.04­16.10.16.txt 
$InputFileTag Broadsoft_Audit_Log
$InputFileStateFile nls­state­var_log_broadsoft_AuditLog2017.02.04­16.10.16.txt # Must be unique for each file being polled 
# Uncomment the folowing line to override the default severity for messages 
# from this file. 
#$InputFileSeverity info 
$InputFilePersistStateInterval 20000 
$InputRunFileMonitor 
$template clean,"%rawmsg%" 

# Forward to Nagios Log Server and then discard, otherwise these messages 
# will end up in the syslog file (/var/log/messages) unless there are other 
# overriding rules. 
if $programname == 'Broadsoft_Audit_Log' then @@192.168.67.4:2092;clean 
if $programname == 'Broadsoft_Audit_Log' then ~

The magic is in the clean template definition, which gets applied to the rsyslog remote server block (@@192.168.67.4:2092;clean). Note that your Logstash input rules will still need to have an appropriate multiline codec established, but it looks like you've already figured that part out.

[cdienger]

Thanks @mcapra!

This is also covered in a kb: https://support.nagios.com/kb/article/n ... g-727.html

[uma K]

Hi I have tried adding $template clean,"%rawmsg%" to my configuration.
But still the same.

Could you please help

[cdienger]

It will only apply to new data and old data will still have the display issue. It's also necessary to restart rsyslogd after making the configuration changes.

Configuration issues can be seen if you run the following:

rsyslogd -N 1

Please provide a copy of the rsyslog config if the above doesn't help resolve the issue.