Looks like the device is doing something fundamentally wrong ;-) There is experimental support for "framing.delimiter.regex" param in imptcp, which probably gets you going. Doc:
https://www.rsyslog.com/doc/v8-stable/configuration/modules/imptcp.html The invalid programname is harder. mmnormalize could possibly do the trick, as well as some very unintuitive script sequences. It's probably best addressed by writing a custom parser (that's what they are for). Rainer El vie, 9 jul 2021 a las 18:26, Daniel Pocock via rsyslog (<[email protected]>) escribió: > > > I've configured a Polycom device to send Syslog events to rsyslog > > I tried both UDP and TCP > > There is an unrelated issue, Polycom devices use port 1468 for TCP so > rsyslog has to listen on that port. > > When the Polycom device sends a multi-line event, such as a copy of a > SIP message, it sends each line as a separate event. Example below. > > Can rsyslog combine all the lines into a single event before sending to > omelasticsearch? > > Another problem, for the example below, rsyslog sets programname = > "0709181702|sip". For this particular device, I think programname="sip" > would be correct. Is it possible to limit the programname field to use > characters after the "|" symbol? > > > 0709181702|sip |0|03|<<< Data received TLS > 0709181702|sip |0|03| SIP/2.0 480 Transport failure: no transports > left to try > 0709181702|sip |0|03| Via: SIP/2.0/TLS > 10.1.2.117:35098;branch=z9hG4bKbf166410B3A124A3;alias > _______________________________________________ > rsyslog mailing list > https://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
