VMware Cloud Community
BalaKishore
Contributor

multiline syslog event error

Hi,

I am using Syslog ESXi. I am configuring ESXi to route events to Kiwi Syslog.

When events are routed, a single event like the one below gets logged as three lines.

Original Event:

Message from ESXiEcosystem.ca.com: The Microsoft Windows XP product activation feature creates a key based on the virtual

hardware in the virtual machine where it is installed. Changes in the virtual machine configuration may require you to

reactivate the guest operating system. To minimize those changes, be sure to set the final memory size for the virtual

machine and install VMware Tools before you activate Windows XP. For more information about Windows XP product activation

and virtual machines see our Web site at "http://www.vmware.com/info?id=2".

2009-10-29 11:55:53 Local4.Info 155.35.29.237 Oct 29 18:55:36 Hostd: 2009-10-29 18:55:36.507 17CA7B90 info 'ha-eventmgr' Event 73 : Message on winxp on ESXiEcosystem.ca.com in ha-datacenter: The Microsoft Windows XP product activation feature creates a key based on the virtual hardware in the

2009-10-29 11:55:53 Local7.Debug 155.35.29.237 virtual machine where it is installed. Changes in the virtual machine configuration may require you to reactivate the guest operating system. To minimize those changes, be sure to set the final memory size for the virtual machine and install VMware Tools

2009-10-29 11:55:53 Local7.Debug 155.35.29.237 before you activate Windows XP.<010>For more information about Windows XP product activation and virtual machines see our Web site at "http://www.vmware.com/info?id=2".

Please let me know how these events can be routed as a single event.

Thanks.

6 Replies
DSTAVERT
Immortal

That is the job of the log server. It is very difficult sometimes to get a log server set up to capture a log stream correctly. Have a look through the KIWI docs to see what configuration settings you might have. You may need to choose another syslog server.

-- David -- VMware Communities Moderator
BalaKishore
Contributor

Hi,

Thanks for your reply. I even tried with another syslog server. Events are getting logged the same way. Please let me know if any setting needs to be done at ESXi or the Linux syslog server that allows the server to log the whole message.

Please clarify whether syslog can route multiple-line events.

Thanks

BalaKishore G

DSTAVERT
Immortal

It depends on the syslog server to break up the message based on the format of the stream. Even though this looks like a big bunch of random text, there is a format to it. There are in fact fields. The time and date stamps are the first fields and the rest is separated by some other delimiter. You need a syslog server that allows you to configure how the stream is split. Look for something like RFC 3164 headers in the configuration.

-- David -- VMware Communities Moderator
mcowger
Immortal

RFC 3164 states that legal Syslog messages may not exceed 1024 bytes in length.

That being said, it looks like your host is splitting things up into 255 byte chunks - you'd have to sniff the traffic to figure out if the syslog server or sender is doing the split.

--Matt

VCP, vExpert, Unix Geek

--Matt VCDX #52 blog.cowger.us
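Added example, not part of the thread or from any poster: a post-processing sketch that rejoins the split lines in a server log written in the format shown in the first post, treating any line whose message lacks an RFC 3164 "Mmm dd hh:mm:ss" header as a fragment of the previous event from the same source. The names `reassemble` and `SAMPLE`, the 2-second window, joining fragments with a space, and reading `<010>` as the server's rendering of an embedded line feed are assumptions; the sample lines are constructed and abbreviated from the ones in the post.

```python
import re
from datetime import datetime, timedelta

# Server-side layout seen in the post: "date time Facility.Level source message"
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+\.\w+) (\S+) (.*)$")
# An RFC 3164 message starts with "Mmm dd hh:mm:ss"; fragments of a split message do not.
RFC3164_TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
MAX_GAP = timedelta(seconds=2)  # assumption: fragments of one event arrive together

def reassemble(lines):
    """Merge header-less continuation lines into the preceding event from the same source."""
    events, open_by_host = [], {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or a line in some other layout
        stamp, priority, host, msg = m.groups()
        received = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        msg = msg.replace("<010>", "\n")  # assumption: rendering of an embedded LF
        prev = open_by_host.get(host)
        is_fragment = (prev is not None and not RFC3164_TS.match(msg)
                       and received - prev["last_seen"] <= MAX_GAP)
        if is_fragment:
            # Assumption: the split fell on whitespace, as in the posted sample.
            prev["message"] += " " + msg
            prev["fragments"] += 1
            prev["last_seen"] = received
        else:
            # Header present, no earlier event, or too late to belong to it.
            event = {"received": stamp, "priority": priority, "host": host,
                     "message": msg, "fragments": 1, "last_seen": received}
            events.append(event)
            open_by_host[host] = event
    return events

# Constructed sample, abbreviated from the three lines in the first post.
SAMPLE = [
    "2009-10-29 11:55:53 Local4.Info 155.35.29.237 Oct 29 18:55:36 Hostd: Event 73 : "
    "Message on winxp: creates a key based on the",
    "2009-10-29 11:55:53 Local7.Debug 155.35.29.237 virtual machine where it is installed.",
    "2009-10-29 11:55:53 Local7.Debug 155.35.29.237 before you activate Windows XP."
    "<010>For more information see our Web site.",
    "2009-10-29 11:56:10 Local4.Info 155.35.29.237 Oct 29 18:55:50 Hostd: Event 74 : next event",
]

if __name__ == "__main__":
    for e in reassemble(SAMPLE):
        print(e["received"], e["priority"], e["host"], e["fragments"], repr(e["message"]))
```

The merged event keeps the facility and level of its first line, so the Local7.Debug values that appear on the header-less fragments do not leak into severity-based filtering.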
DSTAVERT
Immortal

Something you should be thinking about here is the purpose of your logging. Not all events are worth logging and those can be filtered out. If you are looking for something in particular then see what to do to just capture those events. You can consider just capturing events of a particular level, say critical or error level events or . . . .

-- David -- VMware Communities Moderator
BalaKishore
Contributor

Thanks for your replies.
