#logstash

Hi, How are you all? Currently working with logstash with an input rabbitmq with a "codec => plain{charset => "ISO-8859-1"}" and an xml parse "xml { store_xml => false remove_namespaces => true source => "Message" xpath => [ "/TraceMessage/Message/text()", "msg_message", "/TraceMessage/ExceptionType/text()", "msg_exceptionType", "/TraceMessage/StackTrace/text()", "msg_stackTrace", "/TraceMessag

but it seems to be failing

any ideas?

after going through logstash it looks like this {"message":"\b?\u0010\u0010\u0018Ԋ\u0003\"•\u0005<?xml version=\"1.0\" encoding=\"utf-16\"?>\r\n<TraceMessage xmlns (message continues)

Hello, here is a snippet of my rsyslog filter, and the resulting json event. I am trying to figure out why "yum_cmd", "yum_pkg", and "message" are all recieving duplicate values.

Title: Paste #0cd - Apache Paste Bucket (at apaste.info)

My goal is to capture normal syslog traffic, and then if the event happens to be from the program yum, to index deeper

socket--: i find that GREEDYDATA anywhere but the end of a pattern usually screws me up. Not saying that's your cause, but it's the quick thing that jumps out at me.

socket--: what rastro said, plus there's backtracking which is horrible for performance

socket--: I'd try this: http://apaste.info/z8Z

Title: Paste #z8Z - Apache Paste Bucket (at apaste.info)

thanks, testing now

great, that works! Iv never heard of backtracking, im guessing thats when you overwrite message with a new message rather than giving it a unique field like content

I have a centralized rsyslog server. Its now also forwarding to logstash on localhost. Sysloghost is the correct hostname, but the host field is now 127.0.0.1 for all nodes. What is the best way to preserve the host ip from the origianl message?