ESXi

  • 1.  multiline syslog event error

    Posted Oct 29, 2009 08:30 AM

    Hi,

    I am using Syslog on ESXi. I am configuring ESXi to route events to Kiwi Syslog.

    When events are routed, a single event like the one below gets logged as three lines.

    Original Event:

    Message from ESXiEcosystem.ca.com: The Microsoft Windows XP product activation feature creates a key based on the virtual

    hardware in the virtual machine where it is installed. Changes in the virtual machine configuration may require you to

    reactivate the guest operating system. To minimize those changes, be sure to set the final memory size for the virtual

    machine and install VMware Tools before you activate Windows XP. For more information about Windows XP product activation

    and virtual machines see our Web site at "http://www.vmware.com/info?id=2".

    2009-10-29 11:55:53 Local4.Info 155.35.29.237 Oct 29 18:55:36 Hostd: 2009-10-29 18:55:36.507 17CA7B90 info 'ha-eventmgr' Event 73 : Message on winxp on ESXiEcosystem.ca.com in ha-datacenter: The Microsoft Windows XP product activation feature creates a key based on the virtual hardware in the

    2009-10-29 11:55:53 Local7.Debug 155.35.29.237 virtual machine where it is installed. Changes in the virtual machine configuration may require you to reactivate the guest operating system. To minimize those changes, be sure to set the final memory size for the virtual machine and install VMware Tools

    2009-10-29 11:55:53 Local7.Debug 155.35.29.237 before you activate Windows XP.<010>For more information about Windows XP product activation and virtual machines see our Web site at "http://www.vmware.com/info?id=2".

    Please let me know how these events can be routed as a single event.

    Thanks.



  • 2.  RE: multiline syslog event error

    Posted Oct 29, 2009 02:14 PM

    That is the job of the log server. It is very difficult sometimes to get a log server set up to capture a log stream correctly. Have a look through the KIWI docs to see what configuration settings you might have. You may need to choose another syslog server.



  • 3.  RE: multiline syslog event error

    Posted Oct 29, 2009 05:46 PM

    Hi,

    Thanks for your reply. I even tried with another syslog server. Events are getting logged the same way. Please let me know if any setting needs to be done at the ESXi or Linux syslog server that allows the server to log the whole message.

    Please clarify for me whether syslog can route multiple-line events.

    Thanks

    BalaKishore G



  • 4.  RE: multiline syslog event error

    Posted Oct 29, 2009 06:19 PM

    It depends on the syslog server to break up the message based on the format of the stream. Even though this looks like a big bunch of random text, there is a format to it. There are in fact fields. The time and date stamps are the first fields and the rest is separated by some other delimiter. You need a syslog server that allows you to configure how the stream is split. Look for something like RFC 3164 headers in the configuration.



  • 5.  RE: multiline syslog event error

    Posted Oct 29, 2009 06:26 PM

    RFC 3164 states that legal Syslog messages may not exceed 1024 bytes in length.

    That being said, it looks like your host is splitting things up into 255 byte chunks - you'd have to sniff the traffic to figure out if the syslog server or sender is doing the split.






    --Matt

    VCP, vExpert, Unix Geek
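
Added example (not part of the thread or any poster's reply): a Python post-processor that stitches split fragments back into one event on the collector side, using the pattern visible in the first post, where only the first fragment carries the `Oct 29 18:55:36 Hostd:` style header. The function name, the 2-second window, the sample lines and the reading of `<010>` as an embedded line feed are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Receiver display line as on this page: "date time Facility.Level source-ip message"
LINE = re.compile(r'^(\S+ \S+) (\w+\.\w+) (\S+) (.*)$')
# RFC 3164-style header opening a message: "Mmm dd hh:mm:ss TAG: "
HEADER = re.compile(r'^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+: ')

def reassemble(lines, max_gap=timedelta(seconds=2)):
    """Merge headerless fragments into the previous event from the same source."""
    events, open_event = [], {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not in the receiver's display format
        received = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        priority, source = m.group(2), m.group(3)
        # Assumption: "<010>" is the receiver's rendering of an embedded line feed.
        text = m.group(4).replace("<010>", " ")
        prev = open_event.get(source)
        # A header, a new source, or a late arrival starts a new event; the
        # time window keeps unrelated headerless lines from being merged.
        if (prev is None or HEADER.match(text)
                or received - prev["received"] > max_gap):
            prev = {"received": received, "source": source,
                    "priority": priority, "message": text, "fragments": 1}
            events.append(prev)
            open_event[source] = prev
        else:
            prev["message"] += " " + text
            prev["fragments"] += 1
    return events

# Constructed sample, shortened from the shape of the lines in the first post.
SAMPLE = [
    "2009-10-29 11:55:53 Local4.Info 192.0.2.10 Oct 29 18:55:36 Hostd: Event 73 : Message on winxp: activation creates a key based on the",
    "2009-10-29 11:55:53 Local7.Debug 192.0.2.10 virtual hardware. Changes may require you to",
    "2009-10-29 11:55:53 Local4.Info 192.0.2.20 Oct 29 18:55:37 Hostd: Event 9 : User root logged in",
    "2009-10-29 11:55:53 Local7.Debug 192.0.2.10 reactivate the guest.<010>See the vendor site.",
    "2009-10-29 11:59:00 Local7.Debug 192.0.2.10 stray headerless line, too late to be a fragment",
]

if __name__ == "__main__":
    for ev in reassemble(SAMPLE):
        print(ev["source"], ev["priority"], ev["fragments"], ev["message"])
```

Keeping the `fragments` count on each event lets an analyst see which records were stitched together and review them if a merge looks wrong.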



  • 6.  RE: multiline syslog event error

    Posted Oct 29, 2009 07:03 PM

    Thanks for your replies.



  • 7.  RE: multiline syslog event error

    Posted Oct 29, 2009 06:27 PM

    Something you should be thinking about here is the purpose of your logging. Not all events are worth logging and those can be filtered out. If you are looking for something in particular then see what to do to just capture those events. You can consider just capturing events of a particular level, say critical or error level events or . . . .