Fluentd expects the following format, per Fluentd's website:
expression /\A^\<(?<pri>[0-9]{1,3})\>[1-9]\d{0,2} (?<time>[^ ]+) (?<host>[^ ]+) (?<ident>[^ ]+) (?<pid>[-0-9]+) (?<msgid>[^ ]+) (?<extradata>(\[(.*)\]|[^ ])) (?<message>.+)$\z/
time_format "%Y-%m-%dT%H:%M:%S.%L%z"
The problem is that brackets ( [ ] ) exist in the extradata part, which can cause issues with log formatting.
The following template solves the issue of the malformed message:
template('1 $ISODATE $HOST $PROGRAM $PID $MSGID $SDATA \"${MSG}\"\n')
Wrapping ${MSG} in an additional pair of double quotation marks resolves the issue.
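As an added illustration (not from the original article and not Fluentd's own code), this Ruby sketch applies the expression above, with capture-group names as in Fluentd's documented rfc5424 pattern, to two constructed lines and flags the case where the greedy extradata group absorbs bracketed message text. The sample lines, the `parse` helper and the `WELL_FORMED_SD` check are assumptions made for this example.

```ruby
# Added example: the expression, with group names as in Fluentd's rfc5424 pattern.
RFC5424 = /\A^\<(?<pri>[0-9]{1,3})\>[1-9]\d{0,2} (?<time>[^ ]+) (?<host>[^ ]+) (?<ident>[^ ]+) (?<pid>[-0-9]+) (?<msgid>[^ ]+) (?<extradata>(\[(.*)\]|[^ ])) (?<message>.+)$\z/

# Hypothetical strict check for the captured extradata:
# either "-" or one or more [sd-id name="value" ...] elements.
SD_ELEMENT = /\[[^ =\]"]+(?: [^ =\]"]+="(?:\\.|[^"\\\]])*")*\]/
WELL_FORMED_SD = /\A(?:-|(?:#{SD_ELEMENT})+)\z/

# Constructed sample lines (not real logs).
CLEAN    = '<13>1 2024-01-15T10:00:00.000+00:00 host1 app 4321 ID47 [meta@32473 seq="1"] user login ok'
BRACKETS = '<13>1 2024-01-15T10:00:00.000+00:00 host1 app 4321 ID47 [meta@32473 seq="1"] worker [3] restarted'

# Split a line with the expression and record whether the extradata
# capture still looks like structured data. Returns nil if the line does not match.
def parse(line)
  m = RFC5424.match(line)
  return nil unless m
  fields = m.named_captures
  fields["extradata_ok"] = WELL_FORMED_SD.match?(fields["extradata"])
  fields
end

if __FILE__ == $0
  [CLEAN, BRACKETS].each do |line|
    f = parse(line)
    puts "extradata=#{f['extradata'].inspect} message=#{f['message'].inspect} ok=#{f['extradata_ok']}"
  end
end
```

In the second line the greedy `(.*)` runs to the last `]` that is followed by a space, so part of the message ends up in `extradata` and the check reports it as malformed.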