Solved: Linebreaker for ESXi Logs

rfiscus · ‎02-18-2019

I am having problems getting the line breaking to work. The below events are showing as one event with the below set in my Props.conf file which is installed on the Indexers.

Feb 18 08:11:04 10.10.10.10 sshd[2910906]: Accepted keyboard-interactive/pam for user@domain from 10.10.10.10 port 54258 ssh2
Feb 18 08:11:04 10.10.10.10 sshd[2910906]: pam_unix(sshd:session): session opened for user user@domain by (uid=0)
Feb 18 08:11:04 10.10.10.10 sshd[2910906]: Session opened for 'user@domain' on /dev/char/pty/t0
Feb 18 08:11:04 10.10.10.10 shell[2910915]: Interactive shell session started
Feb 18 08:11:05 10.10.10.10 vmkernel: cpu39:2098112)NMP: nmp_ResetDeviceLogThrottling:3575: last error status from device mpx.vmhba32:C0:T0:L0 repeated 5 times

[VMware:ESXi]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 15
TZ = CT
KV_MODE = none
ANNOTATE_PUNCT = false
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\n]+)\w{3}\s.\w\s\w{2}:\w{2}:\w{2}
SHOULD_LINEMERGE = False
TRUNCATE = 750

Any idea why the line breaking is not working?

richgalloway · ‎02-18-2019

Are you sure the line separator is right? Try LINE_BREAKER = ([\r\n]+)\w{3}\s.\w\s\w{2}:\w{2}:\w{2}

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎02-18-2019

Are you sure the line separator is right? Try LINE_BREAKER = ([\r\n]+)\w{3}\s.\w\s\w{2}:\w{2}:\w{2}

---
If this reply helps you, Karma would be appreciated.

rfiscus · ‎02-19-2019

Looks like I was missing the \r for the carriage return, odd because it had been working for a long time, I wonder if VMware changed their log format in 6.5+ of ESXi. Anyhow, thanks for noticing that, works normal again.

Linebreaker for ESXi Logs

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases