Open rolltidega opened 3 years ago
@car1eyr0sato - I think this one is for you. How have you seen WebSphere logs ingested into LogStream?
IBM MQ logs require event breaking that does not use traditional new line breakers in Syslog messages. If you are sending via TCP, you may be able to configure using the Raw TCP source to add a custom event breaker on ingest. If UDP is being used and the log is being chunked into multiple events, try enabling "single msg per udp" under Advanced Settings in the Syslog source.
Will add this information directly into the pack Readme as guidance for configuring!
With the new event breaker function coming out in the next version of LogStream, you can create a single message then add an event breaker in a pre-processing pipeline for this specific source while reusing the syslog source.
I am curious how you are pulling in the WebSphere logs from the IBM mainframe. Are you sending them via syslog or some other method? I assume you have something for testing and building this pack.
The WebSphere logs are the ones that I cannot get to come in properly with Cribl, so if there is a different method than syslog, I am very curious about how to source it.
Thanks!