rsyslog: how to fix the no-line-break issue when receiving CyberArk PAS logs
Issue
- When rsyslog processes logs received from CyberArk PAS 3rd party software, rsyslog concatenates the logs:

  May 27 12:27:43 cyberark-system [...]msg=<5>1 2020-05-27T10:26:03Z CYBERARK-SYSTEM CEF:0|Cyber-Ark|Vault|11.1.0000|99|Open File|5|act=Open File suser=XXX fname=[...]

In the example above, the first message should end with its msg= field, but the next message is concatenated to it instead of being processed as a new syslog message, hence the 1 2020... text is appended.
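
One way to find stored lines affected by this concatenation, as an added example that is not part of the Red Hat article. It assumes the glued-on message begins with an RFC 5424 style header (`<PRI>1` followed by an ISO timestamp), as in the sample above; the function names and the sample lines are constructed for illustration.

```python
import re

# Start of an RFC 5424 style header: "<PRI>1 " followed by an ISO 8601
# timestamp, e.g. "<5>1 2020-05-27T10:26:03Z". Seeing it inside a stored line
# means a second message was glued onto the first instead of starting a record.
EMBEDDED_HEADER = re.compile(r"<(\d{1,3})>1 (?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")


def split_concatenated(line):
    """Split one stored line into the messages it contains."""
    # PRI = facility * 8 + severity, so only 0..191 is a valid value.
    starts = [m.start() for m in EMBEDDED_HEADER.finditer(line)
              if int(m.group(1)) <= 191]
    if not starts:
        return [line]
    # Text before the first embedded header is the message rsyslog did parse.
    pieces = [line[:starts[0]]] if starts[0] > 0 else []
    for begin, end in zip(starts, starts[1:] + [len(line)]):
        pieces.append(line[begin:end])
    return pieces


def find_concatenated(lines):
    """Return (line_number, message_count) for lines holding more than one message."""
    hits = []
    for number, line in enumerate(lines, start=1):
        count = len(split_concatenated(line.rstrip("\n")))
        if count > 1:
            hits.append((number, count))
    return hits


# Constructed sample lines (hypothetical users and file name), shaped like the
# record shown in the Issue section.
SAMPLE = [
    "May 27 12:27:43 cyberark-system CEF:0|Cyber-Ark|Vault|11.1.0000|7|Logon|5|"
    "act=Logon suser=alice msg=<5>1 2020-05-27T10:26:03Z CYBERARK-SYSTEM "
    "CEF:0|Cyber-Ark|Vault|11.1.0000|99|Open File|5|act=Open File suser=alice "
    "fname=example.txt msg=",
    "May 27 12:28:01 cyberark-system CEF:0|Cyber-Ark|Vault|11.1.0000|7|Logon|5|"
    "act=Logon suser=bob msg=",
]

if __name__ == "__main__":
    for number, count in find_concatenated(SAMPLE):
        print(f"line {number}: {count} messages stored as one record")
```

Each hit is a record in which at least one vault event was not indexed as its own syslog message, so downstream searches and alerts keyed on parsed fields will not see it.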
Environment
- Red Hat Enterprise Linux
- rsyslog
- CyberArk PAS 3rd party software