Raw incoming data

I am collecting logs using VMware's Log Insight. Some of these are being forwarded by syslog out to a Kiwi Server.

The Kiwi server is showing the sources for all events as the LI server. This is correct but apparently VRLI adds the original source to the log and that just needs to be read. Problem is I don't see it in the Kiwi display or the text logs.

Is there a way to view the raw data coming in to kiwi and equally a way to then get any extra data out of the incoming message?

For syslog and RAW, the source is the Log Forwarder's vRealize Log Insight instance IP address. Also, the message text contains _li_source_path which points to the initial sender's IP address.

Find more posts tagged with

Accepted answers

All comments

kstone

Can you write that log to a file from VMware to see the contents? If it's a standard syslog message Kiwi should not be omitting anything. Another suggestion is to look at the max message size configured in you KSS instance. It's possible that the info you're looking for is at the end of the message and if the message is oversize it could be truncated.