NXLog and long messages

1.2k views Asked by At

Forwarding windows events using NXLog to JSON format. The problem is that now and then, the JSON message becomes too large/long for the receiving system.

Is there a way to limit/truncate the JSON outputted from NXLog without breaking the JSON?

I have tried to work only on the $Message part, here trying to truncate it at 20 characters... but that doesn't work (infinite loop).

Exec $Message =~ s/^(.{1,20}).*$/$1/g;

1

There are 1 answers

1
b0ti On BEST ANSWER

This is usually caused by $Message (or $raw_event) being too large like you said. Instead of a regexp I suggest using the substr() function to truncate the data:

Exec $Message = substr($Message, 0, 20);