I'm trying to use the xm_multiline module with nxlog to forward content of a logfile to logstash The log contains different xml elements which are properly indented (opening and closing elements are located at the start of the line) . E.g.
<data
version="x"
xmlns:bla="http://www.example.com/bla">
<val:InfoSet>
...
...
...
</val:InfoSet>
</data>
<message ...>
<ns>bla</ns>
...
...
</message>
It don't need to parse the xml in nxlog, just forward each top element (e.g. data or message) to logstash and will then do the xml parsing in logstash.
Because the elements have different names, I can only use < and </ to find the start and end line. I was hoping a filter like this should be enough to select the correct lines:
HeaderLine /^</
EndLine /^<//
But somehow nxlog gets confused with the / in the regex pattern for the EndLine and shows this in the log:
ERROR HeaderLine and Endline both match
I tried all sorts of quoting but never got the expected result. Any advice?
Update, I did more testing
Worked
HeaderLine /^<m/
EndLine /^</m/
HeaderLine /^<m/
EndLine /^<\/m/
HeaderLine /^<[abcdefghijklm]/
EndLine /^<\/[abcdefghijklm]/
HeaderLine /^<[abcdefghijklmo]/
EndLine /^<\/[abcdefghijklmo]/
HeaderLine /^<[abcdefghijklmopqrstuvwxyz]/ (left out n)
EndLine /^<\/[abcdefghijklmopqrstuvwxyz]/
HeaderLine /^<[abcdefghijklmopqrstuvwxyz]/ (left out n + not escaped
EndLine /^</[abcdefghijklmopqrstuvwxyz]/
Didn't work:
HeaderLine /^</
EndLine /^</m/
HeaderLine /^<[a-z]/
EndLine /^</m/
HeaderLine /^<\w/
EndLine /^</m/
HeaderLine /^<[abcdefghijklmn]/
EndLine /^<\/[abcdefghijklmn]/
HeaderLine /^<[bcdefghijklmn]/
EndLine /^<\/[bcdefghijklmn]/
HeaderLine /^<[abcdefghijklmopqrstuvwxyzn]/ (n at the last position)
EndLine /^<\/[abcdefghijklmopqrstuvwxyzn]/
HeaderLine /^<[abcdefghijklmnopqrstuvwxyz]/
EndLine /^</[abcdefghijklmnopqrstuvwxyz]/