I am trying to read the WebLogic DefaultAuditRecorder.log, which looks like this (and doesn't seem to be covered in the WebLogic app in Splunkbase):
#### Audit Record Begin <<<>, category=AdminChannel>>> Audit Record End ####
Some small percentage of events are not breaking at "#### Audit Record Begin", but are instead randomly cut in the middle:
ipal = class weblogic.security.principal.WLSGroupImpl("groupname")
><>, category=AdminChannel>>> Audit Record End ####
an 9, 2018 2:28:02 PM><<<>, category=AdminChannel>>> Audit Record End ####
My props.conf:
[weblogic:audit]
KV_MODE = auto
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TIME_PREFIX = ####\sAudit\sRecord\sBegin\s<
TIME_FORMAT = %b %d, %Y %I:%M:%S %p
MAX_TIMESTAMP_LOOKAHEAD = 24
I've tried using these but no luck here either:
#MUST_BREAK_AFTER = Audit\sRecord\sEnd\s####
#BREAK_ONLY_BEFORE = ####\sAudit\sRecord\sBegin
I've reviewed the props.conf man page several times but I can't seem to identify where I've gone wrong.
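
An added example, not part of the original post: a Python check that counts how many indexed events are fragments, using the begin and end markers quoted in the question, and rejoins adjacent fragments to confirm they form one record. The sample events and their bodies are constructed, and the function names are hypothetical.

```python
BEGIN = "#### Audit Record Begin"
END = "Audit Record End ####"

# Constructed sample: events as they might come back from a search export.
# Events 2 and 3 are one audit record that was cut in the middle.
SAMPLE_EVENTS = [
    "#### Audit Record Begin <Jan 9, 2018 2:28:01 PM> <constructed body A> Audit Record End ####",
    "#### Audit Record Begin <J",
    "an 9, 2018 2:28:02 PM> <constructed body B> Audit Record End ####",
    "#### Audit Record Begin <Jan 9, 2018 2:28:03 PM> <constructed body C> Audit Record End ####",
]

def classify(event):
    """Label one event: complete, merged, head, tail or middle."""
    text = event.strip()
    has_begin = text.startswith(BEGIN)
    has_end = text.endswith(END)
    if has_begin and has_end:
        # More than one begin marker means two records ended up in one event.
        return "merged" if text.count(BEGIN) > 1 else "complete"
    if has_begin:
        return "head"    # starts correctly, cut before the end marker
    if has_end:
        return "tail"    # remainder of a record that was cut earlier
    return "middle"      # neither marker: a fragment between two cuts

def audit_breaks(events):
    """Count event kinds and rejoin head/middle/tail runs into full records."""
    counts, rejoined, pending = {}, [], None
    for ev in events:
        kind = classify(ev)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "head":
            pending = ev
        elif kind == "middle" and pending is not None:
            pending += ev
        elif kind == "tail" and pending is not None:
            candidate = pending + ev
            if classify(candidate) == "complete":
                rejoined.append(candidate)
            pending = None
        else:
            pending = None
    return counts, rejoined

if __name__ == "__main__":
    print(audit_breaks(SAMPLE_EVENTS))
```

Running it over an export taken before and after a props.conf change shows whether the share of head, tail and middle fragments actually dropped.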