I need help. I am receiving a log of 1300 lines and I am getting a parse error. To investigate, I ran tests in which these logs were significantly reduced, and with that the error disappears, since what I am removing does not affect the structure of the log. So I only have one theory left: the size of my log is exceeding the limit. Use the `max_bytes: 10485760` like this:
I had already seen that information, but I couldn't draw a conclusion, since I see that they use the types syslog, tcp input and udp input. Please confirm whether I'm right: for the filestream type I can only apply the max_line inside the multiline parsers.
I understand that for the filestream it is done like this:
I got this result, but I don't see the change; the error still persists. My error is in the parsers of the XML, but this is because it does not reach the closing of the event and the message, firstly because it exceeds 500 lines.
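
For reference, an added example (not part of the posts above and not the poster's configuration) of a Filebeat `filestream` input in which both limits mentioned in the thread are set explicitly: the per-message byte limit and the multiline `max_lines` limit, whose default is 500. The input `id`, the path and the `^<Event` start pattern are assumptions chosen for illustration.

```yaml
# Added example: filestream input for multi-line XML events.
# The id, path and pattern below are assumed values, not taken from the thread.
filebeat.inputs:
  - type: filestream
    id: xml-events                    # assumed input id
    paths:
      - /var/log/app/events.xml       # assumed path
    # Byte limit for one message on a filestream input.
    # 10485760 (10 MiB) is the default; bytes past the limit are discarded.
    message_max_bytes: 10485760
    parsers:
      - multiline:
          type: pattern
          pattern: '^<Event'          # assumed: every event starts with <Event
          negate: true                # lines NOT matching the pattern ...
          match: after                # ... are appended to the previous match
          # Default is 500. Lines past the limit are discarded, so a
          # 1300-line event would lose its closing tags and fail XML parsing.
          max_lines: 2000
          timeout: 5s                 # flush an unfinished event after 5s
```

With these settings a 1300-line event stays within `max_lines`, so the closing tags of the event reach whatever XML parsing step runs afterwards.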