<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#0050d0">
<font size="-1"><font face="Helvetica, Arial, sans-serif">rewrite
r_fixmsg { subst("\r","\n",value("MESSAGE") type("string")
flags("global")); };<br>
<br>
I dont know if syslog-ng will translate the \r or not. If not try
inserting a raw \r char in there (this is all assuming ^M really is \r).<br>
<br>
-Patrick<br>
</font></font><br>
Sent: Mon Oct 11 2010 16:32:22 GMT-0600 (Mountain Daylight Time)<br>
From: Matthew Hall <a class="moz-txt-link-rfc2396E" href="mailto:mhall@mhcomputing.net"><mhall@mhcomputing.net></a><br>
To: Syslog-ng users' and developers' mailing list
<a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng@lists.balabit.hu"><syslog-ng@lists.balabit.hu></a> <br>
Subject: Re: [syslog-ng] Multiple syslog messages in one tcp packet
<blockquote cite="mid:20101011223222.GA10923@mhcomputing.net"
type="cite">
<pre wrap="">How do you create a filter for ^M and other control characters?
Matthew.
On Mon, Oct 11, 2010 at 04:27:59PM -0600, Patrick H. wrote:
</pre>
<blockquote type="cite">
<pre wrap="">What you might try is to create a filter that takes all incoming
data on the tcp socket, replaces ^M with \n, and then pipes it back
into another source driver (socket, pipe, whatever) for syslog-ng to
process again, but without the filter expression (^M is probably \r
as thats what most editors will display \r as).
I'm not sure if that'll work, but I think it should.
-Patrick
Sent: Mon Oct 11 2010 15:48:53 GMT-0600 (Mountain Daylight Time)
From: Lee, Steve <a class="moz-txt-link-rfc2396E" href="mailto:steve.lee@emory.edu"><steve.lee@emory.edu></a>
To: Syslog-ng users' and developers' mailing list
<a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng@lists.balabit.hu"><syslog-ng@lists.balabit.hu></a>
Subject: Re: [syslog-ng] Multiple syslog messages in one tcp packet
</pre>
<blockquote type="cite">
<pre wrap="">I’ve got a Windows syslog client (from Q1 Labs) that wants to send multiple syslog messages within a single tcp packet to syslog-ng. The messages file on the syslog-ng side looks like this (Note the “^M<13>” separating the individual messages):
[user] [notice] Oct 11 16:25:05 10.40.3.16 10.40.3.16 ation_logfile.txt Payload=server.Emory.Edu, The Operations Manager agent processes are using too much processor time SEVERITY:2 STATE: New; Custom Oct 11 15:15:58^M<13>Oct 11 15:17:58 server2.emory.edu AgentDevice=FileForwarder AgentLogFile=logfile.txt Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: New; StateCollection Oct 11 15:17:58^M<13>Oct 11 15:19:58 server2.emory.edu AgentDevice=FileForwarder AgentLogFile= logfile.txt Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: Closed; StateCollection Oct 11 15:19:58^M
Is it possible to configure syslog-ng to separate the messages out into individual ones like these?
[user] [notice] Oct 11 16:25:05 10.40.3.16 10.40.3.16 ation_logfile.txt Payload=server.Emory.Edu, The Operations Manager agent processes are using too much processor time SEVERITY:2 STATE: New; Custom Oct 11 15:15:58
[user] [notice] Oct 11 15:17:58 server2.emory.edu AgentDevice=FileForwarder AgentLogFile=logfile.txt Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: New; StateCollection Oct 11 15:17:58
[user] [notice] Oct 11 15:19:58 server2.emory.edu AgentDevice=FileForwarder AgentLogFile= logfile.txt Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: Closed; StateCollection Oct 11 15:19:58
I am using the syslog-ng ose client version 3.0.3.
Thanks.
Steve
-------------
Steve Lee
Technical Operations Center
University Technology Services
Emory University
-------------
This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.
If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
</blockquote>
<pre wrap=""><!---->
</pre>
<blockquote type="cite">
<pre wrap="">______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
<pre wrap=""><!---->
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
</body>
</html>