<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#0050d0">
<font size="-1"><font face="Helvetica, Arial, sans-serif">What you
might try is to create a filter that takes all incoming data on the tcp
socket, replaces ^M with \n, and then pipes it back into another source
driver (socket, pipe, whatever) for syslog-ng to process again, but
without the filter expression (^M is probably \r as thats what most
editors will display \r as).<br>
I'm not sure if that'll work, but I think it should.<br>
<br>
-Patrick</font></font><br>
<br>
Sent: Mon Oct 11 2010 15:48:53 GMT-0600 (Mountain Daylight Time)<br>
From: Lee, Steve <a class="moz-txt-link-rfc2396E" href="mailto:steve.lee@emory.edu"><steve.lee@emory.edu></a><br>
To: Syslog-ng users' and developers' mailing list
<a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng@lists.balabit.hu"><syslog-ng@lists.balabit.hu></a> <br>
Subject: Re: [syslog-ng] Multiple syslog messages in one tcp packet
<blockquote
cite="mid:D2B7BF280D612746B96C37DA7542CC26C13ADBECBE@EXCHANGE11.Enterprise.emory.net"
type="cite">
<pre wrap="">I’ve got a Windows syslog client (from Q1 Labs) that wants to send multiple syslog messages within a single tcp packet to syslog-ng. The messages file on the syslog-ng side looks like this (Note the “^M<13>” separating the individual messages):
[user] [notice] Oct 11 16:25:05 10.40.3.16 10.40.3.16 ation_logfile.txt Payload=server.Emory.Edu, The Operations Manager agent processes are using too much processor time SEVERITY:2 STATE: New; Custom Oct 11 15:15:58^M<13>Oct 11 15:17:58 server2.emory.edu AgentDevice=FileForwarder AgentLogFile=logfile.txt Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: New; StateCollection Oct 11 15:17:58^M<13>Oct 11 15:19:58 server2.emory.edu AgentDevice=FileForwarder AgentLogFile= logfile.txt Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: Closed; StateCollection Oct 11 15:19:58^M
Is it possible to configure syslog-ng to separate the messages out into individual ones like these?
[user] [notice] Oct 11 16:25:05 10.40.3.16 10.40.3.16 ation_logfile.txt Payload=server.Emory.Edu, The Operations Manager agent processes are using too much processor time SEVERITY:2 STATE: New; Custom Oct 11 15:15:58
[user] [notice] Oct 11 15:17:58 server2.emory.edu AgentDevice=FileForwarder AgentLogFile=logfile.txt Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: New; StateCollection Oct 11 15:17:58
[user] [notice] Oct 11 15:19:58 server2.emory.edu AgentDevice=FileForwarder AgentLogFile= logfile.txt Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: Closed; StateCollection Oct 11 15:19:58
I am using the syslog-ng ose client version 3.0.3.
Thanks.
Steve
-------------
Steve Lee
Technical Operations Center
University Technology Services
Emory University
-------------
This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.
If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
</body>
</html>