I am using syslog-ng <b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">version </span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><br>
</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:blue">[root@Cypher-210 ~]#
/usr/local/sbin/syslog-ng -V<br>
syslog-ng 3.3.3<br>
Installer-Version: 3.3.3</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><br>
Revision:
ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.3#master#d199a1980be6b23fe24189e86a882812288e292c<br>
Compile-Date: Mar 6 2012 13:06:17<br>
Default-Modules:
affile,afprog,afsocket,afuser,basicfuncs,csvparser,parser,syslogformat<br>
Available-Modules:
afprog,convertfuncs,affile,afsocket-tls,confgen,csvparser,syslogformat,dbparser,basicfuncs,afmongodb,dummy,afuser,afsocket<br>
Enable-Debug: off<br>
Enable-GProf: off<br>
Enable-Memtrace: off<br>
Enable-IPv6: on<br>
Enable-Spoof-Source: off<br>
Enable-TCP-Wrapper: on<br>
Enable-Linux-Caps: on<br>
Enable-Pcre: on<br style>
<br style>
</span><br>Problem:<br>------------<br>Syslog-ng is forwarding the TCP packets to a Remote TCP port with More than one message in a single TCP Packet.But, in between the messages inside a packet, It doesn't includes any delimiter like "\n" or some other.But, the receiving Program listens on TCP requires a newline as a delimiter b/w messages so as to parse the messages individually. But, As Syslog-ng doesn't includes a separator b/w messages in a packet, The Receiver simply considering whole messages in a packet as a single Message which leads to false and unacceptable parsing.<br>
<br>Please look into the following messages exists in a single TCP packet.The one I colored red is a start of new message.<br><br>root : tty=unknown ; pwd=/ ; user=root ; command=/bin/grep ^shutdown: /etc/shadow <b><span style="color:rgb(255,0,0)"><13></span></b>mar 6 17:22:15 cypher-210 sudo: root : tty=unknown ; pwd=/ ; user=root ; command=/usr/bin/head -n 4 /etc/inittab <b><span style="color:rgb(255,0,0)"><13></span></b>mar 6 17:22:15 cypher-210 sudo: root : tty=unknown ; pwd=/ ; user=root ; command=/usr/bin/tail -n 1 <b style="color:rgb(255,0,0)"><13></b>mar 6 17:22:15 cypher-210 sshd[5583]: pam_unix(sshd:session): session opened for user root by (uid=0) <b><span style="color:rgb(255,0,0)"><13></span></b>mar 6 17:22:15 cypher-210 sshd[5765]: accepted password for root from 10.0.15.218 port 44258 ssh2 <13>mar 6 17:22:15 cypher-210 sshd[5765]: pam_unix(sshd:session): session opened for user root by (uid=0) <b style="color:rgb(255,0,0)"><13></b>mar 6 17:22:16 cypher-210 sshd[5278]: pam_unix(sshd:session): session closed for user root <b style="color:rgb(255,0,0)"><13></b>mar 6 17:22:17 cypher-210 pam_timestamp_check: pam `/' permissions are lax <13>mar 6 17:22:17 cypher-210 sshd[5281]: pam_unix(sshd:session): session closed for user root <b style="color:rgb(255,0,0)"><13></b>mar 6 17:22:17 cypher-210 sudo: root : tty=unknown ; pwd=/ ; user=root ; command=/bin/grep ^shutdown: /etc/shad<br>
<br>These are the settings i made in the syslog-ng.conf file:<br><br>source s_test {<br> internal();<br> unix-stream("/dev/log");<br> udp();<br> file("/var/log/syslog-ng_local");<br>};<br><br>destination d_test {<br>
tcp("10.0.15.18" port(9500)); #My Program listening on tcp port 9500 requires newline as a separator for each message.<br>};<br>log {<br> source(s_test); destination(d_test);<br>};<br><br>Can anyone kindly help me, <br>
1. How can i limit one tcp packet to hold only one message?<br> [or]<br>2. How can I add newline as a delimiter b/w each message before the packet(s) are forwarding to a destination so that it could parse properly?<br>
<br>Your Help is really appreciate..<br><br>Thanks&Regards<br>Anjaneyulu P<br>