<span style>Hi Balint,</span><br style><br style><span style> Thanks for your kind reply and sorry for the delay.As i was on leave till today, My reply is delayed.However, I didn't use any template.The Packet data which i had pasted in my previous message is what i received from the application running at the destination end "10.0.15.18" with port 9500;Might be this application is displaying as small letter 'm'. But,</span><span class="il" style>Syslog</span><span style>-</span><span class="il" style>ng</span><span style> is forwarding with 'M' only to the Destination with multiple messages in a single TCP packet.This is been confirmed through WireShark.Please look into the attached image file captured from Packet Analyzer tool wireshark.</span><div>
<br></div><div>I have attached a file which was captured through wireshark to show you the multiple events forwarded by syslog-ng to the Destination.But, unfortunately it was rejected as it's not under the size limits of Syslog-ng pipermail.<br style>
<br style><span style>Kindly assist me on How can i configure </span><span class="il" style>syslog</span><span style>-</span><span class="il" style>ng</span><span style> in order to send only one message per single tcp packet or else having a new line character '\n' at the end of each message.</span><div>
<br style><span style>Please let me know if you need any further information.</span><br style><br style><span style>Thanks & Regards</span> <div>Anjaneyulu P<br><br><div class="gmail_quote">On Wed, Mar 7, 2012 at 2:04 PM, Balint Kovacs <span dir="ltr"><<a href="mailto:balint.kovacs@balabit.com">balint.kovacs@balabit.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hi Anji,<br>
<br>
at first glance it seems as if you are using a template in your
destination (because of the small m in mar) and are missing the "\n"
from the end of the template. Are you sure that you have pasted the
right config snippet?<br>
<br>
Balint<div><div class="h5"><br>
<br>
On 03/07/2012 05:38 AM, anji prassana wrote:
</div></div><blockquote type="cite"><div><div class="h5">I am using syslog-ng <b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">version
</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><br>
</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:blue">[root@Cypher-210
~]#
/usr/local/sbin/syslog-ng -V<br>
syslog-ng 3.3.3<br>
Installer-Version: 3.3.3</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><br>
Revision:
<a href="mailto:ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.3#master%23d199a1980be6b23fe24189e86a882812288e292c" target="_blank">ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.3#master#d199a1980be6b23fe24189e86a882812288e292c</a><br>
Compile-Date: Mar 6 2012 13:06:17<br>
Default-Modules:
affile,afprog,afsocket,afuser,basicfuncs,csvparser,parser,syslogformat<br>
Available-Modules:
afprog,convertfuncs,affile,afsocket-tls,confgen,csvparser,syslogformat,dbparser,basicfuncs,afmongodb,dummy,afuser,afsocket<br>
Enable-Debug: off<br>
Enable-GProf: off<br>
Enable-Memtrace: off<br>
Enable-IPv6: on<br>
Enable-Spoof-Source: off<br>
Enable-TCP-Wrapper: on<br>
Enable-Linux-Caps: on<br>
Enable-Pcre: on<br>
<br>
</span><br>
Problem:<br>
------------<br>
Syslog-ng is forwarding the TCP packets to a Remote TCP port with
More than one message in a single TCP Packet.But, in between the
messages inside a packet, It doesn't includes any delimiter like
"\n" or some other.But, the receiving Program listens on TCP
requires a newline as a delimiter b/w messages so as to parse the
messages individually. But, As Syslog-ng doesn't includes a
separator b/w messages in a packet, The Receiver simply
considering whole messages in a packet as a single Message which
leads to false and unacceptable parsing.<br>
<br>
Please look into the following messages exists in a single TCP
packet.The one I colored red is a start of new message.<br>
<br>
root : tty=unknown ; pwd=/ ; user=root ; command=/bin/grep
^shutdown: /etc/shadow <b><span style="color:rgb(255,0,0)"><13></span></b>mar
6 17:22:15 cypher-210 sudo: root : tty=unknown ; pwd=/ ;
user=root ; command=/usr/bin/head -n 4 /etc/inittab <b><span style="color:rgb(255,0,0)"><13></span></b>mar 6
17:22:15 cypher-210 sudo: root : tty=unknown ; pwd=/ ;
user=root ; command=/usr/bin/tail -n 1 <b style="color:rgb(255,0,0)"><13></b>mar 6 17:22:15
cypher-210 sshd[5583]: pam_unix(sshd:session): session opened for
user root by (uid=0) <b><span style="color:rgb(255,0,0)"><13></span></b>mar
6 17:22:15 cypher-210 sshd[5765]: accepted password for root from
10.0.15.218 port 44258 ssh2 <13>mar 6 17:22:15 cypher-210
sshd[5765]: pam_unix(sshd:session): session opened for user root
by (uid=0) <b style="color:rgb(255,0,0)"><13></b>mar 6
17:22:16 cypher-210 sshd[5278]: pam_unix(sshd:session): session
closed for user root <b style="color:rgb(255,0,0)"><13></b>mar
6 17:22:17 cypher-210 pam_timestamp_check: pam `/' permissions are
lax <13>mar 6 17:22:17 cypher-210 sshd[5281]:
pam_unix(sshd:session): session closed for user root <b style="color:rgb(255,0,0)"><13></b>mar 6 17:22:17
cypher-210 sudo: root : tty=unknown ; pwd=/ ; user=root ;
command=/bin/grep ^shutdown: /etc/shad<br>
<br>
These are the settings i made in the syslog-ng.conf file:<br>
<br>
source s_test {<br>
internal();<br>
unix-stream("/dev/log");<br>
udp();<br>
file("/var/log/syslog-ng_local");<br>
};<br>
<br>
destination d_test {<br>
tcp("10.0.15.18" port(9500)); #My Program listening on tcp port
9500 requires newline as a separator for each message.<br>
};<br>
log {<br>
source(s_test); destination(d_test);<br>
};<br>
<br>
Can anyone kindly help me, <br>
1. How can i limit one tcp packet to hold only one message?<br>
[or]<br>
2. How can I add newline as a delimiter b/w each message before
the packet(s) are forwarding to a destination so that it could
parse properly?<br>
<br>
Your Help is really appreciate..<br>
<br>
Thanks&Regards<br>
Anjaneyulu P<br>
<br>
<fieldset></fieldset>
<br>
</div></div><pre>______________________________________________________________________________
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
</div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div></div></div>