<div dir="ltr"><div><div>Hi,<br><br></div>I have just added regexp based multiline support to the 3.5 version. Just grab the latest master, recompile, and you'll have these options:<br></div>multi-line-mode(regexp) multi-line-prefix(...) multi-line-garbage(...)<br>
<br><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jul 22, 2013 at 11:23 PM, Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">Sorry, I was on holiday, w/o access to emails. It would be nice to see what exactly log4j sends to syslog-ng. </p>
<p dir="ltr">Can you make a packet dump using tcpdump/wireshark?</p><div class="HOEnZb"><div class="h5">
<div class="gmail_quote">On Jul 12, 2013 8:16 PM, "Satish Patel" <<a href="mailto:satish.txt@gmail.com" target="_blank">satish.txt@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Tomcat7 log4j is sending logs to syslog-ng. I have installed 3.5. It looks like log4j doesn't know about white space, do you have any experience with that? But in the syslog-ng documents they have mentioned you can use multi-line-prefix to solve this issue, but it seems that option isn't available in the 3.5 version<br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jul 11, 2013 at 5:03 PM, Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">It's available in the git repo, Algernon (cc) may have published binaries.</p>
<p dir="ltr">For syslog(transport(udp)) you don't need this flag, as UDP supports multiline just fine. The original sender decides whether it sends the message with newlines or not. What client sends you messages?</p>
<div><div>
<div class="gmail_quote">On Jul 11, 2013 6:54 PM, "Satish Patel" <<a href="mailto:satish.txt@gmail.com" target="_blank">satish.txt@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">ah!!! where do i download 3.5 OpenSource? could you please point me out.. also in my case i am using UDP port for source so my syntax would be like following? right?<br><br>source s_tomcat {<br> syslog( transport("udp") multi-line-mode(indented));<br>
};<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jul 11, 2013 at 12:40 PM, Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">My gosh, I incorrectly remembered a number of vital details, sorry for that.</p>
<p dir="ltr">The syntax has been changed from the flags format, it's like this:</p>
<p dir="ltr">file('tomcat.log' multi-line-mode(indented));<br></p>
<p dir="ltr">I have actually tried this one, however I have one other bad news, this feature missed 3.4 so it's only available in the 3.5 branch. IIRC Algernon already published 3.5 binaries for Debian/Ubuntu distros.</p>
<div><div>
<div class="gmail_quote">On Jul 11, 2013 4:22 PM, "Satish Patel" <<a href="mailto:satish.txt@gmail.com" target="_blank">satish.txt@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>This is my source declaration and i have put flags which you have mentioned. <br><br>source s_tomcat {<br> syslog( transport("udp") flags(indent-multi-line));<br>};<br><br></div>I got following error when i am trying to put flags<br>
<br>Error parsing afsocket, Unknown flag indent-multi-line in /usr/local/syslog-ng-3.4.2/etc/syslog-ng.conf at line 54, column 33:<br><br> syslog( transport("udp") flags(indent-multi-line) );<br> ^^^^^^^^^^^^^^^^^<br>
<br><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jul 11, 2013 at 7:53 AM, Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi@balabit.hu" target="_blank">bazsi@balabit.hu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
I can't see the source declaration, it must be something along the lines<br>
of:<br>
<br>
source s_tomcat {<br>
file("/var/log/tomcat/xxx.log" flags(indent-multi-line));<br>
};<br>
<div><div><br>
On Wed, 2013-07-10 at 12:54 -0400, Satish Patel wrote:<br>
> Hi Balazs,<br>
><br>
><br>
> what is your thought about my config? did you see?<br>
><br>
><br>
><br>
> On Mon, Jul 8, 2013 at 12:30 PM, Satish Patel <<a href="mailto:satish.txt@gmail.com" target="_blank">satish.txt@gmail.com</a>><br>
> wrote:<br>
> This is what i have configured and no luck with it.. can you<br>
> suggest what i am missing?<br>
><br>
> destination d02_tc74_log<br>
> { file("/logs/server1/tomcat7.4/catalina_$YEAR$MONTH$DAY.log"<br>
> template("$(indent-multi-line ${MESSAGE})\n")<br>
> template(t_tomcatlog) owner("root") group("root") perm(0644)<br>
> dir_perm(0755) create_dirs(yes)); };<br>
> filter server1 { host("<a href="http://server1.example.com" target="_blank">server1.example.com</a>") };<br>
> log {<br>
> source (s_tomcat);<br>
> filter (server1);<br>
> filter (tomcat7_4);<br>
> destination (d02_tc74_log);<br>
> };<br>
><br>
><br>
><br>
><br>
> On Mon, Jul 8, 2013 at 12:08 PM, Satish Patel<br>
> <<a href="mailto:satish.txt@gmail.com" target="_blank">satish.txt@gmail.com</a>> wrote:<br>
> How do i use indented-multi-line? I meant where do i<br>
> configure it? I tried but my syslog-ng doesn't<br>
> recognize this option. I have syslog-ng 3.3.7. Could<br>
> you give me an example of where and how do i check whether<br>
> it is supported or not<br>
><br>
><br>
><br>
> On Sat, Jul 6, 2013 at 2:12 AM, Balazs Scheidler<br>
> <<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>> wrote:<br>
> This looks like the format that should be<br>
> supported by indented-multi-line<br>
><br>
> On Jul 5, 2013 9:33 PM, "Satish Patel"<br>
> <<a href="mailto:satish.txt@gmail.com" target="_blank">satish.txt@gmail.com</a>> wrote:<br>
> Here is my tomcat catalina.out log<br>
> file sample. See there is a tab space<br>
> in logs<br>
><br>
> 2013-06-27 05:30:00,065<br>
> [EDISN-Scheduler_Worker-2] ERROR<br>
> com.example.edisn.sftp.SftpSession -<br>
> Exception attempting to work with an<br>
> SFTP Session: connection is closed by<br>
> foreign host<br>
> 2013-06-27 05:30:00,066<br>
> [EDISN-Scheduler_Worker-2] ERROR<br>
> org.quartz.core.JobRunShell - Job<br>
> EDISN.CTMS_Upload threw an unhandled<br>
> Exception:<br>
> com.example.edisn.EdisnRuntimeException: Exception attempting to work with an SFTP Session: connection is closed by foreign host<br>
> at<br>
> com.example.edisn.sftp.SftpSession.doSession(SftpSession.java:64)<br>
> at<br>
> com.example.edisn.EdisnSession.exec(EdisnSession.java:13)<br>
> at<br>
> com.example.ctms.CtmsScheduledJob.executeInternal(CtmsScheduledJob.java:27)<br>
> at<br>
> org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86)<br>
> at<br>
> org.quartz.core.JobRunShell.run(JobRunShell.java:202)<br>
> at<br>
> org.quartz.simpl.SimpleThreadPool<br>
> $WorkerThread.run(SimpleThreadPool.java:525)<br>
> Caused by:<br>
> com.jcraft.jsch.JSchException:<br>
> connection is closed by foreign host<br>
> at<br>
> com.jcraft.jsch.Session.connect(Unknown Source)<br>
> at<br>
> com.jcraft.jsch.Session.connect(Unknown Source)<br>
> at<br>
> com.example.edisn.sftp.SftpSession.doSession(SftpSession.java:45)<br>
> ... 5 more<br>
><br>
><br>
><br>
><br>
> On Fri, Jul 5, 2013 at 3:27 PM, Balazs<br>
> Scheidler <<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>> wrote:<br>
> No, I implemented a different<br>
> multiline style support first<br>
> (that is not in pe), where<br>
> continuation lines are<br>
> indicated by indentation, like<br>
> mime.<br>
><br>
> Iirc tomcat has this kind of<br>
> log file. Can you show a<br>
> sample log entry?<br>
><br>
> The infrastructure for<br>
> multiline-prefix is also there<br>
> but not added yet.<br>
><br>
> Let me see the sample, I'll<br>
> tell if the current solution<br>
> works or not.<br>
><br>
> On Jul 5, 2013 8:24 PM,<br>
> "Satish Patel"<br>
> <<a href="mailto:satish.txt@gmail.com" target="_blank">satish.txt@gmail.com</a>> wrote:<br>
> Thanks for reply<br>
> Balazs,<br>
><br>
><br>
> You mean say this<br>
> feature is available<br>
> in Open Source Edition<br>
> (OSE) 3.4? Once after<br>
> specifying flag<br>
> "indented-multi-line"<br>
> i can use<br>
> multi-line-prefix?<br>
><br>
><br>
><br>
> On Fri, Jul 5, 2013 at<br>
> 1:26 PM, Balazs<br>
> Scheidler<br>
> <<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>><br>
> wrote:<br>
> You have found<br>
> the PE<br>
> documentation<br>
> but I have<br>
> already ported<br>
> this to the<br>
> OSE tree and<br>
> has been<br>
> released as<br>
> part of 3.4.<br>
><br>
> You have to<br>
> specify<br>
> indented-multi-line as a flag to the file source.<br>
><br>
> On Jul 5, 2013<br>
> 6:28 PM,<br>
> "Satish Patel"<br>
> <<a href="mailto:satish.txt@gmail.com" target="_blank">satish.txt@gmail.com</a>> wrote:<br>
><br>
> We have a tomcat shop and as everyone knows tomcat has a java call trace in logs with tab space, but syslog-ng doesn't know about it and is printing the lines as new lines. I have read here that syslog-ng 3.x does support multi-line logs <a href="http://www.balabit.com/sites/default/files/documents/syslog-ng-pe-4.0-guides/en/syslog-ng-pe-v4.0-guide-admin-en/html/reference_source_syslog.html" target="_blank">http://www.balabit.com/sites/default/files/documents/syslog-ng-pe-4.0-guides/en/syslog-ng-pe-v4.0-guide-admin-en/html/reference_source_syslog.html</a><br>
><br>
><br>
> But is this feature available in Open Source syslog-ng? If yes, then why is it not working for me?<br>
><br>
><br>
><br>
> ______________________________________________________________________________<br>
> Member<br>
> info:<br>
> <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ:<br>
> <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
<br>
<br>
<br>
</div></div></blockquote></div><br></div>
<br></blockquote></div>
</div></div><br>
<br></blockquote></div><br></div>
<br></blockquote></div>
</div></div><br>
<br></blockquote></div><br></div>
<br></blockquote></div>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Bazsi
</div>