<p dir="ltr">Hmm what was the sniffer that printed these lines? I would prefer to see what was in the wire exactly as these seem to have been processed somewhat.</p>
<div class="gmail_quote">On May 12, 2015 5:02 PM, "Ray Van Dolson" <<a href="mailto:rvandolson@esri.com">rvandolson@esri.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, May 12, 2015 at 08:49:20AM +0200, Scheidler, Balázs wrote:<br>
> The most important thing with multiline is the transport.<br>
><br>
> Udp can transmit multiline messages just as syslog(transport(tcp))<br>
> but of course the client has to support the same protocol.<br>
><br>
> What do you use on the solaris side?<br>
<br>
Using the default syslog daemon in Solaris 10 (uses UDP).<br>
<br>
><br>
> If you haven't changed the client I don't see why the message would<br>
> be truncated like that. Once received syslog-ng would only replace<br>
> newlines with spaces.<br>
><br>
> So I guess it is a transport issue on the sending side. But<br>
> tcpdump/wireshark should help a lot here.<br>
<br>
Packet capture results leave me scratching my head a bit:<br>
<br>
714 2015-05-12 03:41:06.<a href="tel:172567%20%2010" value="+3617256710">172567 10</a>.49.6.166 10.49.7.16 Syslog 150 KERN.WARNING: May 12 03:41:06 scsi: [ID 243001 kern.warning] WARNING: /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):<br>
715 2015-05-12 03:41:06.<a href="tel:172575%20%2010" value="+3617257510">172575 10</a>.49.6.166 10.49.7.16 Syslog 127 KERN.WARNING: May 12 03:41:06 \tmptsas_handle_event_sync: IOCStatus=0x8000, IOCLogInfo=0x31110610<br>
<br>
718 2015-05-12 03:41:10.172475 10.49.6.166 10.49.7.16 Syslog 138 <a href="http://KERN.INFO" target="_blank">KERN.INFO</a>: May 12 03:41:10 scsi: [ID 365881 <a href="http://kern.info" target="_blank">kern.info</a>] /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):<br>
719 2015-05-12 03:41:10.<a href="tel:172483%20%2010" value="+3617248310">172483 10</a>.49.6.166 10.49.7.16 Syslog 105 <a href="http://KERN.INFO" target="_blank">KERN.INFO</a>: May 12 03:41:10 \tLog info 0x31110610 received for target 24.<br>
<br>
721 2015-05-12 03:41:10.<a href="tel:172487%20%2010" value="+3617248710">172487 10</a>.49.6.166 10.49.7.16 Syslog 142 KERN.WARNING: May 12 03:41:10 scsi: [ID 107833 kern.warning] WARNING: /scsi_vhci/disk@g5000c50019bc81e1 (sd31):<br>
722 2015-05-12 03:41:10.<a href="tel:172491%20%2010" value="+3617249110">172491 10</a>.49.6.166 10.49.7.16 Syslog 110 KERN.WARNING: May 12 03:41:10 \tSCSI transport failed: reason 'reset': giving up<br>
<br>
(Sorry for the word-wrap).<br>
<br>
So, you can see the second line comes through as a completely separate<br>
message with a tab character '\t' at the beginning.<br>
<br>
The odd thing? Packets 714 & 715 come through fine and syslog-ng<br>
appends them both to my output log.<br>
<br>
However, for pairs 718 & 719 and 721 & 722, only the first line comes<br>
through. In both cases the tab character is 0x09 so not seeing a<br>
difference there.<br>
<br>
Makes me think it's something in the syslog-ng config rather than the<br>
message. Probably will move to something super simple to see that<br>
fixes it (keeping in mind this behavior didn't occur w/ syslog-ng 2.x).<br>
<br>
Ray<br>
<br>
><br>
> On May 12, 2015 05:43, "Ray Van Dolson" <<a href="mailto:rvandolson@esri.com">rvandolson@esri.com</a>> wrote:<br>
><br>
> Admittedly haven't done enough searching or testing on this, but am<br>
> hoping someone might have a quick answer.<br>
><br>
> Recently moved from the 2.x verions to 3.2.5 (as part of EPEL on<br>
> RHEL6). Have noticed that we're no longer getting the full messages<br>
> from some Solaris boxen using the tcp() and udp() source definitions.<br>
><br>
> Messages like this:<br>
><br>
> May 10 02:29:30 dev-zfs2 scsi: [ID 365881 <a href="http://kern.info" target="_blank">kern.info</a>] /pci@0,0/<br>
> pci8086,3410@9/pci15d9,400@0 (mpt_sas0):<br>
> May 10 02:29:30 dev-zfs2 Log info 0x31080000 received for target 24.<br>
> May 10 02:29:30 dev-zfs2 scsi_status=0x0, ioc_status=0x804b,<br>
> scsi_state=0x0<br>
><br>
> Come through looking like this:<br>
><br>
> May 10 02:29:30 dev-zfs2 scsi: [ID 365881 <a href="http://kern.info" target="_blank">kern.info</a>] /pci@0,0/<br>
> pci8086,3410@9/pci15d9,400@0 (mpt_sas0):<br>
><br>
> (Only the initial line)<br>
><br>
> However, messages like this one:<br>
><br>
> May 9 04:12:57 dev-zfs2 scsi: [ID 243001 kern.warning] WARNING: /pci@0,0/<br>
> pci8086,3410@9/pci15d9,400@0 (mpt_sas0):<br>
> May 9 04:12:57 dev-zfs2 mptsas_handle_event_sync: IOCStatus=0x8000,<br>
> IOCLogInfo=0x31110610<br>
><br>
> .. do seem to be coming through "whole" (I do note that the priority<br>
> is different in both).<br>
><br>
> Relevant config items are as follows:<br>
><br>
> log {<br>
> source(remote);<br>
> filter(syslog);<br>
> destination(hosts_syslog);<br>
> };<br>
><br>
> source remote {<br>
> udp();<br>
> tcp();<br>
> # udp(ip(0.0.0.0) port(514));<br>
> # tcp(ip(0.0.0.0) port(514));<br>
> };<br>
><br>
> destination hosts_syslog {<br>
> file("/logs/hosts/$HOST/$YEAR/$MONTH/syslog.$HOST.$YEAR.$MONTH.log"<br>
> create_dirs(yes));<br>
> pipe("/logs/hosts/everything.fifo");<br>
> };<br>
><br>
> filter syslog {<br>
> (not facility(mail)<br>
> and not filter(f_ucgw)<br>
> and not filter(f_esx));<br>
> };<br>
><br>
> Will try and do some packet captures to confirm Solaris is, in fact,<br>
> sending the entire message (I believe it is since this worked on<br>
> syslog-ng 2.x).<br>
><br>
> Thanks,<br>
> Ray<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>