<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body>
<div>You hit it I think. The first thing is to capture packets on at least one end to isolate where this is happening. </div><div><br></div><div>Jim</div><div><br></div><div><br></div><div><br></div><div id="composer_signature"><div style="font-size:85%;color:#575757">Sent from my Verizon Wireless 4G LTE smartphone</div></div><br><br>-------- Original message --------<br>From: Ray Van Dolson <rvandolson@esri.com> <br>Date: 05/11/2015 11:42 PM (GMT-05:00) <br>To: syslog-ng@lists.balabit.hu <br>Subject: [syslog-ng] 3.2.5 and Multiline(?) messages from Solaris <br><br>Admittedly haven't done enough searching or testing on this, but am<br>hoping someone might have a quick answer.<br><br>Recently moved from the 2.x verions to 3.2.5 (as part of EPEL on<br>RHEL6). Have noticed that we're no longer getting the full messages<br>from some Solaris boxen using the tcp() and udp() source definitions.<br><br>Messages like this:<br><br>May 10 02:29:30 dev-zfs2 scsi: [ID 365881 kern.info] /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):<br>May 10 02:29:30 dev-zfs2 Log info 0x31080000 received for target 24.<br>May 10 02:29:30 dev-zfs2 scsi_status=0x0, ioc_status=0x804b, scsi_state=0x0<br><br>Come through looking like this:<br><br>May 10 02:29:30 dev-zfs2 scsi: [ID 365881 kern.info] /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):<br><br>(Only the initial line)<br><br>However, messages like this one:<br><br>May 9 04:12:57 dev-zfs2 scsi: [ID 243001 kern.warning] WARNING: /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):<br>May 9 04:12:57 dev-zfs2 mptsas_handle_event_sync: IOCStatus=0x8000, IOCLogInfo=0x31110610<br><br>.. do seem to be coming through "whole" (I do note that the priority<br>is different in both).<br><br>Relevant config items are as follows:<br><br>log {<br> source(remote);<br> filter(syslog);<br> destination(hosts_syslog);<br>};<br><br>source remote {<br> udp();<br> tcp();<br> # udp(ip(0.0.0.0) port(514));<br> # tcp(ip(0.0.0.0) port(514));<br>};<br><br>destination hosts_syslog {<br> file("/logs/hosts/$HOST/$YEAR/$MONTH/syslog.$HOST.$YEAR.$MONTH.log"<br> create_dirs(yes));<br> pipe("/logs/hosts/everything.fifo");<br>};<br><br>filter syslog {<br> (not facility(mail)<br> and not filter(f_ucgw)<br> and not filter(f_esx));<br>};<br><br>Will try and do some packet captures to confirm Solaris is, in fact,<br>sending the entire message (I believe it is since this worked on<br>syslog-ng 2.x).<br><br>Thanks,<br>Ray<br>______________________________________________________________________________<br>Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng<br>Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng<br>FAQ: http://www.balabit.com/wiki/syslog-ng-faq<br><br></body></html>