<p dir="ltr">The most important thing with multiline is the transport.</p>
<p dir="ltr">Udp can transmit multiline messages just as syslog(transport(tcp)) but of course the client has to support the same protocol.</p>
<p dir="ltr">What do you use on the solaris side?</p>
<p dir="ltr">If you haven't changed the client I don't see why the message would be truncated like that. Once received syslog-ng would only replace newlines with spaces.</p>
<p dir="ltr">So I guess it is a transport issue on the sending side. But tcpdump/wireshark should help a lot here.</p>
<div class="gmail_quote">On May 12, 2015 05:43, "Ray Van Dolson" <<a href="mailto:rvandolson@esri.com">rvandolson@esri.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Admittedly haven't done enough searching or testing on this, but am<br>
hoping someone might have a quick answer.<br>
<br>
Recently moved from the 2.x verions to 3.2.5 (as part of EPEL on<br>
RHEL6). Have noticed that we're no longer getting the full messages<br>
from some Solaris boxen using the tcp() and udp() source definitions.<br>
<br>
Messages like this:<br>
<br>
May 10 02:29:30 dev-zfs2 scsi: [ID 365881 <a href="http://kern.info" target="_blank">kern.info</a>] /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):<br>
May 10 02:29:30 dev-zfs2 Log info 0x31080000 received for target 24.<br>
May 10 02:29:30 dev-zfs2 scsi_status=0x0, ioc_status=0x804b, scsi_state=0x0<br>
<br>
Come through looking like this:<br>
<br>
May 10 02:29:30 dev-zfs2 scsi: [ID 365881 <a href="http://kern.info" target="_blank">kern.info</a>] /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):<br>
<br>
(Only the initial line)<br>
<br>
However, messages like this one:<br>
<br>
May 9 04:12:57 dev-zfs2 scsi: [ID 243001 kern.warning] WARNING: /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):<br>
May 9 04:12:57 dev-zfs2 mptsas_handle_event_sync: IOCStatus=0x8000, IOCLogInfo=0x31110610<br>
<br>
.. do seem to be coming through "whole" (I do note that the priority<br>
is different in both).<br>
<br>
Relevant config items are as follows:<br>
<br>
log {<br>
source(remote);<br>
filter(syslog);<br>
destination(hosts_syslog);<br>
};<br>
<br>
source remote {<br>
udp();<br>
tcp();<br>
# udp(ip(0.0.0.0) port(514));<br>
# tcp(ip(0.0.0.0) port(514));<br>
};<br>
<br>
destination hosts_syslog {<br>
file("/logs/hosts/$HOST/$YEAR/$MONTH/syslog.$HOST.$YEAR.$MONTH.log"<br>
create_dirs(yes));<br>
pipe("/logs/hosts/everything.fifo");<br>
};<br>
<br>
filter syslog {<br>
(not facility(mail)<br>
and not filter(f_ucgw)<br>
and not filter(f_esx));<br>
};<br>
<br>
Will try and do some packet captures to confirm Solaris is, in fact,<br>
sending the entire message (I believe it is since this worked on<br>
syslog-ng 2.x).<br>
<br>
Thanks,<br>
Ray<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>