<p dir="ltr">Hi,<br>
This seems to be a PE customer. Helping him publicly is a great way to push publicity. Basically he is already a reference with a great company name.</p>
<p dir="ltr">Any takers on his problem?</p>
<p dir="ltr">Cheers<br>
Bazsi</p>
<div class="gmail_quote">---------- Forwarded message ----------<br>From: "Newport, Brendan (Contractor - Security Operations - Development &amp; Support)" &lt;<a href="mailto:Brendan.Newport@lloydsbanking.com">Brendan.Newport@lloydsbanking.com</a>&gt;<br>Date: Sep 29, 2016 15:04<br>Subject: [syslog-ng] Converting multiline text input to concatenated single-line syslog format<br>To: "<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>" &lt;<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>&gt;<br>Cc: <br><br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-GB" link="blue" vlink="purple"><div>
<p class="MsoNormal"><strong>Classification: <span style="color:#33cc00">Public</span></strong></p>
<p class="MsoNormal">Hi!</p>
<p class="MsoNormal">My first posting on the mailing list.</p>
<p class="MsoNormal">I’ve run into a snag trying to get multiline logs concatenated onto one line and written as syslog-format messages.</p>
<p class="MsoNormal">Actually the second part is working fine; I can get the first line identified and incorporated into a syslog message, but all subsequent lines aren’t included.</p>
<p class="MsoNormal">Just for testing I’ve some simple input:</p>
<p class="MsoNormal">‘IMP-386: ORACLE error 386 encountered</p>
<p class="MsoNormal">ORA-01017: invalid username/password; logon deniedUsername:</p>
<p class="MsoNormal">Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production</p>
<p class="MsoNormal">With the Partitioning, OLAP and Data Mining options</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Export file created by EXPORT:V10.02.01 via conventional path</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Warning: the objects were exported by FALCON, not by you</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">import done in WE8ISO8859P1 character set and AL16UTF16 NCHAR character set</p>
<p class="MsoNormal">IMP-00034: Warning: FromUser "FALBOS" not found in export file’</p>
<p class="MsoNormal">What I’m aiming to do is log only the Oracle errors, commencing at the string ‘IMP’ and ending only when the next line is found with ‘IMP’ (this log only sees errors).</p>
<p class="MsoNormal">So in syslog-ng.conf (version 5.0.6b PE):</p>
<p class="MsoNormal">source s_table { file("/path to Table.log" multi-line-prefix("IMP") multi-line-garbage("set$") flags(no-parse) flags(no-multi-line) program_override("Table") default-facility(local5) default-priority(info)); };</p>
<p class="MsoNormal">Just to try to get things working, I’ve hard-coded the final string present in my sample input - ‘set’.</p>
<p class="MsoNormal">The output is scheduled to go off-server, but for the moment I want to see the transformed messages in their own file:</p>
<p class="MsoNormal">destination d_table { file("/auditsox/table.log"); };</p>
<p class="MsoNormal">log { source(s_table); destination(d_table); };</p>
<p class="MsoNormal">What I get from the above (in d_table) is:</p>
<p class="MsoNormal">Sep 29 14:07:15 p14425dev022 Table: IMP-386: ORACLE error 386 encountered &lt; Ok, first line transformed into syslog messages</p>
<p class="MsoNormal">ORA-01017: invalid username/password; logon deniedUsername:</p>
<p class="MsoNormal">Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production</p>
<p class="MsoNormal">With the Partitioning, OLAP and Data Mining options</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Export file created by EXPORT:V10.02.01 via conventional path</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Warning: the objects were exported by FALCON, not by you</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">import done in WE8ISO8859P1 character set and AL16UTF16 NCHAR character</p>
<p class="MsoNormal">Sep 29 14:07:26 p14425dev022 Table: IMP-00034: Warning: FromUser "FALBOS" not found in export file</p>
<p class="MsoNormal">The snag is, the lines after the first line in the input aren’t concatenated, but are rather individual lines, with an LF.</p>
<p class="MsoNormal">So I’m doing something wrong.</p>
<p class="MsoNormal">With this source:</p>
<p class="MsoNormal">source s_table { file("/path to Table.log " flags(no-multi-line) flags(no-parse) program_override("Table") default-facility(local5) default-priority(info)); };</p>
<p class="MsoNormal">I can get every line of input to transform into a syslog message. Not much use though!</p>
<p class="MsoNormal">Can anyone provide a pointer as to what I’m doing wonky?</p>
<p class="MsoNormal">Thanks</p>
<p class="MsoNormal">Brendan</p></div><br><p>Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1
1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank
plc. Registered Office: 25 Gresham Street, London EC2V 7HN.
Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of
Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in
Scotland no. SC327000. Telephone: 03457 801 801. Cheltenham &
Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered
in England and Wales 2299428. Telephone: 0345 603 1637</p>
</div><br>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
<br>
<br></blockquote></div>
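<p>A model of the prefix/garbage grouping that the quoted source configuration relies on, run over the Oracle lines from the message above; this is an added example in Python, not syslog-ng's own code, and it makes no claim about why the quoted setup misbehaves. The matching rules in the docstring (prefix matched at line start, garbage line dropped along with what follows it up to the next prefix) and the single-space separator are assumptions.</p>

```python
import re

# Constructed sample input: the Oracle import log quoted in the message above.
SAMPLE_LOG = """\
IMP-386: ORACLE error 386 encountered
ORA-01017: invalid username/password; logon deniedUsername:
Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options

Export file created by EXPORT:V10.02.01 via conventional path

Warning: the objects were exported by FALCON, not by you

import done in WE8ISO8859P1 character set and AL16UTF16 NCHAR character set
IMP-00034: Warning: FromUser "FALBOS" not found in export file
"""


def group_prefix_garbage(lines, prefix, garbage=None, sep=" "):
    """Group raw lines into messages by prefix/garbage rules (assumed model,
    not syslog-ng's code): a line matching `prefix` at its start opens a new
    message and flushes the previous one; other lines are appended to it; a
    line matching `garbage` completes the message and is dropped, together
    with everything up to the next prefix. Each message comes back as one
    line, with `sep` in place of the original line breaks."""
    prefix_re = re.compile(prefix)
    garbage_re = re.compile(garbage) if garbage else None
    messages, current, in_garbage = [], None, False
    for line in lines:
        if prefix_re.match(line):
            if current is not None:
                messages.append(sep.join(current))
            current, in_garbage = [line], False
        elif current is None or in_garbage:
            continue  # text before the first prefix, or after a garbage line
        elif garbage_re is not None and garbage_re.search(line):
            messages.append(sep.join(current))
            current, in_garbage = None, True
        else:
            current.append(line)
    if current is not None:
        messages.append(sep.join(current))
    return messages


def demo():
    """Run the sample through the same patterns as the quoted source:
    prefix "IMP" and garbage "set$"; yields two single-line messages."""
    return group_prefix_garbage(SAMPLE_LOG.splitlines(), r"IMP", r"set$")
```

Calling <code>demo()</code> returns two strings, one per IMP block, each free of line breaks; the "character set" line is consumed as garbage and does not appear in either.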