<div dir="ltr"><div><div><div><div><div><div><div><div><div><div>Dear Brendan,<br><br></div>Please be aware that under normal circumstances when following the standard support process, your questions/problems should be forwarder to <span class="gmail-" id="gmail-:3a3.1" tabindex="-1">BalaBit's</span> partner, who is providing end-user support for you and your organization.<br></div><br></div>With that being said, I think that:<br>- the multi-line-prefix() option looks okay in your config<br></div>- is there any specific reason you have set the multi-line-garbage() option? It simply throws away everything between the garbage, and the next prefix regex pattern.<br></div>- I would check the file format of the Oracle logs, whether they have UNIX or Windows-style line endings. (CRLFs or plain LFs)<br></div>- the no-multi-line flag looks okay in your config, it should flatten the logs read in, to one-line messages<br><br></div>Also, the 5.0.6b is a rather old version. Currently we are at 5.0.14 with the 5.0 LTS line of syslog-ng PE.<br></div>Do you have the possibility to test the behavior of the latest release? I tried to check our internal bug-tracker, but failed to find any relevant bugs to this case.<br><br></div>Thank You!<br><br></div><div>Best Regards,<br></div><div>János Szigetvári<div><div><div><div><div><div><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">Janos SZIGETVARI<br><span>RHCE, License no. <a href="https://www.redhat.com/rhtapps/verify/?certId=150-053-692" target="_blank">150-053-692</a></span><br><br>__@__˚V˚<br>Make the switch to open (source) applications, protocols, formats now:<br>- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice<br>- msn -> jabber protocol (Pidgin, Google Talk)<br>- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp</div></div></div></div></div></div></div></div></div></div></div></div></div></div><br></div></div></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-09-29 16:04 GMT+02:00 Newport, Brendan (Contractor - Security Operations - Development & Support) <span dir="ltr"><<a href="mailto:Brendan.Newport@lloydsbanking.com" target="_blank">Brendan.Newport@lloydsbanking.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-GB"><div><p class="MsoNormal"><b><span style="font-family:"calibri","sans-serif"">Classification: <span style="color:rgb(51,204,0)">Public</span></span></b><br><br><u></u><u></u></p><p class="MsoNormal">Hi!<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">My first posting on the mailing list.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I’ve run into a snag trying to get multiline logs concatenated onto one line and written as syslog-format messages.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Actually the second part is working fine; I can get the first line identified and incorporated into a syslog message, but all subsequent lines aren’t included.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Just for testing I’ve some simple input;<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">‘IMP-386: ORACLE error 386 encountered<u></u><u></u></p><p class="MsoNormal">ORA-01017: invalid username/password; logon deniedUsername:<u></u><u></u></p><p class="MsoNormal">Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production<u></u><u></u></p><p class="MsoNormal">With the Partitioning, OLAP and Data Mining options<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Export file created by EXPORT:V10.02.01 via conventional path<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Warning: the objects were exported by FALCON, not by you<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">import done in WE8ISO8859P1 character set and AL16UTF16 NCHAR character set<u></u><u></u></p><p class="MsoNormal">IMP-00034: Warning: FromUser "FALBOS" not found in export file’<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">What I’m aiming to do is log only the Oracle errors, commencing at the string ‘IMP’ and ending only when the next line is found with ‘IMP’ (this log only sees errors)<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">So in syslog-ng.conf (version 5.0.6b PE) <u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">source s_table { file("/path to Table.log" multi-line-prefix("IMP") multi-line-garbage("set$") flags(no-p<u></u><u></u></p><p class="MsoNormal">arse) flags(no-multi-line) program_override("Table") default-facility(local5) default-priority(info)); };<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Just to try to get things working, I’ve hard-coded the final string present in my sample input - ‘set’<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">The output is scheduled to go off-server, but for the moment I want to see the transformed messages in their own file;<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">destination d_table { file("/auditsox/table.log"); };<u></u><u></u></p><p class="MsoNormal">log { source(s_table); destination(d_table); };<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">What I get from the above (in d_table) is;<u></u><u></u></p><div style="border-width:medium medium 1.5pt;border-style:none none solid;border-color:-moz-use-text-color -moz-use-text-color windowtext;padding:0cm 0cm 1pt"><p class="MsoNormal" style="border-width:medium;border-style:none;border-color:-moz-use-text-color;padding:0cm"><u></u> <u></u></p></div><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Sep 29 14:07:15 p14425dev022 Table: IMP-386: ORACLE error 386 encountered < Ok, first line transformed into syslog messages<u></u><u></u></p><p class="MsoNormal">ORA-01017: invalid username/password; logon deniedUsername:<u></u><u></u></p><p class="MsoNormal">Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production<u></u><u></u></p><p class="MsoNormal">With the Partitioning, OLAP and Data Mining options<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Export file created by EXPORT:V10.02.01 via conventional path<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Warning: the objects were exported by FALCON, not by you<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">import done in WE8ISO8859P1 character set and AL16UTF16 NCHAR character<u></u><u></u></p><p class="MsoNormal">Sep 29 14:07:26 p14425dev022 Table: IMP-00034: Warning: FromUser "FALBOS" not found in export file<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">_____________________<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">The snag is, the lines after the first line in the input aren’t concatenated, but are rather individual lines, with an LF.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">So I’m doing something wrong. <u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">With this source;<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">source s_table { file("/path to Table.log " flags(no-multi-line) flags(no-parse) program_override("<u></u><u></u></p><p class="MsoNormal">Table") default-facility(local5) default-priority(info)); };<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I can get every line of input to transform into a syslog message. Not much use though!<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Can anyone provide a pointer as to what I’m doing wonky?<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Thanks<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Brendan<u></u><u></u></p></div><br><p>Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1
1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank
plc. Registered Office: 25 Gresham Street, London EC2V 7HN.
Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of
Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in
Scotland no. SC327000. Telephone: 03457 801 801. Cheltenham &
Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered
in England and Wales 2299428. Telephone: 0345 603 1637</p>
<p>Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential
Regulation Authority and regulated by the Financial Conduct Authority and
Prudential Regulation Authority.</p>
<p>Cheltenham & Gloucester plc is authorised and regulated by the Financial
Conduct Authority.</p>
<p>Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester
Savings is a division of Lloyds Bank plc.</p>
<p>HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in
Scotland no. SC218813.</p>
<p>This e-mail (including any attachments) is private and confidential and may
contain privileged material. If you have received this e-mail in error, please
notify the sender and delete it (including any attachments) immediately. You
must not copy, distribute, disclose or use any of the information in it or any
attachments. Telephone calls may be monitored or recorded.</p>
</div><br>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div></div>