<HTML xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<HEAD><!-- Template generated by Exclaimer Template Editor on 10:48:02 Friday, 30 September 2016 -->
<STYLE type=text/css>P.079339b3-6d2d-43d5-b908-92a80a1d1f85 {
MARGIN: 0cm 0cm 0pt
}
LI.079339b3-6d2d-43d5-b908-92a80a1d1f85 {
MARGIN: 0cm 0cm 0pt
}
DIV.079339b3-6d2d-43d5-b908-92a80a1d1f85 {
MARGIN: 0cm 0cm 0pt
}
TABLE.079339b3-6d2d-43d5-b908-92a80a1d1f85Table {
MARGIN: 0cm 0cm 0pt
}
DIV.Section1 {
page: Section1
}
</STYLE>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
<meta name="Generator" content="Microsoft Word 14 (filtered medium)" />
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</HEAD>
<BODY lang="EN-US" link="blue" vlink="purple">
<P>
<div class="WordSection1">
<p class="MsoNormal"><span style=color:#1F497D>Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style=color:#1F497D><o:p> </o:p></span></p>
<p class="MsoNormal"><span style=color:#1F497D>I’m not quite sure if it still relevant, but the Administration guide of Syslog-ng PE 6 show the following for the flags(no-multi-line):<o:p></o:p></span></p>
<p class="MsoNormal"><span style=color:#1F497D><o:p> </o:p></span></p>
<p class="MsoNormal"><span style=color:#1F497D>“Note that this happens only if the underlying transport method actually supports multi-line messages. Currently the rltp, syslog(), network(), unix-dgram() drivers support multi-line messages”<o:p></o:p></span></p>
<p class="MsoNormal"><span style=color:#1F497D><o:p> </o:p></span></p>
<p class="MsoNormal"><span style=color:#1F497D><a href="https://www.balabit.com/documents/syslog-ng-pe-latest-guides/en/syslog-ng-pe-guide-admin/html/reference-source-syslog-chapter.html#idp5523888">https://www.balabit.com/documents/syslog-ng-pe-latest-guides/en/syslog-ng-pe-guide-admin/html/reference-source-syslog-chapter.html#idp5523888</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style=color:#1F497D><o:p> </o:p></span></p>
<p class="MsoNormal"><span style=color:#1F497D>I do not know if it would like to refer to the source or the destination either. But I think it should be ironed out in the BalaBit side, because if I remember correctly the file source does support multi-line
messages. But if it talks about the destination drivers (in which case I think it should be articulated better), that can explain why it not worked for file destination and why it working for udp.<o:p></o:p></span></p>
<p class="MsoNormal"><span style=color:#1F497D><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style=font-size:10.0pt;font-family:"Tahoma","sans-serif">From:</span></b><span style=font-size:10.0pt;font-family:"Tahoma","sans-serif"> syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu]
<b>On Behalf Of </b>Newport, Brendan (Contractor - Security Operations - Development & Support)<br />
<b>Sent:</b> Friday, September 30, 2016 4:35 PM<br />
<b>To:</b> syslog-ng@lists.balabit.hu<br />
<b>Subject:</b> [syslog-ng] Converting multiline text input to concatanated single-line syslog format<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style=margin-bottom:12.0pt><strong><span lang="EN-GB" style=font-family:"Calibri","sans-serif">Classification:
<span style=color:#33CC00>Public</span></span></strong><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Ha!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">I think I might have been trying to achieve the impossible – getting syslog-ng to covert multiline log messages into concatenated syslog messages.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">That doesn’t appear to work. But I defined syslogd instance to direct local5.info messatges received from my syslog-ng client into a log file and all works fine!
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">more local5.log<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Sep 30 14:45:35 <hostname> local5:info <hostname> Table: IMP-386: ORACLE error 386 encountered ORA-01017: invalid username/passwo<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">rd; logon deniedUsername: Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Sep 30 14:45:35 <hostname> local5:info <hostname> Table: IMP-00034: Warning: FromUser "FALBOS" not found in export file With the P<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">artitioning, OLAP and Data Mining options Export file created by EXPORT:V10.02.01 via conventional path<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Sep 30 14:45:35 <hostname> local5:info <hostname> Table: IMP-386: ORACLE error 386 encountered Warning: the objects were exported<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">by FALCON, not by you import done in WE8ISO8859P1 character set and AL16UTF16 NCHAR character set<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Using this config is syslog-ng.conf;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">source s_table { file("<path to input multi-line log file>" multi-line-prefix("IMP") flags(no-parse) flags(no-multi-line)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">program_override("Table") default-facility(local5) default-priority(info)); };<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">filter f_local5_info { facility(local5) and level(info); };<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">and with the destination defined as a udp IP address to port 514;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">log { source(s_table); filter(f_local5_info); destination(d_syslog_udp); };<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">As the desire is to get multiline non-syslog logs off-host to Qradar as syslog messages, that’s the POC passed fine!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p><span lang="EN-GB">Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and
Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 03457 801 801. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered
in England and Wales 2299428. Telephone: 0345 603 1637<o:p></o:p></span></p>
<p><span lang="EN-GB">Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.<o:p></o:p></span></p>
<p><span lang="EN-GB">Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.<o:p></o:p></span></p>
<p><span lang="EN-GB">Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.<o:p></o:p></span></p>
<p><span lang="EN-GB">HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813.<o:p></o:p></span></p>
<p><span lang="EN-GB">This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must
not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded.<o:p></o:p></span></p>
</div>
</div>
<BR /><BR />
<HR id=HR1 />
<BR /><SPAN style="FONT-SIZE: 7.5pt; FONT-FAMILY: Arial; COLOR: #808080">NOTICE:
Morgan Stanley is not acting as a municipal advisor and the opinions or views
contained herein are not intended to be, and do not constitute, advice within
the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer
Protection Act. If you have received this communication in error, please destroy
all electronic and paper copies and notify the sender immediately.
Mistransmission is not intended to waive confidentiality or privilege. Morgan
Stanley reserves the right, to the extent permitted under applicable law, to
monitor electronic communications. This message is subject to terms available at
the following link: http://www.morganstanley.com/disclaimers If you cannot
access these links, please notify us by reply message and we will send the
contents to you. By communicating with Morgan Stanley you consent to the
foregoing and to the voice recording of conversations with personnel of Morgan
Stanley.</SPAN><BR />
<P></P>
<P></P>
<P></P>
<P></P></P></BODY>
</HTML>