<div dir="auto">There's also grouping-by() for your use case for aggregating multiple messages into a single one.<div dir="auto"><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mar 26, 2017 19:55, "Jim Hendrick" &lt;<a href="mailto:james.r.hendrick@gmail.com">james.r.hendrick@gmail.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">It does if the source does (check the documentation for file() or syslog() options)<div><br></div><div>I also had a log source that sent related events in separate messages that were interleaved with other messages and ended up using the program() destination to send the logs to a custom handler I wrote.</div><div><br></div><div>Essentially I had multiple "keys" for incoming email messages that tied events together like:</div><div>- a single incoming SMTP session (potentially with multiple messages)</div><div>- a single message ID with multiple events about the message (recipients, attachments, anti-malware, etc.)</div><div>- a single delivery connection (again with multiple messages)</div><div>- a single delivery message ID again with multiple events</div><div><br></div><div>The program parsed these in realtime incoming stream, building internal data structures (hash of hashes) and when it looked *complete* (including a timeout) for a particular thing it would send the data across as JSON to the destination (Elasticsearch in this case)</div><div><br></div><div>So - long answer to your question - Yes - in a few different ways :-)</div><div><br></div><div>Best,</div><div>Jim</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Mar 26, 2017 at 10:02 AM, Traiano Welcome <span dir="ltr">&lt;<a href="mailto:traiano@gmail.com" target="_blank">traiano@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div 
dir="ltr">Hi <div><br></div><div> Does syslog-ng support multiline log messages?</div><div><br></div><div>Thanks,</div><div>Traiano </div></div>
<br>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=<wbr>syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>
<br></blockquote></div></div>
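<div dir="auto">The correlation approach described in the thread (key interleaved events, hold them in a hash of hashes, emit JSON on completion or timeout), as an added example that is not Jim's handler or syslog-ng code. Assumptions: key=value formatted lines, a <code>msgid</code> key field, a <code>done</code> event that marks completion, a 30 second timeout, and the hypothetical names <code>Correlator</code> and <code>replay</code>.</div>

```python
import json
import sys
import time

FINAL_EVENT = "done"  # assumption: event name that marks a message as finished

class Correlator:
    """Group interleaved events by msgid and emit one JSON document per group."""

    def __init__(self, timeout=30.0):  # assumption: 30 s of silence closes a group
        self.timeout = timeout
        self.pending = {}  # hash of hashes: msgid -> {"events": [...], "last_seen": t}

    def feed(self, line, now):
        """Consume one log line; return the JSON documents that are now ready."""
        ready = self.expire(now)
        fields = dict(p.split("=", 1) for p in line.split() if "=" in p)
        key = fields.pop("msgid", None)
        if key is None:
            return ready  # interleaved line from something else: ignore it
        group = self.pending.setdefault(key, {"events": []})
        group["events"].append(fields)
        group["last_seen"] = now
        if fields.get("event") == FINAL_EVENT:
            ready.append(self._emit(key, "complete"))
        return ready

    def expire(self, now):
        """Flush groups that have been silent for longer than the timeout."""
        stale = [k for k, g in self.pending.items() if now - g["last_seen"] > self.timeout]
        return [self._emit(k, "timeout") for k in stale]

    def _emit(self, key, reason):
        events = self.pending.pop(key)["events"]
        return json.dumps({"msgid": key, "reason": reason, "events": events}, sort_keys=True)

# Constructed sample input: (seconds, line) pairs with two interleaved messages.
SAMPLE = [(0, "msgid=A event=recv rcpt=a@example.com"), (1, "msgid=B event=recv"),
          (2, "unrelated line"), (3, "msgid=A event=done"), (40, "msgid=C event=recv")]

def replay(sample):
    """Run the constructed sample through a fresh correlator."""
    corr = Correlator()
    return [doc for now, line in sample for doc in corr.feed(line, now)]

if __name__ == "__main__":
    # program() writes one message per line to the handler's stdin.
    corr = Correlator()
    for line in sys.stdin:
        for doc in corr.feed(line.rstrip("\n"), time.monotonic()):
            print(doc, flush=True)
```

<div dir="auto">Expiry here is only checked when a new line arrives, and groups still pending at end of input are not flushed, so a production handler would also need a periodic timer and a cap on the number of pending keys.</div>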