<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Is there a line break anywhere in the
log file?</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">If yes</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">1. is the line break in the middle of a
syslog line from this device?</div>
<div class="moz-cite-prefix">2. is the line break at the maximum
message size?</div>
<div class="moz-cite-prefix">3. is the line break at the end of a
log message from a different device that is logging to the same
s_xxx_xxx source?</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">What I am wondering is that the source
of the log messages is logging the exact same stream of data to
the TCP port that it would have over the UDP port (which would be
an error). UDP messages are not terminated with a new line, while
the TCP messages are. If that were the case then syslog-ng would
never see multiple messages, and would write a continuous stream
on a single line until it reached the maximum message length, or
it logged a correctly terminated message from a different device.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Evan.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 2023-02-02 05:55, Dragan Zecevic
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:PAXPR01MB1019235401BD51DF9EDCC1DA0F7D69@PAXPR01MB10192.eurprd01.prod.exchangelabs.com">
<br>
<div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof">
Hi Balazs,</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof">
this is what the whole config snippet looks like:</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
source s_xxx_xxx {
<div class="ContentPasted0"> network(</div>
<div class="ContentPasted0"> ip(0.0.0.0)</div>
<div class="ContentPasted0"> transport(tcp)</div>
<div class="ContentPasted0"> port(xxxx)</div>
<div class="ContentPasted0">
flags(store-raw-message)</div>
<div class="ContentPasted0"> );</div>
<div class="ContentPasted0">};</div>
<div><br class="ContentPasted0">
</div>
<div><br class="ContentPasted0">
</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">filter filter_xxx_xxx {</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0"> host("xxx") or
host("xxx") ...;</div>
<div class="ContentPasted0">};</div>
<div><br class="ContentPasted0">
</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">destination folder_xxx_xxx {</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0"> file(</div>
<div class="ContentPasted0">
"/xxx/.../xxx/${R_YEAR}${R_MONTH}${R_DAY}/${SOURCEIP}_${HOST}_${R_HOUR}.log"</div>
<div class="ContentPasted0">
template("${RAWMSG}\n")</div>
<div class="ContentPasted0">
dir-group(xxx)</div>
<div class="ContentPasted0">
dir-perm(xxx)</div>
<div class="ContentPasted0"> group(xxx)</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0"> );</div>
<div class="ContentPasted0">};</div>
<div><br class="ContentPasted0">
</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">log {</div>
<div class="ContentPasted0"> source(s_xxx_xxx);
filter(filter_xxx_xxx); destination(folder_xxx_xxx);</div>
};<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
Sorry for the xxx but I can't export real parameters in
conversation like this. Also, I can't provide some pcap or
tcpdump.</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
I restarted syslog-ng multiple times because I also added some
other sources and there were no error messages. And this is
the only part of the configuration where either this
destination or folder are used.</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
I hope this info is helpful.</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof ContentPasted0">
Thanks,
<div>Dragan</div>
</div>
<div class="elementToProof">
<div id="Signature"><br>
</div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
syslog-ng <a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng-bounces@lists.balabit.hu">&lt;syslog-ng-bounces@lists.balabit.hu&gt;</a> on
behalf of Balazs Scheidler <a class="moz-txt-link-rfc2396E" href="mailto:bazsi77@gmail.com">&lt;bazsi77@gmail.com&gt;</a><br>
<b>Sent:</b> Tuesday, January 31, 2023 9:18 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list
<a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng@lists.balabit.hu">&lt;syslog-ng@lists.balabit.hu&gt;</a><br>
<b>Subject:</b> Re: [syslog-ng] Syslog messages not stored
in separate lines</font>
<div> </div>
</div>
<div>
<div dir="auto">
<div>If there's an initialization error with a config at
reloading, syslog-ng can fall back to the old one. Can
this happen? Or two destinations writing the same file?</div>
<div dir="auto"><br>
</div>
<div dir="auto">If the problem persists, can you create
a minimal example, complete with config and a sample
message that you send, which reproduces the issue?</div>
<div dir="auto"><br>
</div>
<div dir="auto">Thanks<br>
<br>
<div class="x_gmail_quote" dir="auto">
<div dir="ltr" class="x_gmail_attr">On Tue, Jan 31,
2023, 20:44 Dragan Zecevic &lt;<a
href="mailto:dragan.zecevic@live.com"
moz-do-not-send="true" class="moz-txt-link-freetext">dragan.zecevic@live.com</a>&gt;
wrote:<br>
</div>
<blockquote class="x_gmail_quote" style="margin:0 0 0
.8ex; border-left:1px #ccc solid; padding-left:1ex">
<div dir="ltr">
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)">
<br>
</div>
<div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Hi Balazs,</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
thank you for your reply.</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Yes, I used config like this for other sources
as well and restarted syslog-ng service.</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
I don't get why it doesn't work in this case.
I was thinking it is up to the input.</div>
<div id="x_m_4134358523529882524Signature"><br>
</div>
</div>
<hr style="display:inline-block; width:98%">
<div id="x_m_4134358523529882524divRplyFwdMsg"
dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
syslog-ng &lt;<a
href="mailto:syslog-ng-bounces@lists.balabit.hu"
target="_blank" rel="noreferrer"
moz-do-not-send="true"
class="moz-txt-link-freetext">syslog-ng-bounces@lists.balabit.hu</a>&gt;
on behalf of Balazs Scheidler &lt;<a
href="mailto:bazsi77@gmail.com"
target="_blank" rel="noreferrer"
moz-do-not-send="true"
class="moz-txt-link-freetext">bazsi77@gmail.com</a>&gt;<br>
<b>Sent:</b> Monday, January 30, 2023 6:48 AM<br>
<b>To:</b> Syslog-ng users' and developers'
mailing list &lt;<a
href="mailto:syslog-ng@lists.balabit.hu"
target="_blank" rel="noreferrer"
moz-do-not-send="true"
class="moz-txt-link-freetext">syslog-ng@lists.balabit.hu</a>&gt;<br>
<b>Subject:</b> Re: [syslog-ng] Syslog messages
not stored in separate lines</font>
<div> </div>
</div>
<div>
<div dir="auto">
<div>This would be very strange indeed as the
template of your file destination includes a
newline character at the end of every message,
so it should not depend on the input.</div>
<div dir="auto"><br>
</div>
<div dir="auto">You sure that this is the
destination config that you quote here? Did
you reload syslog-ng to use that config?<br>
<br>
<div dir="auto">
<div dir="ltr">On Sun, Jan 29, 2023, 13:55
Dragan Zecevic &lt;<a
href="mailto:dragan.zecevic@live.com"
target="_blank" rel="noreferrer"
moz-do-not-send="true"
class="moz-txt-link-freetext">dragan.zecevic@live.com</a>&gt;
wrote:<br>
</div>
<blockquote style="margin:0 0 0 .8ex;
border-left:1px #ccc solid;
padding-left:1ex">
<div dir="ltr">
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)">
<br>
</div>
<div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Hi,</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
I am collecting logs from a network
device. They configured syslog
format on their source side to be
RFC3164.</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
On syslog-ng side I am using source
and destination like this:</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
source s_xxx {
<div> network(</div>
<div> ip(0.0.0.0)</div>
<div> transport(tcp)</div>
<div> port(xxx)</div>
<div>
flags(store-raw-message)</div>
<div> );</div>
<div>};</div>
<div><br>
</div>
<div><br>
</div>
<div>destination folder_xxx {</div>
<div><br>
</div>
<div> file(</div>
<div>
"/xxx/${R_YEAR}${R_MONTH}${R_DAY}/${SOURCEIP}_${HOST}_${R_HOUR}.log"</div>
<div>
template("${RAWMSG}\n")</div>
<div> );</div>
};</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
syslog-ng version 3.34</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
CentOS Linux release 7.9.2009</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
The problem is that syslog messages
are stored in raw format but not
separated onto different lines. The parity
bit of a new message starts
immediately after the previous line,
without a space or enter.</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
I have the same config for some
other hosts and there log files are
created with separate lines. Vendor
says they can't change anything on
source side.</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Do you have any idea what is the
cause of this?</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Thank you.</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Br,</div>
<div
style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Dragan</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
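<div>Added example, not part of the original thread and not syslog-ng code: a Python sketch of the hypothesis in the reply at the top, showing how a newline-delimited reader merges a TCP stream whose sender omits the trailing newline, and how to re-split such a capture on the priority field. The sample messages, the host name fw01 and the 8192-byte maximum are constructed assumptions.</div>
<pre>
```python
import re

# An RFC 3164 message starts with a priority field such as <134> (valid range 0..191).
PRI = re.compile(rb"<(\d{1,3})>")
# Octet counting (RFC 6587): decimal length, one space, then the message.
OCTET_COUNT = re.compile(rb"\d{1,5} <\d{1,3}>")

# Constructed sample messages (assumed host and program names).
MESSAGES = [
    b"<134>Feb  2 05:55:01 fw01 app: session opened",
    b"<134>Feb  2 05:55:02 fw01 app: session closed",
    b"<134>Feb  2 05:55:03 fw01 app: policy reload",
]
UNFRAMED = b"".join(MESSAGES)                   # UDP-style payloads written to TCP
FRAMED = b"".join(m + b"\n" for m in MESSAGES)  # newline-terminated, as TCP expects

def pri_offsets(stream: bytes) -> list[int]:
    """Offsets of plausible message starts (heuristic: PRI-like text in a body also matches)."""
    return [m.start() for m in PRI.finditer(stream) if int(m.group(1)) <= 191]

def classify_framing(stream: bytes) -> str:
    """Guess how messages are delimited in a captured TCP byte stream."""
    if OCTET_COUNT.match(stream):
        return "octet-counted"
    starts = pri_offsets(stream)
    if not starts or starts[0] != 0:
        return "unknown"
    later = starts[1:]
    if not later:
        return "newline" if stream.endswith(b"\n") else "unframed"
    after_nl = sum(1 for i in later if stream[i - 1:i] == b"\n")
    if after_nl == len(later):
        return "newline"
    return "unframed" if after_nl == 0 else "mixed"

def newline_reader(stream: bytes, max_len: int = 8192) -> list[bytes]:
    """Model of a reader that ends a record at a newline or at max_len (assumed value)."""
    records = []
    for line in stream.split(b"\n"):
        records.extend(line[i:i + max_len] for i in range(0, len(line), max_len))
    return records

def split_messages(stream: bytes) -> list[bytes]:
    """Recover individual messages by cutting at each priority field."""
    bounds = pri_offsets(stream) + [len(stream)]
    return [stream[a:b].rstrip(b"\r\n") for a, b in zip(bounds, bounds[1:])]

if __name__ == "__main__":
    for name, data in (("framed", FRAMED), ("unframed", UNFRAMED)):
        print(name, classify_framing(data), len(newline_reader(data)), len(split_messages(data)))
```
</pre>
<div>With the unframed sample the newline reader returns one record holding all three messages, which a <code>${RAWMSG}\n</code> template would then write as a single line.</div>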
</body>
</html>