On Wed, 2011-09-14 at 17:48 -0700, Lance Laursen wrote:
On Thu, Sep 1, 2011 at 2:57 PM, <mike@lague.org> wrote: I'm using syslog-ng 3.0.5 (OSE).
I've noticed that if a multi-line message is sent by an application to syslog-ng via a unix-stream source, the first line is logged to the right destination, and the next line goes to a default destination. E.g., if a message like "Test message line 1\nTest message line 2\n" is sent, "Test message line 1" appears in the expected destination file, while "Error processing log message: Test message line 2" appears in the default destination.
This limitation (which does not exist with unix-dgram sources) seems to have been reported a number of times on various lists.
The root cause for this is that the record separator is the newline character, so the lines are different syslog records. And the 2nd line is lacking a proper syslog header, so syslog-ng prepends one there.
The feature comparison table at http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/... indicates that there is no support for multi-line messages in OSE 3.2, but there is such support in PE 4.0
That's right. In the last couple of days I was working with the PE team in-house on reviewing the patches the PE team did, among others the multi-line feature, but it is not yet integrated to the OSE tree. Our work-in-progress tree is published in git://git.balabit.hu/bazsi/syslog-ng-3.3.git "pe-rebase" branch. I hope to integrate most of it to the OSE tree.
Yet I thought a saw a message which indicated that there might be support for multi-line messages in an OSE release? Can someone confirm this?
Not in an official OSE release. The code is available in the git repo quoted above though.
Also, is there any way around this limitation in earlier OSE releases?
the use of unix-dgram() should help in your specific situation. -- Bazsi