I always dealt with the messages containing heinous characters (such as \t and \n) by running them through a rewrite rule to strip them out and replace them with ' ', then collecting them to an output file with this template. template t_raw { template("${MSGONLY}\n"); }; After that then you can just create the PatternDB based on the content of the file and you should be OK. Scarier question: how do you detect multiline log messages when the logs arrive over a TCP socket? :-) Matthew. On Thu, Oct 28, 2010 at 08:40:07PM +0200, Balazs Scheidler wrote:
On Thu, 2010-10-21 at 12:26 -0400, Lars Kellogg-Stedman wrote:
Interesting idea and of course doable, but then if there's indeed multiple spaces in the message, you get in trouble.
If you were to only give linebreaks special treatment -- so that "this\nthat" would become "this that" -- then you've probably solved both problems; messages can be wrapped for readability and you can still include arbitrary stretches of whitespace in the expression.
Hmm... and what about multi-line messages? sorry to raise one problem at a time, but this how they come to my scattered and distracted mind. (after returning from Netfilter Workshop where I spent my last week, this week is close to horrible :)
-- Bazsi
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html