Not sure in this specific case, but I parsed some multi-line logs where the lines were not consecutive (i.e. related parts could come in anywhere in the stream), and I had to resort to a program() to handle them.
I wrote something to identify log messages by key "IDs" and store the data in a hash table until all the parts of the message were received (or a timer expired) and then sent them along to the SIEM.

Hope that might help.
Jim


On Fri, Aug 10, 2018 at 10:35 AM, Michael Thénault <michael.thenault@gmail.com> wrote:
Hello,

I have an issue with syslog-ng 3.16.1 and multi-line logs.

I am trying to configure per-application filters using either the program
name or a facility.
The applications use the traditional syslog() from syslog.h.
When an application logs multiple lines, only the first line is filtered.
Indeed, the program name or facility is only applied to the first line.

Example:
$ logger -t testprog "line1
line2
line3"

$ cat /var/log/messages
2018-08-10T16:26:14.000000+02:00 testprog: line1
2018-08-10T16:26:14.899505+02:00 line2
2018-08-10T16:26:14.899505+02:00 line3

The log source is unix-stream("/dev/log");

What can I do to fix this ?

Thanks in advance for your help.

Thanks & Regards,
Michael
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
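The hash-table-plus-timer reassembly Jim describes, written out as an added example; this is not code from either message or from syslog-ng itself. It assumes fragments carry an "id=<key> part=<i>/<n>" field (a stand-in for whatever key the real application emits; the SAMPLE lines are constructed). The script is shaped as the target of a program() destination: it reads raw lines on stdin, buffers fragments per ID, releases a message as soon as all parts are present, and releases anything whose first fragment is older than the timeout as INCOMPLETE rather than holding it forever.

```python
import re
import sys
import time

# Constructed sample stream for this example (not real application output).
# Each tuple is (arrival time in seconds, raw syslog line). The "id=X part=i/n"
# fields are an assumption standing in for whatever key the application puts on
# every fragment of a multi-part message. Parts of A, B and C are interleaved,
# and C never completes.
SAMPLE = [
    (0.0, "2018-08-10T16:26:14+02:00 host app[1]: id=A part=1/3 first line of A"),
    (0.0, "2018-08-10T16:26:14+02:00 host app[1]: id=B part=1/2 first line of B"),
    (1.0, "2018-08-10T16:26:15+02:00 host app[1]: id=A part=2/3 second line of A"),
    (1.0, "2018-08-10T16:26:15+02:00 host app[1]: id=B part=2/2 last line of B"),
    (2.0, "2018-08-10T16:26:16+02:00 host app[1]: id=C part=1/2 first line of C"),
    (2.0, "2018-08-10T16:26:16+02:00 host app[1]: id=A part=3/3 last line of A"),
    (8.0, "2018-08-10T16:26:22+02:00 host cron[7]: single-line message, no key"),
]

# Assumed fragment format "id=<key> part=<i>/<n> <body>"; adjust to the real one.
PART_RE = re.compile(r"id=(?P<id>\S+) part=(?P<n>\d+)/(?P<total>\d+) (?P<body>.*)")


class Reassembler:
    """Hash table of in-flight messages keyed by ID. A message is released when
    all its parts arrived, or (marked incomplete) when its first fragment is
    older than timeout_s seconds."""

    def __init__(self, timeout_s=5.0, clock=time.monotonic):
        self.timeout_s = timeout_s
        self.clock = clock
        self.pending = {}  # id -> {"first_seen", "total", "prefix", "parts"}

    def feed(self, line, now=None):
        """Consume one raw line; return the (id, complete, text) events it
        releases: expired messages first, then this line's own message."""
        now = self.clock() if now is None else now
        events = self.expire(now)
        m = PART_RE.search(line)
        if m is None:
            events.append(("", True, line))  # keyless single-line message: pass through
            return events
        msg_id = m.group("id")
        entry = self.pending.setdefault(msg_id, {
            "first_seen": now,
            "total": int(m.group("total")),
            "prefix": line[:m.start()].rstrip(),  # timestamp/host/program header
            "parts": {},
        })
        entry["parts"][int(m.group("n"))] = m.group("body")
        if len(entry["parts"]) >= entry["total"]:
            del self.pending[msg_id]
            events.append((msg_id, True, self._join(entry)))
        return events

    def expire(self, now=None):
        """Release every message whose first fragment is older than the timeout."""
        now = self.clock() if now is None else now
        stale = [k for k, e in self.pending.items() if now - e["first_seen"] >= self.timeout_s]
        return [(k, False, self._join(self.pending.pop(k))) for k in stale]

    def flush(self):
        """End of stream: release everything still pending as incomplete."""
        events = [(k, False, self._join(e)) for k, e in self.pending.items()]
        self.pending.clear()
        return events

    @staticmethod
    def _join(entry):
        # Parts are ordered by their part number, not by arrival order.
        bodies = [entry["parts"][n] for n in sorted(entry["parts"])]
        return entry["prefix"] + " " + " | ".join(bodies)


def reassemble(stream, timeout_s=5.0):
    """Run a list of (arrival_time, line) pairs through a Reassembler."""
    r = Reassembler(timeout_s)
    events = []
    for now, line in stream:
        events.extend(r.feed(line, now))
    events.extend(r.flush())
    return events


def main():
    # Reads raw lines from stdin (e.g. fed by a syslog-ng program() destination)
    # and writes one reassembled line per message to stdout.
    r = Reassembler(timeout_s=5.0)
    for raw in sys.stdin:
        for _, complete, text in r.feed(raw.rstrip("\n")):
            print(text if complete else "INCOMPLETE " + text, flush=True)
    for _, _, text in r.flush():
        print("INCOMPLETE " + text, flush=True)


if __name__ == "__main__":
    main()
```

On the SAMPLE stream with the default 5 s timeout this releases B and A as complete messages in the order they finished, then C as INCOMPLETE when the cron line arrives 6 s after C's first fragment, and finally the cron line itself unchanged. One caveat of this shape: the timer is only checked when a line arrives, so a stalled input holds the last incomplete messages until the next line or end of stream; a production version would check expire() from a thread or a select() loop with a timeout.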