Dear Satish, multiline is supported in open source version of syslog-ng, as bazsi wrote. To glue the lines together, into one line you can do one of two things. First, configure syslog-ng not to break messages into separate lines, by disabling native multiline support. Second, define a pattern that identifies the beginning of a new line. I encourage you to read the manual prior to engaging entire list to solve your issue, which is clearly not an issue with the way code is written. Thanks. Y. This is my source declaration and i have put flags which you have mentioned. source s_tomcat { syslog( transport("udp") flags(indent-multi-line)); }; I got following error when i am trying to put flags Error parsing afsocket, Unknown flag indent-multi-line in /usr/local/syslog-ng-3.4.2/etc/syslog-ng.conf at line 54, column 33: syslog( transport("udp") flags(indent-multi-line) ); On Thu, Jul 11, 2013 at 10:22 AM, <syslog-ng-request@lists.balabit.hu>wrote:
Send syslog-ng mailing list submissions to syslog-ng@lists.balabit.hu
To subscribe or unsubscribe via the World Wide Web, visit https://lists.balabit.hu/mailman/listinfo/syslog-ng or, via email, send a message with subject or body 'help' to syslog-ng-request@lists.balabit.hu
You can reach the person managing the list at syslog-ng-owner@lists.balabit.hu
When replying, please edit your Subject line so it is more specific than "Re: Contents of syslog-ng digest..."
Today's Topics:
1. Re: Multi-line support issue (Balazs Scheidler) 2. Re: Multi-line support issue (Satish Patel)
----------------------------------------------------------------------
Message: 1 Date: Thu, 11 Jul 2013 13:53:56 +0200 From: Balazs Scheidler <bazsi@balabit.hu> Subject: Re: [syslog-ng] Multi-line support issue To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu> Message-ID: <1373543636.3171.17.camel@bzorp> Content-Type: text/plain; charset="UTF-8"
I can't see the source declaration, it must be something along the lines of:
source s_tomcat { file("/var/log/tomcat/xxx.log" flags(indent-multi-line)); };
On Wed, 2013-07-10 at 12:54 -0400, Satish Patel wrote:
Hi Balazs,
what is your thought about my config? did you see?
On Mon, Jul 8, 2013 at 12:30 PM, Satish Patel <satish.txt@gmail.com> wrote: This is what i have configured and no luck with it.. can you suggest what i am missing?
destination d02_tc74_log { file("/logs/server1/tomcat7.4/catalina_$YEAR$MONTH$DAY.log" template("$(indent-multi-line ${MESSAGE})\n") template(t_tomcatlog) owner("root") group("root") perm(0644) dir_perm(0755) create_dirs(yes)); }; filter server1 { host("server1.example.com") }; log { source (s_tomcat); filter (server1); filter (tomcat7_4); destination (d02_tc74_log); };
On Mon, Jul 8, 2013 at 12:08 PM, Satish Patel <satish.txt@gmail.com> wrote: How do i use indented-multi-line ? I meant where do i configure it? I tried but my syslog-ng doesn't recognizing this option i have syslog-ng 3.3.7 could you give me example where and how do i check whether it is supported or not
On Sat, Jul 6, 2013 at 2:12 AM, Balazs Scheidler <bazsi77@gmail.com> wrote: This looks.like the format that should be supported by indented-multi-line
On Jul 5, 2013 9:33 PM, "Satish Patel" <satish.txt@gmail.com> wrote: Here is my tomcat catalina.out log file sample. See there is a tab space in logs
2013-06-27 05:30:00,065 [EDISN-Scheduler_Worker-2] ERROR com.example.edisn.sftp.SftpSession - Exception attempting to work with an SFTP Session: connection is closed by foreign host 2013-06-27 05:30:00,066 [EDISN-Scheduler_Worker-2] ERROR org.quartz.core.JobRunShell - Job EDISN.CTMS_Upload threw an unhandled Exception: com.example.edisn.EdisnRuntimeException: Exception attempting to work with an SFTP Session: connection is closed by foreign host at
com.example.edisn.sftp.SftpSession.doSession(SftpSession.java:64)
at
com.example.edisn.EdisnSession.exec(EdisnSession.java:13)
at
com.example.ctms.CtmsScheduledJob.executeInternal(CtmsScheduledJob.java:27)
at
org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86)
at
org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool
$WorkerThread.run(SimpleThreadPool.java:525)
Caused by: com.jcraft.jsch.JSchException: connection is closed by foreign host at com.jcraft.jsch.Session.connect(Unknown
Source)
at com.jcraft.jsch.Session.connect(Unknown
Source)
at
com.example.edisn.sftp.SftpSession.doSession(SftpSession.java:45)
... 5 more
On Fri, Jul 5, 2013 at 3:27 PM, Balazs Scheidler <bazsi77@gmail.com> wrote: No, I implemented a different multiline style support first (that is not in pe), where continuation lines are indicated by indentation, like mime.
Iirc tomcat has this kind of log file. Can you show a sample log entry?
The infrastructure for multiline-prefix is also there but not added yet.
Let me see the sample, I'll tell if the current solution works or not.
On Jul 5, 2013 8:24 PM, "Satish Patel" <satish.txt@gmail.com> wrote: Thanks for reply Balazs,
You mean say this feature is available in Open Source Edition (OSE) 3.4? Once after specifying flag "indented-multi-line" i can use multi-line-prefix?
On Fri, Jul 5, 2013 at 1:26 PM, Balazs Scheidler <bazsi77@gmail.com> wrote: You have found the PE documentation but I have already ported this to the OSE tree and has been released as part of 3.4.
You have to specify
indented-multi-line as a flag to the file source.
On Jul 5, 2013 6:28 PM, "Satish Patel" <
satish.txt@gmail.com> wrote:
We have tomcat shop and at everyone
know tomcat has a java call trace in logs with tab space but syslog-ng doesn't know about it and printing lines as a new line. I have read here syslog-ng 3.x does support multi-line logs http://www.balabit.com/sites/default/files/documents/syslog-ng-pe-4.0-guides...
But does this feature
available in Open Source syslog-ng? If yes then why its not working for me?
______________________________________________________________________________
Member info:
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ:
http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________
Member info:
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ:
http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________
Member info:
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ:
http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________
Member info:
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ:
http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________
Member info:
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ:
http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________
Member info:
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
------------------------------
Message: 2 Date: Thu, 11 Jul 2013 10:22:45 -0400 From: Satish Patel <satish.txt@gmail.com> Subject: Re: [syslog-ng] Multi-line support issue To: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu> Message-ID: <CAPgF-fpPdRswwj2HNUXAxfgRekHVhwwF6O= 7N39q9mfggN-nUQ@mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1"
This is my source declaration and i have put flags which you have mentioned.
source s_tomcat { syslog( transport("udp") flags(indent-multi-line)); };
I got following error when i am trying to put flags
Error parsing afsocket, Unknown flag indent-multi-line in /usr/local/syslog-ng-3.4.2/etc/syslog-ng.conf at line 54, column 33:
syslog( transport("udp") flags(indent-multi-line) ); ^^^^^^^^^^^^^^^^^
On Thu, Jul 11, 2013 at 7:53 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
I can't see the source declaration, it must be something along the lines of:
source s_tomcat { file("/var/log/tomcat/xxx.log" flags(indent-multi-line)); };
On Wed, 2013-07-10 at 12:54 -0400, Satish Patel wrote:
Hi Balazs,
what is your thought about my config? did you see?
On Mon, Jul 8, 2013 at 12:30 PM, Satish Patel <satish.txt@gmail.com> wrote: This is what i have configured and no luck with it.. can you suggest what i am missing?
destination d02_tc74_log { file("/logs/server1/tomcat7.4/catalina_$YEAR$MONTH$DAY.log" template("$(indent-multi-line ${MESSAGE})\n") template(t_tomcatlog) owner("root") group("root") perm(0644) dir_perm(0755) create_dirs(yes)); }; filter server1 { host("server1.example.com") }; log { source (s_tomcat); filter (server1); filter (tomcat7_4); destination (d02_tc74_log); };
On Mon, Jul 8, 2013 at 12:08 PM, Satish Patel <satish.txt@gmail.com> wrote: How do i use indented-multi-line ? I meant where do i configure it? I tried but my syslog-ng doesn't recognizing this option i have syslog-ng 3.3.7 could you give me example where and how do i check whether it is supported or not
On Sat, Jul 6, 2013 at 2:12 AM, Balazs Scheidler <bazsi77@gmail.com> wrote: This looks.like the format that should be supported by indented-multi-line
On Jul 5, 2013 9:33 PM, "Satish Patel" <satish.txt@gmail.com> wrote: Here is my tomcat catalina.out log file sample. See there is a tab space in logs
2013-06-27 05:30:00,065 [EDISN-Scheduler_Worker-2] ERROR com.example.edisn.sftp.SftpSession - Exception attempting to work with an SFTP Session: connection is closed by foreign host 2013-06-27 05:30:00,066 [EDISN-Scheduler_Worker-2] ERROR org.quartz.core.JobRunShell - Job EDISN.CTMS_Upload threw an unhandled Exception:
com.example.edisn.EdisnRuntimeException:
Exception attempting to work with an SFTP Session: connection is closed by foreign host
at
com.example.edisn.sftp.SftpSession.doSession(SftpSession.java:64)
at
com.example.edisn.EdisnSession.exec(EdisnSession.java:13)
at
com.example.ctms.CtmsScheduledJob.executeInternal(CtmsScheduledJob.java:27)
at
org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86)
at
org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool
$WorkerThread.run(SimpleThreadPool.java:525)
Caused by: com.jcraft.jsch.JSchException: connection is closed by foreign host at com.jcraft.jsch.Session.connect(Unknown
Source)
at com.jcraft.jsch.Session.connect(Unknown
Source)
at
com.example.edisn.sftp.SftpSession.doSession(SftpSession.java:45)
... 5 more
On Fri, Jul 5, 2013 at 3:27 PM, Balazs Scheidler <bazsi77@gmail.com> wrote: No, I implemented a different multiline style support first (that is not in pe), where continuation lines are indicated by indentation, like mime.
Iirc tomcat has this kind of log file. Can you show a sample log entry?
The infrastructure for multiline-prefix is also there but not added yet.
Let me see the sample, I'll tell if the current solution works or not.
On Jul 5, 2013 8:24 PM, "Satish Patel" <satish.txt@gmail.com> wrote: Thanks for reply Balazs,
You mean say this feature is available in Open Source Edition (OSE) 3.4? Once after specifying flag "indented-multi-line" i can use multi-line-prefix?
On Fri, Jul 5, 2013 at 1:26 PM, Balazs Scheidler <bazsi77@gmail.com> wrote: You have found the PE documentation but I have already ported this to the OSE tree and has been released as part of 3.4.
You have to specify
indented-multi-line as a flag to the file source.
On Jul 5, 2013 6:28 PM, "Satish Patel" <
satish.txt@gmail.com> wrote:
We have tomcat shop and at
everyone know tomcat has a java call trace in logs with tab space but syslog-ng doesn't know about it and printing lines as a new line. I have read here syslog-ng 3.x does support multi-line logs
http://www.balabit.com/sites/default/files/documents/syslog-ng-pe-4.0-guides...
But does this feature
available in Open Source syslog-ng? If yes then why its not working for me?
______________________________________________________________________________
Member info:
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ:
______________________________________________________________________________
Member info:
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ:
______________________________________________________________________________
Member info:
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ:
______________________________________________________________________________
Member info:
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ:
______________________________________________________________________________
Member info:
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ:
______________________________________________________________________________
Member info:
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq