How do you create a filter for ^M and other control characters?

Matthew.

On Mon, Oct 11, 2010 at 04:27:59PM -0600, Patrick H. wrote:
What you might try is to create a filter that takes all incoming data on the tcp socket, replaces ^M with \n, and then pipes it back into another source driver (socket, pipe, whatever) for syslog-ng to process again, but without the filter expression (^M is probably \r as that's what most editors will display \r as). I'm not sure if that'll work, but I think it should.
-Patrick
Sent: Mon Oct 11 2010 15:48:53 GMT-0600 (Mountain Daylight Time)
From: Lee, Steve <steve.lee@emory.edu>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Multiple syslog messages in one tcp packet
I’ve got a Windows syslog client (from Q1 Labs) that wants to send multiple syslog messages within a single tcp packet to syslog-ng. The messages file on the syslog-ng side looks like this (Note the “^M<13>” separating the individual messages):
[user] [notice] Oct 11 16:25:05 10.40.3.16 10.40.3.16 ation_logfile.txt Payload=server.Emory.Edu, The Operations Manager agent processes are using too much processor time SEVERITY:2 STATE: New; Custom Oct 11 15:15:58^M<13>Oct 11 15:17:58 server2.emory.edu AgentDevice=FileForwarder AgentLogFile=logfile.txt Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: New; StateCollection Oct 11 15:17:58^M<13>Oct 11 15:19:58 server2.emory.edu AgentDevice=FileForwarder AgentLogFile= logfile.txt Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: Closed; StateCollection Oct 11 15:19:58^M
Is it possible to configure syslog-ng to separate the messages out into individual ones like these?
[user] [notice] Oct 11 16:25:05 10.40.3.16 10.40.3.16 ation_logfile.txt Payload=server.Emory.Edu, The Operations Manager agent processes are using too much processor time SEVERITY:2 STATE: New; Custom Oct 11 15:15:58
[user] [notice] Oct 11 15:17:58 server2.emory.edu AgentDevice=FileForwarder AgentLogFile=logfile.txt Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: New; StateCollection Oct 11 15:17:58
[user] [notice] Oct 11 15:19:58 server2.emory.edu AgentDevice=FileForwarder AgentLogFile= logfile.txt Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: Closed; StateCollection Oct 11 15:19:58
I am using the syslog-ng ose client version 3.0.3.
Thanks.
Steve
-------------
Steve Lee
Technical Operations Center
University Technology Services
Emory University
-------------
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
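The re-framing step Patrick suggests in the thread (replace ^M with \n before the data reaches a second source), as an added example that is not from the thread or from syslog-ng. The class and function names, the 8192-byte cap and the shortened sample messages are assumptions; the splitter keeps a partial message when a TCP read ends mid-message.

```python
# Added example: incremental re-framing of a TCP syslog stream in which the
# sender ends each message with CR (^M, 0x0d) instead of LF.
MAX_MSG = 8192  # assumed cap so a sender that never sends a delimiter cannot grow the buffer


class CRSplitter:
    """Turn arbitrary TCP read chunks into complete syslog messages."""

    def __init__(self, max_msg=MAX_MSG):
        self.buf = bytearray()
        self.max_msg = max_msg

    def feed(self, chunk: bytes) -> list:
        """Add one recv() chunk; return the messages completed by it."""
        self.buf += chunk.replace(b"\r", b"\n")   # treat ^M like a newline
        *done, rest = bytes(self.buf).split(b"\n")
        self.buf = bytearray(rest)                 # partial tail waits for more data
        out = [m for m in done if m]               # CRLF yields an empty piece; drop it
        while len(self.buf) > self.max_msg:        # oversized run without a delimiter
            out.append(bytes(self.buf[:self.max_msg]))
            del self.buf[:self.max_msg]
        return out


def reframe(chunks):
    """Return the LF-terminated byte stream to hand to a second source."""
    s = CRSplitter()
    return b"".join(m + b"\n" for c in chunks for m in s.feed(c))


# Constructed sample: three CR-separated messages, cut mid-message as TCP may do.
SAMPLE = [
    b"<13>Oct 11 15:15:58 host1 Payload=A STATE: New\r<13>Oct 11 15:17",
    b":58 host2 Payload=B STATE: New\r<13>Oct 11 15:19:58 host2 Payload=B STATE: Closed\r",
]

if __name__ == "__main__":
    print(reframe(SAMPLE).decode(), end="")
```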