Hi , Thanks for your response. Modifying the transport unix-dgram fixes my issue.The logs are no longer getting truncated after \n.However,just wanted to clarify would changing the unix logging facility affect the remote logging or traffic in any way.I am using UDP ports for logging into remote. Thanks & Regards Swati ----- Original Message ----- From: "Balazs Scheidler" <bazsi@balabit.hu> To: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu> Sent: Thursday, November 10, 2011 1:59:51 AM Subject: Re: [syslog-ng] Logs after "\n" are getting truncated On Tue, 2011-11-08 at 15:02 +0100, Gergely Nagy wrote:
Swati4 M/TVM/TCS <swati4.m@tcs.com> writes:
Hi All,
When logging multiline messages (simple strings with in-line newlines "\n") our logs only show the first line (ie) before "\n" is encountered and rest of the line after the first newline character("\n") is truncated.
The main issue is that the syslog protocol is line-oriented: each line should be prefixed with a syslog-style header. Your logging function doesn't do that, I believe.
This results in syslog-ng not being able to parse the second line.
There are a few options I can think of: one is to modify your application to send each line as a separate log message (but then they'll appear as separate logs on the output aswell, so this might not be a desirable option).
Another option would be to modify your application to NOT send a syslog message header at all, and use flags(no-parse) on the syslog-ng source side, and a custom parser, if you want to turn the message into something syslog-like.
A third option would be to use an intermediate relay (a script, perhaps) that does some heuristics to discover where a message starts, and strips newlines until it finds another message, then sends the previous over to syslog-ng.
The third would be the easiest, but probably the least performant too. It's the only one that doesn't need changes on the application side, though.
There might be other options aswell, but these are the ones I could think of quickly.
Are you using the syslog() API to fire off this event with an embedded NL in it? Or HS_MAP_INFO_LOG() writes messages to a logfile and then you are tailing that with syslog-ng? If the first, then using unix-dgram() as the local log transport may help you get the NLs inside syslog-ng. In that case each and every datagram sent to /dev/log will be logged as a separate message, even if it contains NLs. unix-stream() doesn't work as in unix-stream NL is used as the record terminator. -- Bazsi ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you