The most important thing with multiline is the transport.
UDP can transmit multiline messages, just as syslog(transport(tcp)) does, but of course the client has to support the same protocol.
What do you use on the Solaris side?
If you haven't changed the client, I don't see why the message would be truncated like that. Once received, syslog-ng would only replace newlines with spaces.
So I guess it is a transport issue on the sending side. But tcpdump/wireshark should help a lot here.
Admittedly haven't done enough searching or testing on this, but am
hoping someone might have a quick answer.
Recently moved from the 2.x versions to 3.2.5 (as part of EPEL on
RHEL6). Have noticed that we're no longer getting the full messages
from some Solaris boxen using the tcp() and udp() source definitions.
Messages like this:
May 10 02:29:30 dev-zfs2 scsi: [ID 365881 kern.info] /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):
May 10 02:29:30 dev-zfs2 Log info 0x31080000 received for target 24.
May 10 02:29:30 dev-zfs2 scsi_status=0x0, ioc_status=0x804b, scsi_state=0x0
Come through looking like this:
May 10 02:29:30 dev-zfs2 scsi: [ID 365881 kern.info] /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):
(Only the initial line)
However, messages like this one:
May 9 04:12:57 dev-zfs2 scsi: [ID 243001 kern.warning] WARNING: /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):
May 9 04:12:57 dev-zfs2 mptsas_handle_event_sync: IOCStatus=0x8000, IOCLogInfo=0x31110610
... do seem to be coming through "whole" (I do note that the priority
is different in both).
Relevant config items are as follows:
log {
    source(remote);
    filter(syslog);
    destination(hosts_syslog);
};
source remote {
    udp();
    tcp();
    # udp(ip(0.0.0.0) port(514));
    # tcp(ip(0.0.0.0) port(514));
};
destination hosts_syslog {
    file("/logs/hosts/$HOST/$YEAR/$MONTH/syslog.$HOST.$YEAR.$MONTH.log"
         create_dirs(yes));
    pipe("/logs/hosts/everything.fifo");
};
filter syslog {
    (not facility(mail)
     and not filter(f_ucgw)
     and not filter(f_esx));
};
Will try and do some packet captures to confirm Solaris is, in fact,
sending the entire message (I believe it is since this worked on
syslog-ng 2.x).
Thanks,
Ray
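To make the transport point from the reply concrete against the symptom Ray describes, here is an added example (written for this page; it is not code from the thread or from syslog-ng itself). It models the three ways a record can be framed on the wire: one message per UDP datagram, newline-terminated records on a plain TCP stream, and octet-counted records as used by the syslog() driver with transport(tcp). The assumptions are that the legacy tcp() driver delimits records on newlines and that syslog(transport(tcp)) uses RFC 6587 octet counting; the sample payload is constructed from the three mpt_sas lines in the thread, reassembled into one record with a `<6>` (kern.info) priority prefix. The `normalize()` step is the newline-to-space replacement the reply says syslog-ng applies after receipt.

```python
"""Added example: how three syslog transports frame one multiline kernel
message, and why newline-framed TCP can cut it after the first line.
Not part of the syslog-ng thread; framing rules are stated assumptions."""

from typing import Dict, List

# Constructed sample (from the thread's three Solaris lines, joined into the
# single record a kernel logger would emit, with embedded newlines).
SAMPLE = (
    "<6>May 10 02:29:30 dev-zfs2 scsi: [ID 365881 kern.info] "
    "/pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):\n"
    "Log info 0x31080000 received for target 24.\n"
    "scsi_status=0x0, ioc_status=0x804b, scsi_state=0x0"
)


def frame_udp(messages: List[str]) -> List[bytes]:
    """udp(): one datagram per message; the datagram is the record boundary."""
    return [m.encode() for m in messages]


def parse_udp(datagrams: List[bytes]) -> List[str]:
    """Receiver side: every datagram is one message, newlines and all."""
    return [d.decode() for d in datagrams]


def frame_tcp_newline(messages: List[str]) -> bytes:
    """Assumed legacy tcp() framing: each record terminated by '\\n'."""
    return b"".join(m.encode() + b"\n" for m in messages)


def parse_tcp_newline(stream: bytes) -> List[str]:
    """Receiver side: the stream is split on '\\n', so an embedded newline
    ends the record early; the remaining lines arrive as separate, headerless
    records rather than as part of the original message."""
    return [chunk.decode() for chunk in stream.split(b"\n") if chunk]


def frame_tcp_octet(messages: List[str]) -> bytes:
    """Assumed syslog(transport(tcp)) framing (RFC 6587 octet counting):
    'LENGTH SP MESSAGE', so the payload may contain any bytes."""
    return b"".join(f"{len(m.encode())} ".encode() + m.encode() for m in messages)


def parse_tcp_octet(stream: bytes) -> List[str]:
    """Receiver side: read the decimal length, then exactly that many bytes."""
    out, pos = [], 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)
        length = int(stream[pos:sp])
        start = sp + 1
        out.append(stream[start:start + length].decode())
        pos = start + length
    return out


def normalize(msg: str) -> str:
    """Post-receipt step described in the reply: newline becomes a space."""
    return msg.replace("\n", " ")


def records_per_transport(msg: str) -> Dict[str, int]:
    """How many records the receiver sees for one multiline message."""
    return {
        "udp": len(parse_udp(frame_udp([msg]))),
        "tcp_newline": len(parse_tcp_newline(frame_tcp_newline([msg]))),
        "tcp_octet": len(parse_tcp_octet(frame_tcp_octet([msg]))),
    }


if __name__ == "__main__":
    for name, count in records_per_transport(SAMPLE).items():
        print(f"{name:12s} -> {count} record(s)")
    # The first newline-framed record is exactly the truncated line from the thread.
    print(parse_tcp_newline(frame_tcp_newline([SAMPLE]))[0])
    print(normalize(parse_udp(frame_udp([SAMPLE]))[0]))
```

Run with `python3 transports.py`. The newline-framed path yields three records whose first one matches the "only the initial line" symptom, while the datagram and octet-counted paths deliver the whole message, which `normalize()` then flattens to one line. Whether the Solaris client really emits the record as a single datagram or octet-counted frame is what the capture the reply recommends (tcpdump or wireshark on the receiving host) would settle.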
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq