Hello community,

I have the following diagram between some PE and Syslog-ng:

Cisco devices -> Syslog-ng (running on Solaris)

Syslog-ng version:

o NTPSYSLOG# syslog-ng -V
o syslog-ng 3.0.4
o Revision: ssh+git://bazsi@git.balabit //var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.0#master#1b5d618e301ad94aa20e692ffba16469dece8d10
o Compile-Date: Sep 2 2009 06:15:53
o Enable-Threads: off
o Enable-Debug: off
o Enable-GProf: off
o Enable-Memtrace: off
o Enable-Sun-STREAMS: on
o Enable-Sun-Door: on
o Enable-IPv6: on
o Enable-Spoof-Source: on
o Enable-TCP-Wrapper: off
o Enable-SSL: on
o Enable-SQL: off
o Enable-Linux-Caps: off
o Enable-Pcre: on

One of the Cisco devices sends a particular log line that is split in two lines (there is a line-break in between):

    Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1)
     received in update for prefix XXXX:XXXX:XXX.XXX.XXX.X/XXX from X.X.X.X

When the log reaches the Syslog-ng on Solaris server, it is logged like this:

    Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1)
    Mar 13 10:33:14 PE06PVAL01 1182435: received in update for prefix XXXX:XXXX:XXX.XXX.XXX.X/XXX from X.X.X.X

The log is transferred by UDP from the Cisco device to the Solaris server (where the syslog-ng runs).

This is the configuration used in syslog-ng:

    ntpsyslog> more /etc/syslog-ng/syslog-ng.conf
    @version: 3.0
    #
    # syslog-ng configuration file.
    #
    # See syslog-ng(8) and syslog-ng.conf(5) for more information.
    #
    options {
        stats_freq (0);
        flush_lines (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames(off);
        use_dns (yes);
        use_fqdn (no);
        create_dirs (no);
        keep_hostname (yes);
        perm(0640);
    };
    source s_sys { sun-streams ("/dev/log" door("/etc/.syslog_door")); internal(); udp(flags("no-multi-line")); };
    destination d_cons { file("/dev/console"); };
    destination d_mesg { file("/var/adm/messages"); };
    destination d_mail { file("/var/log/syslog"); };
    destination d_auth { file("/var/log/authlog"); };
    destination d_mlop { usertty("operator"); };
    destination d_mlrt { usertty("root"); };
    destination d_mlal { usertty("*"); };
    destination cisco { file("/respaldo/syslog/cisco/cisco.log"); };
    #----------------------------------------------------------------------
    # Forward to a nisip server
    #
    destination cnc-cisco { udp("X.X.X.X" port(X)); };
    #----------------------------------------------------------------------
    filter f_filter1 { level(err) or
        (level(notice) and facility (auth, kern)); };
    filter f_filter2 { level(err) or
        (facility(kern) and level(notice)) or
        (facility(daemon) and level(notice)) or
        (facility(mail) and level(crit)); };
    filter f_filter3 { level(alert) or
        (facility(kern) and level(err)) or
        (facility(daemon) and level(err)); };
    filter f_filter4 { level(alert); };
    filter f_filter5 { level(emerg); };
    filter f_filter6 { facility(kern) and level(notice); };
    filter f_filter7 { facility(mail) and level(debug); };
    #filter f_filter10 { level(alert); };
    filter f_filter9 { facility(user) and level(alert); };
    filter f_cisco { facility(local2); };
    # Alternative
    log { source(s_sys_cisco); filter(f_cisco); destination(cisco); };
    # Alternative
    source s_juniper { file("/respaldo/syslog/juniper/juniper.log"); };
    destination d_juniper_tcp { tcp("X.X.X.X" port(X)); };
    filter f_juniper_tcp {not match("TOPO|/kernel:|snmpd|trace_*|PING_*|BGP_*|bgp_*|repeated|task|task_connect|EVENT|received iff message|rshd|cron" value("MESSAGE")); };
    log { source(s_juniper); filter(f_juniper_tcp); destination(d_juniper_tcp); };
    source s_cisco { file("/respaldo/syslog/cisco/cisco.log"); };
    destination d_cisco_tcp { tcp("X.X.X.X" port(X)); };
    log { source(s_cisco); destination(d_cisco_tcp); };
    ##################################
    # FWD from Syslog to CNC Cisco
    ##################################
    source s_cisco { file("/respaldo/syslog/cisco/cisco.log"); };
    log {source(s_cisco); destination(cnc-cisco); };
    ntpsyslog>

I have tried different configurations in order to make the "no-multi-line" flag work. However, none of them have worked:

    destination cisco { file("/respaldo/syslog/cisco/cisco.log" flags(no-multi-line)); };
    source s_sys { sun-streams ("/dev/log" door("/etc/.syslog_door")); internal(); udp(flags("no-multi-line")); };

If more information is required, please do not hesitate to ask for it.

Thank you beforehand for your help.

Alan Sam
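A post-processing sketch for the symptom described in the post, added here as an example and not part of the original message or of syslog-ng: it rejoins a record whose body has no %FACILITY-SEVERITY-MNEMONIC tag to the previous record from the same host when the numbers before the colon are consecutive. It assumes those numbers (1182434, 1182435 in the post) are per-device sequence numbers; the function name, the second hostname, the prefix and the addresses in the sample are constructed.

```python
import re

# Layout seen in the post: "<receive time> <host> <number>: <body>".
RECORD = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\d+): (.*)$")
# A Cisco message head carries a %FACILITY-SEVERITY-MNEMONIC: tag.
TAG = re.compile(r"%[A-Z0-9_]+-\d-[A-Z0-9_]+:")

# Constructed sample in the post's layout (placeholder prefix and addresses).
SAMPLE = [
    "Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1)",
    "Mar 13 10:33:14 PE06PVAL01 1182435: received in update for prefix 65000:100:192.0.2.0/24 from 192.0.2.1",
    "Mar 13 10:33:20 PE07PVAL01 77: Mar 13 10:33:19: %LINK-3-UPDOWN: Interface Gi0/1, changed state to up",
    "Mar 13 10:34:02 PE06PVAL01 1182440: received in update for prefix 65000:100:198.51.100.0/24 from 192.0.2.1",
]

def rejoin(lines):
    """Merge tag-less continuation records into the preceding record from
    the same host when the sequence numbers are consecutive."""
    out, last = [], {}                    # last: host -> latest record from it
    for line in lines:
        line = line.rstrip("\n")
        m = RECORD.match(line)
        if not m:                         # unexpected layout: pass through untouched
            out.append({"host": None, "seqs": [], "msg": line, "orphan": False})
            continue
        host, seq, body = m.group(2), int(m.group(3)), m.group(4).strip()
        prev = last.get(host)
        head = bool(TAG.search(body))
        if not head and prev and prev["seqs"][-1] + 1 == seq:
            prev["msg"] += " " + body     # second half of a split message
            prev["seqs"].append(seq)
            continue
        # A tag-less record with no adjacent head (lost or reordered UDP
        # datagram) is kept as its own record and flagged as an orphan.
        rec = {"host": host, "seqs": [seq], "msg": body, "orphan": not head}
        out.append(rec)
        last[host] = rec
    return out

if __name__ == "__main__":
    for rec in rejoin(SAMPLE):
        print(rec)
```

Records are tracked per host, so messages from other devices interleaved in the same file do not break the merge.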