When it sees a new line that's just "bar" it tries to parse it. It'll end up parsing it with 'bar' being the hostname, and will give it a default facility and default priority with a blank message text. I'm not sure what the default facility and priority end up being, but unless you have a log rule which matches them and does something with them, they will just get dropped.

-Patrick

Sent: Wed Dec 01 2010 17:42:46 GMT-0700 (Mountain Standard Time)
From: Ian Lesperance <ianl@ezpublishing.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Extra Lines Truncated
It happens even with "foo\nbar". "foo" is written but "bar" is nowhere to be found.
Not sure if it's relevant, but carriage returns pass through unaltered.
Ian
On Wed, Dec 1, 2010 at 2:15 PM, Bill Anderson <Bill.Anderson@bodybuilding.com> wrote:
If your lines are long, you might be running up against the line length limit. You might do something like the following in options:
# maximum length of message in bytes
# this is only limited by the program listening on the /dev/log Unix
# socket, glibc can handle arbitrary length log messages, but -- for
# example -- syslogd accepts only 1024 bytes
# (default is 2048)
log_msg_size(8192);
And see if that helps.
________________________________________
From: syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu] On Behalf Of Ian Lesperance [ianl@ezpublishing.com]
Sent: Wednesday, December 01, 2010 2:28 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Extra Lines Truncated
That makes sense, and it'd be great if that's what it did, but it actually seems to just drop the rest of the message entirely. The extra lines don't show up anywhere in the log file, with or without metadata.
Based on the search results I found on Google, I thought syslog-ng replaced newlines with spaces just like syslog. So that's no longer the case? I'd ask what version it was changed in, but I'm not seeing either behavior, so I doubt that's the issue.
Ian
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
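Added example, not part of the original thread and not syslog-ng code: two sender-side ways to keep the "bar" of "foo\nbar" from arriving as a header-less line, which Patrick's reply says gets parsed as a hostname with a blank message. The tag `app`, the facility and severity constants, and the simplified frame without a timestamp are assumptions made for the illustration.

```python
# Sender-side handling of multi-line messages before they reach a
# line-oriented syslog receiver. Constructed example; names are hypothetical.

FACILITY_USER = 1   # standard syslog facility code for "user"
SEVERITY_INFO = 6   # standard syslog severity code for "informational"


def pri(facility, severity):
    """Syslog PRI value: facility * 8 + severity."""
    return facility * 8 + severity


def escape_newlines(msg):
    """Option 1: keep one record, make line breaks visible as literal \\n / \\r.

    Backslashes are escaped first so the transformation is reversible and a
    message cannot fake an escaped newline.
    """
    return (msg.replace("\\", "\\\\")
               .replace("\r", "\\r")
               .replace("\n", "\\n"))


def split_records(msg, tag="app", facility=FACILITY_USER,
                  severity=SEVERITY_INFO):
    """Option 2: one complete frame per line.

    Every line carries its own <PRI> and tag, so no line reaches the
    receiver as bare text that has to be guessed at. Blank lines are
    skipped. The frame is simplified: no timestamp or hostname (assumption).
    """
    header = f"<{pri(facility, severity)}>{tag}: "
    return [header + line for line in msg.splitlines() if line.strip()]


if __name__ == "__main__":
    sample = "foo\nbar"  # constructed input, the case from the thread
    print(escape_newlines(sample))
    for frame in split_records(sample):
        print(frame)
```

Option 1 preserves the message as a single event for later correlation; option 2 keeps each line readable but splits one event into several records.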