is there support for multi-line messages in a syslog-ng OSE release?
I'm using syslog-ng 3.0.5 (OSE).
I've noticed that if a multi-line message is sent by an application to syslog-ng via a unix-stream source, the first line is logged to the right destination, and the next line goes to a default destination. E.g., if a message like "Test message line 1\nTest message line 2\n" is sent, "Test message line 1" appears in the expected destination file, while "Error processing log message: Test message line 2" appears in the default destination.
This limitation (which does not exist with unix-dgram sources) seems to have been reported a number of times on various lists.
The feature comparison table at http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/... indicates that there is no support for multi-line messages in OSE 3.2, but there is such support in PE 4.0.
Yet I thought I saw a message which indicated that there might be support for multi-line messages in an OSE release? Can someone confirm this? Also, is there any way around this limitation in earlier OSE releases?
Thank you,
--Mike
On Thu, 2011-09-01 at 17:57 -0400, mike@lague.org wrote:
> I'm using syslog-ng 3.0.5 (OSE).
> I've noticed that if a multi-line message is sent by an application to syslog-ng via a unix-stream source, the first line is logged to the right destination, and the next line goes to a default destination. E.g., if a message like "Test message line 1\nTest message line 2\n" is sent, "Test message line 1" appears in the expected destination file, while "Error processing log message: Test message line 2" appears in the default destination.
> This limitation (which does not exist with unix-dgram sources) seems to have been reported a number of times on various lists.
> The feature comparison table at http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/... indicates that there is no support for multi-line messages in OSE 3.2, but there is such support in PE 4.0.
> Yet I thought I saw a message which indicated that there might be support for multi-line messages in an OSE release? Can someone confirm this? Also, is there any way around this limitation in earlier OSE releases?
Hi,
The code by the PE team is available on git.balabit.hu, but I still had no time to integrate all changes. This is one of those bits, which is not yet in OSE, even though the code is available.
The issue is that the patches in the PE tree are quite interleaved and picking out features is quite difficult. Also, I wouldn't want to merge the tree as a whole, since I'd be the one to support that version, and when I'm not 100% sure that I understand how things work, I don't integrate.
But anyway, this is something that is important to do, and I'd like to do that, but as always it happens as time permits.
You, or anyone else can help me in this regard: creating a concise patch series that contains a single functionality alone. Then, quite probably some review cycles are going to be needed, in cases when something is implemented in a way that is not fit for the OSE purposes.
I do know about a couple of things that are so PE specific that I wouldn't want to put it in the OSE tree, those bits will have to be maintained by the PE crew. Such an example is the code supporting the license validation, which certainly doesn't make sense in the OSE context.
So with coding skills, anyone can contribute by helping me to integrate that stuff.
PS: and this is now possible, because of the latest change in licensing and because of the fact that the PE crew actually publishes the git tree that they integrate into the PE product.
-- Bazsi
On Thu, Sep 1, 2011 at 2:57 PM, <mike@lague.org> wrote:
> I'm using syslog-ng 3.0.5 (OSE).
> I've noticed that if a multi-line message is sent by an application to syslog-ng via a unix-stream source, the first line is logged to the right destination, and the next line goes to a default destination. E.g., if a message like "Test message line 1\nTest message line 2\n" is sent, "Test message line 1" appears in the expected destination file, while "Error processing log message: Test message line 2" appears in the default destination.
> This limitation (which does not exist with unix-dgram sources) seems to have been reported a number of times on various lists.
> The feature comparison table at http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/... indicates that there is no support for multi-line messages in OSE 3.2, but there is such support in PE 4.0.
> Yet I thought I saw a message which indicated that there might be support for multi-line messages in an OSE release? Can someone confirm this? Also, is there any way around this limitation in earlier OSE releases?
> Thank you, --Mike
Hey,
/dev/log is an AF_UNIX socket, so you can use unix-dgram in place of unix-stream with no problems (I have in the past for this exact problem). Also, using a UDP (and I imagine TCP) source will preserve newlines.
Regards,
On Wed, 2011-09-14 at 17:48 -0700, Lance Laursen wrote:
> On Thu, Sep 1, 2011 at 2:57 PM, <mike@lague.org> wrote:
> > I'm using syslog-ng 3.0.5 (OSE).
> > I've noticed that if a multi-line message is sent by an application to syslog-ng via a unix-stream source, the first line is logged to the right destination, and the next line goes to a default destination. E.g., if a message like "Test message line 1\nTest message line 2\n" is sent, "Test message line 1" appears in the expected destination file, while "Error processing log message: Test message line 2" appears in the default destination.
> > This limitation (which does not exist with unix-dgram sources) seems to have been reported a number of times on various lists.
The root cause for this is that the record separator is the newline character, so the lines are different syslog records. And the 2nd line is lacking a proper syslog header, so syslog-ng prepends one there.
> > The feature comparison table at http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/... indicates that there is no support for multi-line messages in OSE 3.2, but there is such support in PE 4.0.
That's right. In the last couple of days I was working with the PE team in-house on reviewing the patches the PE team did, among others the multi-line feature, but it is not yet integrated to the OSE tree. Our work-in-progress tree is published in git://git.balabit.hu/bazsi/syslog-ng-3.3.git "pe-rebase" branch. I hope to integrate most of it to the OSE tree.
> > Yet I thought I saw a message which indicated that there might be support for multi-line messages in an OSE release? Can someone confirm this?
Not in an official OSE release. The code is available in the git repo quoted above though.
> > Also, is there any way around this limitation in earlier OSE releases?
The use of unix-dgram() should help in your specific situation.
-- Bazsi
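
The framing difference described in the reply above, as an added example that is not part of the thread and is not syslog-ng code: a Python sketch that sends the thread's two-line message over an AF_UNIX stream socket and over an AF_UNIX datagram socket. The `<13>` priority header on the sample payload and all function names are assumptions made for the illustration.

```python
import socket

# Constructed sample: the two-line message from the thread, with an assumed
# <13> priority header so that the first line parses as a normal record.
PAYLOAD = b"<13>Test message line 1\nTest message line 2\n"


def has_syslog_header(record: bytes) -> bool:
    """True if the record starts with a <PRI> field such as b'<13>'."""
    if not record.startswith(b"<"):
        return False
    end = record.find(b">", 1, 5)
    return end > 1 and record[1:end].isdigit()


def records_via_stream(payload: bytes) -> list:
    """Stream socket: no message boundaries, so the reader frames on newline."""
    tx, rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with tx, rx:
        tx.sendall(payload)
        tx.shutdown(socket.SHUT_WR)  # signal end-of-stream to the reader
        buf = b""
        while chunk := rx.recv(4096):
            buf += chunk
    return [line for line in buf.split(b"\n") if line]


def records_via_dgram(payload: bytes) -> list:
    """Datagram socket: the kernel keeps boundaries, one send is one record."""
    tx, rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    with tx, rx:
        tx.send(payload)
        return [rx.recv(65536).rstrip(b"\n")]


def summarize(records: list) -> list:
    """Pair each record with whether it carries its own syslog header."""
    return [(r.decode(), has_syslog_header(r)) for r in records]


if __name__ == "__main__":
    for name, fn in (("stream", records_via_stream), ("dgram", records_via_dgram)):
        print(name)
        for text, ok in summarize(fn(PAYLOAD)):
            print(f"  header={ok!s:5} {text!r}")
```

Over the stream socket the second line arrives as its own record with no header, which matches the behaviour reported in the thread; over the datagram socket the embedded newline stays inside a single record.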
participants (3)
- Balazs Scheidler
- Lance Laursen
- mike@lague.org