Hi, I have been following this thread somewhat. I am facing a similar problem with how to handle logs from OpenVMS OPCOM messages. They are also multi-line.

We are having a forwarder written for the VMS side that will send these messages across (still looking at TCP v. UDP and whether or not to place syslog headers in the messages).

The goal is to be able to (at minimum) retain them on the NG box (for log retention) and also forward them as-is to a remote system (for processing by a security operations center).

Currently, one possibility we are considering is to send the messages as UDP without stripping out the newlines (essentially defining a terminal that will receive the messages, and tying this to an outbound UDP socket pointed at the NG logserver).

If you have any thoughts/suggestions, I would appreciate hearing them. If not, I apologize for wasting bandwidth :-)

Thanks!!

Jim Hendrick
GCFW, GCIA, GCIH, GCWN, GCUX
jrhendri@maine.rr.com
On Thu, 2008-07-03 at 11:00 -0400, jrhendri@maine.rr.com wrote:
> Hi, I have been following this thread somewhat. I am facing a similar problem with how to handle logs from OpenVMS OPCOM messages. They are also multi-line.
>
> We are having a forwarder written for the VMS side that will send these messages across (still looking at TCP v. UDP and whether or not to place syslog headers in the messages).
>
> The goal is to be able to (at minimum) retain them on the NG box (for log retention) and also forward them as-is to a remote system (for processing by a security operations center).
>
> Currently, one possibility we are considering is to send the messages as UDP without stripping out the newlines (essentially defining a terminal that will receive the messages, and tying this to an outbound UDP socket pointed at the NG logserver).
>
> If you have any thoughts/suggestions, I would appreciate hearing them. If not, I apologize for wasting bandwidth :-)
I'm quite convinced that the way NL stripping is currently done in syslog-ng is a bad idea. So I'll definitely come up with something to make it possible to retain newlines in messages.

syslog-ng has an option to turn off message parsing, in which case a UDP frame (or line when TCP is used) becomes the whole message without date or host information. In this case you can have the complete message unaltered with the $MSG macro, like this:

    # no-parse: the whole datagram becomes $MSG; no date or host is extracted
    source s_udp { udp(flags(no-parse)); };
    # write only the raw message body
    destination d_file { file("/var/log/raw.log" template("$MSG")); };
    # a log path is needed to connect the source to the destination
    log { source(s_udp); destination(d_file); };

This essentially reproduces anything that comes in on the UDP socket. Except the NL stripping I outlined earlier. Once that is gone, your VMS setup will just work.

-- 
Bazsi
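Added example (Python, not from this thread or from syslog-ng): it shows why a line-oriented TCP reader, as Bazsi describes, breaks a multi-line OPCOM message into fragments, while a length-prefixed (octet-counted, RFC 6587 style) frame delivers it intact; octet counting is not discussed in the thread. The OPCOM text and both framing helpers are constructed for illustration.

```python
# Constructed sample: two multi-line messages in the shape a VMS forwarder
# might emit (OPCOM banner line followed by the message body).
OPCOM_MESSAGES = [
    "%%%%%%%%%%%  OPCOM   3-JUL-2008 11:00:02.15  %%%%%%%%%%%\n"
    "Message from user SYSTEM on NODE01\n"
    "Login attempt failed for user EXAMPLE",
    "%%%%%%%%%%%  OPCOM   3-JUL-2008 11:00:07.40  %%%%%%%%%%%\n"
    "Device DKA100 is offline",
]


def frame_newline(messages):
    """Sender side, newline-delimited: each message is terminated by '\\n'."""
    return "".join(m + "\n" for m in messages).encode()


def parse_newline(stream):
    """Receiver side of a line-oriented TCP reader: every '\\n' ends a record,
    so the embedded newlines of a multi-line message split it into pieces."""
    return [line for line in stream.decode().split("\n") if line != ""]


def frame_octet(messages):
    """Sender side, octet-counted: '<byte length> <message>'. Newlines inside
    the message are ordinary payload bytes."""
    out = bytearray()
    for m in messages:
        body = m.encode()
        out += f"{len(body)} ".encode() + body
    return bytes(out)


def parse_octet(stream):
    """Receiver side: read the decimal length, then exactly that many bytes.
    A short stream (connection cut mid-message) is reported, not guessed."""
    msgs, i = [], 0
    while i < len(stream):
        sp = stream.index(b" ", i)
        n = int(stream[i:sp])
        start = sp + 1
        if start + n > len(stream):
            raise ValueError("truncated frame")
        msgs.append(stream[start:start + n].decode())
        i = start + n
    return msgs
```

With UDP each datagram is already a frame, which is why Jim's "send as UDP without stripping newlines" plan keeps the messages whole; the example makes the same property explicit for a TCP stream.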