multi-line logs and program/facility filters
Hello,

I have an issue with syslog-ng 3.16.1 and multi-line logs.

I try to configure per-application filters using either the program name or a facility. The applications use the traditional syslog() from syslog.h. When an application logs multiple lines, only the first line is filtered. Indeed, the program name or facility is only applied to the first line.

Example:

    $ logger -t testprog "line1 line2 line3"
    $ cat /var/log/messages
    2018-08-10T16:26:14.000000+02:00 testprog: line1
    2018-08-10T16:26:14.899505+02:00 line2
    2018-08-10T16:26:14.899505+02:00 line3

The log source is unix-stream("/dev/log");

What can I do to fix this?

Thanks in advance for your help.

Thanks & Regards,
Michael
Not sure in this specific case - but I parsed some multi-line logs where the lines were not consecutive (i.e. related parts could come in anywhere in the stream) and I had to resort to a program() to handle them. I wrote something to identify log messages by key "IDs" and store the data in a hash table until all the parts of the message were received (or a timer expired) and then sent them along to the SIEM.

Hope that might help.

Jim

On Fri, Aug 10, 2018 at 10:35 AM, Michael Thénault <michael.thenault@gmail.com> wrote:
Hello,
I have an issue with syslog-ng 3.16.1 and multi-line logs.
I try to configure per-application filters using either the program name or a facility. The applications use the traditional syslog() from syslog.h. When an application logs multiple lines, only the first line is filtered. Indeed, the program name or facility is only applied to the first line.
Example:

    $ logger -t testprog "line1 line2 line3"
    $ cat /var/log/messages
    2018-08-10T16:26:14.000000+02:00 testprog: line1
    2018-08-10T16:26:14.899505+02:00 line2
    2018-08-10T16:26:14.899505+02:00 line3
The log source is unix-stream("/dev/log");
What can I do to fix this?
Thanks in advance for your help.
Thanks & Regards,
Michael
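The reassembly approach Jim describes, as an added Python example that is not code from either poster or from syslog-ng: it stitches the header-less continuation lines from Michael's /var/log/messages output back onto the preceding header line, and flushes a pending record when the gap between message timestamps exceeds a window (standing in for Jim's timer), so that a program filter applied afterwards sees the whole message instead of only its first line. The window size, the helper names and the sample lines are assumptions constructed for this example; a program() destination would feed such a script on stdin.

```python
import re
from datetime import datetime

# Header as it appears in the thread's /var/log/messages output: an ISO 8601
# timestamp, then optionally "program: ". Continuation lines carry no program.
LINE_RE = re.compile(r'^(?P<ts>\S+) (?:(?P<prog>[^\s:]+): )?(?P<msg>.*)$')

# Constructed sample input: the three lines from the thread, a second program's
# message, and a late header-less line that falls outside the time window.
SAMPLE = """\
2018-08-10T16:26:14.000000+02:00 testprog: line1
2018-08-10T16:26:14.899505+02:00 line2
2018-08-10T16:26:14.899505+02:00 line3
2018-08-10T16:26:20.000000+02:00 cron: job done
2018-08-10T16:26:30.000000+02:00 stray line
"""

def reassemble(text, max_gap=2.0):
    """Stitch continuation lines onto the preceding header line.

    Returns a list of (program, joined_message) tuples. A line without a
    program is attached to the pending record only if its timestamp is within
    max_gap seconds of that record's header (assumed window); otherwise the
    pending record is flushed and the line is emitted on its own with program
    None, so an unattributed line is visible rather than silently lost.
    """
    records, pending = [], None   # pending = [program, header_ts, [lines]]
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue   # not syslog-ng output; ignore
        ts = datetime.fromisoformat(m['ts'])
        prog, msg = m['prog'], m['msg']
        if prog is None and pending and (ts - pending[1]).total_seconds() <= max_gap:
            pending[2].append(msg)        # continuation of the pending record
            continue
        if pending:
            records.append((pending[0], "\n".join(pending[2])))
        pending = [prog, ts, [msg]]       # new header (or an orphan line)
    if pending:
        records.append((pending[0], "\n".join(pending[2])))
    return records

def matching(records, program):
    """Program filter applied after reassembly: the whole message matches."""
    return [msg for prog, msg in records if prog == program]

if __name__ == "__main__":
    for prog, msg in reassemble(SAMPLE):
        print(prog, repr(msg))
```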