When logging multiline messages (simple strings with in-line newlines) our logs only show the first line. Everything after the first newline character is gone. We're on 3.0.5 and we don't seem to be using the no_multi_line option anywhere. What else could explain this behavior?

Ian
Embedded newlines violate the traditional BSD syslog protocol so syslog-ng treats newlines as terminators so the next line would be in a new logmessage without timestamp, hostname, facility / priority, etc.

On Wed, Dec 1, 2010 at 8:54 PM, Ian Lesperance <ianl@ezpublishing.com> wrote:
> When logging multiline messages (simple strings with in-line newlines) our logs only show the first line. Everything after the first newline character is gone. We're on 3.0.5 and we don't seem to be using the no_multi_line option anywhere. What else could explain this behavior?
>
> Ian

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
That makes sense, and it'd be great if that's what it did, but it actually seems to just drop the rest of the message entirely. The extra lines don't show up anywhere in the log file, with or without metadata.

Based on the search results I found on Google, I thought syslog-ng replaced newlines with spaces just like syslog. So that's no longer the case? I'd ask what version it was changed in, but I'm not seeing either behavior, so I doubt that's the issue.

Ian

On Wed, Dec 1, 2010 at 12:17 PM, Sandor Geller <Sandor.Geller@morganstanley.com> wrote:
> Embedded newlines violate the traditional BSD syslog protocol so syslog-ng treats newlines as terminators so the next line would be in a new logmessage without timestamp, hostname, facility / priority, etc.
If your lines are long, you might be running up against the line length limit. You might do something like the following in options:

    # maximum length of message in bytes
    # this is only limited by the program listening on the /dev/log Unix
    # socket, glibc can handle arbitrary length log messages, but -- for
    # example -- syslogd accepts only 1024 bytes
    # (default is 2048)
    log_msg_size(8192);

And see if that helps.

________________________________________
From: syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu] On Behalf Of Ian Lesperance [ianl@ezpublishing.com]
Sent: Wednesday, December 01, 2010 2:28 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Extra Lines Truncated

> That makes sense, and it'd be great if that's what it did, but it actually seems to just drop the rest of the message entirely. The extra lines don't show up anywhere in the log file, with or without metadata.
>
> Based on the search results I found on Google, I thought syslog-ng replaced newlines with spaces just like syslog. So that's no longer the case? I'd ask what version it was changed in, but I'm not seeing either behavior, so I doubt that's the issue.
>
> Ian
It happens even with "foo\nbar". "foo" is written but "bar" is nowhere to be found.

Not sure if it's relevant, but carriage returns pass through unaltered.

Ian

On Wed, Dec 1, 2010 at 2:15 PM, Bill Anderson <Bill.Anderson@bodybuilding.com> wrote:
> If your lines are long, you might be running up against the line length limit. You might do something like the following in options:
>
>     # maximum length of message in bytes
>     # this is only limited by the program listening on the /dev/log Unix
>     # socket, glibc can handle arbitrary length log messages, but -- for
>     # example -- syslogd accepts only 1024 bytes
>     # (default is 2048)
>     log_msg_size(8192);
>
> And see if that helps.
When it sees a new line that's just "bar" it tries to parse it. It'll end up parsing it with 'bar' being the hostname, and will give it a default facility and default priority with a blank message text. I'm not sure what the default facility and priority end up being, but unless you have a log rule which matches them and does something with them, they will just get dropped.

-Patrick

Sent: Wed Dec 01 2010 17:42:46 GMT-0700 (Mountain Standard Time)
From: Ian Lesperance <ianl@ezpublishing.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Extra Lines Truncated

> It happens even with "foo\nbar". "foo" is written but "bar" is nowhere to be found.
>
> Not sure if it's relevant, but carriage returns pass through unaltered.
>
> Ian
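Added example (not part of the original thread and not syslog-ng's own code): a small Python model of the receiver behaviour Sandor and Patrick describe, where each newline ends a frame and a bare "bar" frame is parsed as a hostname with an empty message, next to a sender-side escape that keeps the payload in one frame. Assumptions: the default priority of 13 (user.notice) is the RFC 3164 fallback, which the thread does not confirm for syslog-ng; the host name "web01", the PRI value 134 and all function names are constructed for illustration.

```python
import re

# Simplified RFC 3164 (BSD syslog) header: <PRI>Mmm dd hh:mm:ss HOST MSG
HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) )?"
    r"(?P<host>\S+)?(?:\s(?P<msg>.*))?$"
)
DEFAULT_PRI = 13  # assumed fallback when PRI is missing (RFC 3164: user.notice)


def parse_frame(frame):
    """Parse one newline-terminated frame into its syslog fields."""
    m = HEADER.match(frame)
    pri = int(m.group("pri")) if m.group("pri") else DEFAULT_PRI
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host") or "",
        "msg": m.group("msg") or "",
    }


def receive(stream):
    """Model a receiver that treats every newline as a message terminator."""
    return [parse_frame(f) for f in stream.split("\n") if f]


def escape_newlines(text):
    """Sender-side fix: escape CR/LF so a multiline payload stays one frame."""
    return text.replace("\\", "\\\\").replace("\r", "\\r").replace("\n", "\\n")


def build(pri, ts, host, payload):
    """Assemble one frame; the trailing newline is the terminator."""
    return f"<{pri}>{ts} {host} {payload}\n"


# Constructed sample: local0.info (PRI 134) from a host named "web01".
RAW = build(134, "Dec  1 17:42:46", "web01", "app: foo\nbar")
SAFE = build(134, "Dec  1 17:42:46", "web01", "app: " + escape_newlines("foo\nbar"))

if __name__ == "__main__":
    for label, stream in (("raw", RAW), ("escaped", SAFE)):
        for rec in receive(stream):
            print(label, rec)
```

In the raw case the second record carries no timestamp, a hostname of "bar" and an empty message, so it only reaches a file if some log path matches user.notice; in the escaped case a single record keeps the whole payload.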
participants (4)
- Bill Anderson
- Ian Lesperance
- Patrick H.
- Sandor Geller