Re: [syslog-ng] 3.2.5 and Multiline(?) messages from Solaris
You hit it I think. The first thing is to capture packets on at least one end to isolate where this is happening.

Jim

Sent from my Verizon Wireless 4G LTE smartphone

-------- Original message --------
From: Ray Van Dolson <rvandolson@esri.com>
Date: 05/11/2015 11:42 PM (GMT-05:00)
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] 3.2.5 and Multiline(?) messages from Solaris

Admittedly haven't done enough searching or testing on this, but am hoping someone might have a quick answer.

Recently moved from the 2.x versions to 3.2.5 (as part of EPEL on RHEL6). Have noticed that we're no longer getting the full messages from some Solaris boxen using the tcp() and udp() source definitions.

Messages like this:

  May 10 02:29:30 dev-zfs2 scsi: [ID 365881 kern.info] /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):
  May 10 02:29:30 dev-zfs2 Log info 0x31080000 received for target 24.
  May 10 02:29:30 dev-zfs2 scsi_status=0x0, ioc_status=0x804b, scsi_state=0x0

Come through looking like this:

  May 10 02:29:30 dev-zfs2 scsi: [ID 365881 kern.info] /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):

(Only the initial line)

However, messages like this one:

  May 9 04:12:57 dev-zfs2 scsi: [ID 243001 kern.warning] WARNING: /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):
  May 9 04:12:57 dev-zfs2 mptsas_handle_event_sync: IOCStatus=0x8000, IOCLogInfo=0x31110610

.. do seem to be coming through "whole" (I do note that the priority is different in both).
Relevant config items are as follows:

  log { source(remote); filter(syslog); destination(hosts_syslog); };

  source remote {
      udp();
      tcp();
      # udp(ip(0.0.0.0) port(514));
      # tcp(ip(0.0.0.0) port(514));
  };

  destination hosts_syslog {
      file("/logs/hosts/$HOST/$YEAR/$MONTH/syslog.$HOST.$YEAR.$MONTH.log" create_dirs(yes));
      pipe("/logs/hosts/everything.fifo");
  };

  filter syslog { (not facility(mail) and not filter(f_ucgw) and not filter(f_esx)); };

Will try and do some packet captures to confirm Solaris is, in fact, sending the entire message (I believe it is since this worked on syslog-ng 2.x).

Thanks,
Ray

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
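Not part of the thread: an added Python sketch of the two framings at issue, to show what the packet capture Jim and Ray discuss would need to distinguish. It assumes (unverified) that the Solaris box emits the whole three-line scsi message as one syslog PDU with a kern.info `<6>` header on the first line only; under newline-delimited framing the continuation lines arrive as separate, headerless records, while under datagram framing the event stays whole. The sample message is constructed from the lines quoted above.

```python
import re

# Constructed sample, not a real capture: the three-line Solaris scsi message
# quoted in the thread, ASSUMED to leave the sender as one syslog PDU with
# embedded newlines and a kern.info (<6>) header on the first line only.
SAMPLE_PDU = (
    "<6>May 10 02:29:30 dev-zfs2 scsi: [ID 365881 kern.info] "
    "/pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):\n"
    "May 10 02:29:30 dev-zfs2 Log info 0x31080000 received for target 24.\n"
    "May 10 02:29:30 dev-zfs2 scsi_status=0x0, ioc_status=0x804b, scsi_state=0x0\n"
)

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)\Z", re.S)


def parse_record(raw):
    """Parse one BSD-syslog (RFC 3164 style) record into facility, severity, text.

    A record with no <PRI> header is the signature of a continuation line that
    the receiver's framing cut off at a newline; it is flagged 'headerless' so
    downstream filtering can account for it instead of treating it as an
    independent event with a default priority.
    """
    m = PRI_RE.match(raw)
    if not m:
        return {"facility": None, "severity": None, "text": raw, "headerless": True}
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7, "text": m.group(2), "headerless": False}


def frame_tcp_newline(stream):
    """Newline-delimited framing, as used for plain TCP syslog: every '\\n' ends a record."""
    return [parse_record(line) for line in stream.split("\n") if line]


def frame_udp_datagram(datagram):
    """Datagram framing: one datagram is one record, embedded newlines are kept."""
    return [parse_record(datagram.rstrip("\n"))]


def headerless_count(records):
    """Number of records lacking their own <PRI>, i.e. split off a multi-line event."""
    return sum(1 for r in records if r["headerless"])


if __name__ == "__main__":
    tcp = frame_tcp_newline(SAMPLE_PDU)
    udp = frame_udp_datagram(SAMPLE_PDU)
    print(f"newline framing: {len(tcp)} records, {headerless_count(tcp)} without a header")
    print(f"datagram framing: {len(udp)} record, {headerless_count(udp)} without a header")
```

If the capture shows the sender emitting the three lines as one PDU, the receiver's framing is where the event is being cut; if the sender already emits three separate PDUs, the receiver is behaving correctly.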
participants (1)
-
Jim Hendrick