[syslog-ng] messages with newlines
Dmitry Frolov
diffa@zenon.net
Fri, 31 Jan 2003 14:05:36 +0300
Hello!
I encountered some problems with syslog-ng 1.5.25 while trying to
separate logs by program name.
Our developers often use multiline log messages, stack traces for example.
The problem is that when a multiline message is received via network (udp)
it is logged as several lines, and only the first line has the program name in it.
So, when I configure the 'program' filter, it only catches the first line.
Example:
We are logging this message and it is sent to loghost (in one udp packet, tested with snoop).
<30>Jan 31 13:51:30 Yadda yadda[17245]: Time to die.
die now!
Loghost writes it in this way:
Jan 31 13:42:29 host yadda[17231]: Time to die.
Jan 31 13:42:29 host die now!
The second line "die now!" will not match the 'program' filter.
I suppose it would be correct to replace all '\n', '\r', etc. in log messages
and log them as a single line, as common syslogd does in any case and as syslog-ng
does when the source is a unix domain socket.
Another problem is that the first word of the program name disappears.
If the program name is missing, the first word of the log msg disappears instead.
Here's the script to send the log message used in my example.
#!/usr/bin/perl -w
use strict;
use Sys::Syslog; # all except setlogsock, or:
use Sys::Syslog qw(:DEFAULT setlogsock); # default set, plus setlogsock
my $ident = 'Yadda yadda';
my $logopt = 'pid,ndelay';
my $facility = 'daemon';
my $priority = 'info';
my $format = "Time to die.\ndie now!";
my @args;
setlogsock 'unix';
openlog $ident, $logopt, $facility;
syslog $priority, $format, @args;
closelog;
--
Dmitry Frolov, Zenon N.S.P. (095) 250-4629, http://www.zenon.net/
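
The single-record handling suggested in the post, as an added Python example that is not part of the original message and is not syslog-ng's code: one UDP datagram is treated as one record and embedded control characters are escaped, so the program tag stays attached to the whole message and a newline in the payload cannot start a separate log line. The function names and the header layout without a hostname field are assumptions taken from the post's sample datagram.

```python
import re

# Constructed sample: the single UDP payload shown in the post.
DATAGRAM = b"<30>Jan 31 13:51:30 Yadda yadda[17245]: Time to die.\ndie now!"

# <PRI>, BSD timestamp, then a tag ending in an optional [pid] and ':'.
# Assumption: no hostname field, matching the post's sample datagram.
HEADER = re.compile(
    rb"<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    rb"([^\[\]:\r\n]+)(?:\[(\d+)\])?: ?"
)

def escape_controls(data: bytes) -> str:
    """Make CR, LF and other non-printables visible instead of literal."""
    out = []
    for ch in data.decode("utf-8", "replace"):
        if ch == "\\":
            out.append("\\\\")  # keep the escaping unambiguous
        elif ch.isprintable():
            out.append(ch)
        else:
            out.append(ch.encode("unicode_escape").decode("ascii"))
    return "".join(out)

def parse_datagram(data: bytes) -> dict:
    """Treat the whole datagram as ONE record and return its fields."""
    rec = {"facility": None, "severity": None, "timestamp": None,
           "program": None, "pid": None}
    m = HEADER.match(data)
    if m:
        pri = int(m.group(1))
        rec.update(facility=pri >> 3, severity=pri & 7,
                   timestamp=m.group(2).decode("ascii"),
                   program=escape_controls(m.group(3)),
                   pid=int(m.group(4)) if m.group(4) else None)
    rec["msg"] = escape_controls(data[m.end():] if m else data)
    return rec

def naive_lines(data: bytes) -> list:
    """Behaviour reported in the post: every newline starts a new line."""
    return data.decode("utf-8", "replace").splitlines()

if __name__ == "__main__":
    print(naive_lines(DATAGRAM))   # second element has no program tag
    rec = parse_datagram(DATAGRAM)
    print(f"{rec['timestamp']} {rec['program']}[{rec['pid']}]: {rec['msg']}")
```

Escaping rather than deleting the control characters keeps the original line structure recoverable from the stored record.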