[syslog-ng] Multi-line Logs

[Balazs Scheidler]

On Thu, 2008-07-03 at 11:00 -0400, jrhendri at maine.rr.com wrote:
> Hi,
>   I have been following this thread somewhat. I am facing a similar problem with how to handle logs from OpenVMS OPCOM messages. They are also multi-line.
> 
>   We are having a fowarder written for the VMS side that will send these messages across (still looking at TVP v. UDP and whether or not to place syslog headers in the messages).
> 
>   The goal is to be able to (at minimum) retain them on the NG box (for log retention) and also forward them as-is to a remote system (for processing by a security operations center).
> 
>   Currently, one possibility we are considering is to send the messages as UDP without stripping out the newlines (essentially defining a terminal that will receive the messages, and tying this to an outbound UDP socket pointed at the NG logserver.
> 
>   If you have any thoughts/suggestions, I would appreciate hearing them. If not, I apologize for wasting bandwidth :-)


I'm quite convinced that the way NL stripping is currently done in
syslog-ng is a bad idea.

So I'll definitely come up something to make it possible to retain
newlines in messages.

syslog-ng has an option to turn off message parsing, in which case a UDP
frame (or line when TCP is used) becomes the whole message without date
or host information.

In this case you can have the complete message unaltered with the $MSG
macro, like this:

source s_udp { udp(flags(no-parse)); };

destination d_file { file("/var/log/raw.log" template("$MSG")); };

This essentially reproduces anything that comes in on the UDP socket.
Except the NL stripping I outlined earlier. Once that is gone, your VMS
setup will just work.

-- 
Bazsi