[syslog-ng] no_multi_line - have cake, eat too
Balazs Scheidler
bazsi at balabit.hu
Sun Mar 22 13:28:34 CET 2009
On Wed, 2009-03-18 at 11:19 -0700, Ross Andrus wrote:
> Hi,
>
> Thanks for the great tool!
>
> I really enjoy the power and flexibility of syslog-ng, and I wanted to
> send along a local modification I've made to the 3.0.1 release.
>
> My situation is that I'd like to have *both* the traditional behavior
> in which newlines are replaced with spaces, and also the new
> no_multi_line feature. Basically, developers want to see the stack
> traces, operations wants simple scanning and analysis.
>
> So, I created a new template macro named "ONELINE" that is a variant
> of the MSGONLY macro, but it makes a local copy of the buffer and
> performs the newline replacement on it, then sends it off.
>
> I didn't put any time into thinking about performance, so I won't be
> surprised to here there's a better way or etc, but it works well
> enough so far.
the 3.0 release offers the no-multi-line flag both for sources AND for
destinations, so you can specify:
destination d_file { file("/var/log/messages" flags(no-multi-line)); };
And this will remove any NL characters possibly still in the message. Of
course if you use no-multi-line on the input side, there'll be no NLs by
the time the message gets here, but otherwise you can specify
no-multi-line flag for destinations where you want one line per entry
and omit this flag where you want multi-line messages.
--
Bazsi
More information about the syslog-ng
mailing list