[syslog-ng] Multiple syslog messages in one tcp packet

Matthew Hall mhall at mhcomputing.net
Mon Oct 11 23:57:09 CEST 2010


Hello Steve,

The client should be sending Line Feed '\n' or ^J not Carriage Return '\r' or ^M.

That's what the TCP Syslog RFC requires.

So if you can get that problem fixed it might start working.

You might want to look through the packet dumps to verify if the upstream is sending '\n' or '\r' or '\r\n'.

Regards,
Matthew Hall.

On Mon, Oct 11, 2010 at 05:48:53PM -0400, Lee, Steve wrote:
> I’ve got a Windows syslog client (from Q1 Labs) that wants to send multiple syslog messages within a single tcp packet to syslog-ng. The messages file on the syslog-ng side looks like this (Note the “^M<13>” separating the individual messages):
> 
> [user] [notice] Oct 11 16:25:05 10.40.3.16 10.40.3.16 ation_logfile.txt Payload=server.Emory.Edu, The Operations Manager agent processes are using too much processor time SEVERITY:2 STATE: New; Custom Oct 11 15:15:58^M<13>Oct 11 15:17:58 server2.emory.edu AgentDevice=FileForwarder        AgentLogFile=logfile.txt    Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: New; StateCollection Oct 11 15:17:58^M<13>Oct 11 15:19:58 server2.emory.edu AgentDevice=FileForwarder        AgentLogFile= logfile.txt    Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: Closed; StateCollection Oct 11 15:19:58^M
> 
> Is it possible to configure syslog-ng to separate the messages out into individual ones like these?
> 
> [user] [notice] Oct 11 16:25:05 10.40.3.16 10.40.3.16 ation_logfile.txt Payload=server.Emory.Edu, The Operations Manager agent processes are using too much processor time SEVERITY:2 STATE: New; Custom Oct 11 15:15:58
> [user] [notice] Oct 11 15:17:58 server2.emory.edu AgentDevice=FileForwarder        AgentLogFile=logfile.txt    Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: New; StateCollection Oct 11 15:17:58
> [user] [notice] Oct 11 15:19:58 server2.emory.edu AgentDevice=FileForwarder        AgentLogFile= logfile.txt    Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: Closed; StateCollection Oct 11 15:19:58
> 
> I am using the syslog-ng ose client version 3.0.3.
> 
> Thanks.
> 
> Steve
> 
> -------------
> Steve Lee
> Technical Operations Center
> University Technology Services
> Emory University
> -------------
> 
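The packet-dump check suggested in the reply, as an added example that is not part of the original thread: it counts which line terminators a captured TCP payload contains and compares what an LF-only receiver sees with a tolerant split. The sample payload is constructed (hostnames and message text are placeholders modelled on the log lines quoted above), and all function names are hypothetical.

```python
import re

# Constructed sample: three <13> messages, each ended by a bare
# carriage return (the "^M" visible in the quoted messages file).
SAMPLE = (b"<13>Oct 11 15:15:58 host1.example STATE: New\r"
          b"<13>Oct 11 15:17:58 host2.example STATE: New\r"
          b"<13>Oct 11 15:19:58 host2.example STATE: Closed\r")

def count_terminators(payload: bytes) -> dict:
    """Count CRLF pairs, bare LF and bare CR in a captured payload."""
    crlf = payload.count(b"\r\n")
    return {
        "crlf": crlf,
        "lf": payload.count(b"\n") - crlf,  # LF not preceded by CR
        "cr": payload.count(b"\r") - crlf,  # CR not followed by LF
    }

def split_on_lf(payload: bytes) -> list:
    """Records as seen by a receiver that frames on LF only."""
    return [m for m in payload.split(b"\n") if m]

def split_tolerant(payload: bytes) -> list:
    """Split on CRLF, LF or CR to recover each message for inspection."""
    return [m for m in re.split(rb"\r\n|\n|\r", payload) if m]

def diagnose(payload: bytes) -> str:
    """Summarise the framing problem, if any, for an analyst."""
    c = count_terminators(payload)
    if c["cr"] and not (c["lf"] or c["crlf"]):
        return "bare CR only: an LF-framing receiver merges these messages"
    if c["cr"]:
        return "mixed terminators including bare CR: some messages merge"
    if c["crlf"] or c["lf"]:
        return "LF-terminated: messages are framed individually"
    return "no terminator found: payload may be a partial message"

if __name__ == "__main__":
    print(count_terminators(SAMPLE))
    print(diagnose(SAMPLE))
    print(len(split_on_lf(SAMPLE)), "record(s) when framing on LF")
    for msg in split_tolerant(SAMPLE):
        print(msg.decode("ascii", "replace"))
```

Feed it the reassembled TCP stream bytes exported from the capture rather than a single packet, since one message can span segments.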

