[syslog-ng] Multiple syslog messages in one tcp packet

Matthew Hall mhall at mhcomputing.net
Tue Oct 12 00:32:22 CEST 2010


How do you create a filter for ^M and other control characters?

Matthew.

On Mon, Oct 11, 2010 at 04:27:59PM -0600, Patrick H. wrote:
> What you might try is to create a filter that takes all incoming
> data on the tcp socket, replaces ^M with \n, and then pipes it back
> into another source driver (socket, pipe, whatever) for syslog-ng to
> process again, but without the filter expression (^M is probably \r
> as that's what most editors will display \r as).
> I'm not sure if that'll work, but I think it should.
> 
> -Patrick
> 
> Sent: Mon Oct 11 2010 15:48:53 GMT-0600 (Mountain Daylight Time)
> From: Lee, Steve <steve.lee at emory.edu>
> To: Syslog-ng users' and developers' mailing list
> <syslog-ng at lists.balabit.hu>
> Subject: Re: [syslog-ng] Multiple syslog messages in one tcp packet
> >I’ve got a Windows syslog client (from Q1 Labs) that wants to send multiple syslog messages within a single tcp packet to syslog-ng. The messages file on the syslog-ng side looks like this (Note the “^M<13>” separating the individual messages):
> >
> >[user] [notice] Oct 11 16:25:05 10.40.3.16 10.40.3.16 ation_logfile.txt Payload=server.Emory.Edu, The Operations Manager agent processes are using too much processor time SEVERITY:2 STATE: New; Custom Oct 11 15:15:58^M<13>Oct 11 15:17:58 server2.emory.edu AgentDevice=FileForwarder        AgentLogFile=logfile.txt    Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: New; StateCollection Oct 11 15:17:58^M<13>Oct 11 15:19:58 server2.emory.edu AgentDevice=FileForwarder        AgentLogFile= logfile.txt    Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: Closed; StateCollection Oct 11 15:19:58^M
> >
> >Is it possible to configure syslog-ng to separate the messages out into individual ones like these?
> >
> >[user] [notice] Oct 11 16:25:05 10.40.3.16 10.40.3.16 ation_logfile.txt Payload=server.Emory.Edu, The Operations Manager agent processes are using too much processor time SEVERITY:2 STATE: New; Custom Oct 11 15:15:58
> >[user] [notice] Oct 11 15:17:58 server2.emory.edu AgentDevice=FileForwarder        AgentLogFile=logfile.txt    Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: New; StateCollection Oct 11 15:17:58
> >[user] [notice] Oct 11 15:19:58 server2.emory.edu AgentDevice=FileForwarder        AgentLogFile= logfile.txt    Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: Closed; StateCollection Oct 11 15:19:58
> >
> >I am using the syslog-ng ose client version 3.0.3.
> >
> >Thanks.
> >
> >Steve
> >
> >-------------
> >Steve Lee
> >Technical Operations Center
> >University Technology Services
> >Emory University
> >-------------
> >
> >
> >______________________________________________________________________________
> >Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> >Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> >FAQ: http://www.campin.net/syslog-ng/faq.html
> >

> 
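The approach suggested in the thread (turn the ^M separators into newlines before syslog-ng parses the stream) sketched as a small Python re-framer. This is an added example, not code from the thread or from syslog-ng; the `Reframer` class, the 8192-byte cap and the sample hosts are assumptions, and it goes one step further by escaping any other control bytes so they cannot reach the log file raw.

```python
import re

# Control bytes other than TAB; CR and LF are consumed as separators before this runs.
CTRL = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")


class Reframer:
    """Feed raw TCP chunks in, get complete syslog messages out."""

    def __init__(self, max_len=8192):
        self.buf = b""
        self.max_len = max_len  # assumed cap so a sender that never terminates cannot grow the buffer

    def feed(self, chunk):
        self.buf += chunk
        # Every CR or LF ends a message; the unterminated tail stays buffered.
        *done, self.buf = re.split(rb"[\r\n]", self.buf)
        if len(self.buf) > self.max_len:
            done.append(self.buf)
            self.buf = b""
        # Empty pieces come from CRLF pairs (even when split across chunks).
        return [self._clean(m) for m in done if m]

    def flush(self):
        """Call on connection close to emit a final unterminated message."""
        last, self.buf = self.buf, b""
        return [self._clean(last)] if last else []

    @staticmethod
    def _clean(msg):
        return CTRL.sub(lambda m: b"\\x%02x" % m.group()[0], msg)


def reframe(chunks, max_len=8192):
    """Return the stream as LF-terminated messages, ready for a syslog-ng source."""
    r = Reframer(max_len)
    msgs = [m for c in chunks for m in r.feed(c)] + r.flush()
    return b"".join(m + b"\n" for m in msgs)


# Constructed sample: three messages separated by CR, cut at arbitrary TCP boundaries.
SAMPLE_CHUNKS = [
    b"<13>Oct 11 15:15:58 host1.example Payload=first\r<13>Oct 11 15:17:",
    b"58 host2.example Payload=second\x07bell\r",
    b"\n<13>Oct 11 15:19:58 host2.example Payload=third",
]

if __name__ == "__main__":
    print(reframe(SAMPLE_CHUNKS).decode())
```

Because the `<13>` priority field follows each separator, every re-framed line starts with its own PRI and can be parsed as a normal syslog message.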


