[syslog-ng] Multiple syslog messages in one tcp packet

Patrick H. syslogng at feystorm.net
Tue Oct 12 00:53:50 CEST 2010


rewrite r_fixmsg { subst("\r","\n",value("MESSAGE") type("string") flags("global")); };

I don't know if syslog-ng will translate the \r or not. If not, try 
inserting a raw \r char in there (this is all assuming ^M really is \r).

-Patrick

Sent: Mon Oct 11 2010 16:32:22 GMT-0600 (Mountain Daylight Time)
From: Matthew Hall <mhall at mhcomputing.net>
To: Syslog-ng users' and developers' mailing list 
<syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Multiple syslog messages in one tcp packet
> How do you create a filter for ^M and other control characters?
>
> Matthew.
>
> On Mon, Oct 11, 2010 at 04:27:59PM -0600, Patrick H. wrote:
>   
>> What you might try is to create a filter that takes all incoming
>> data on the tcp socket, replaces ^M with \n, and then pipes it back
>> into another source driver (socket, pipe, whatever) for syslog-ng to
>> process again, but without the filter expression (^M is probably \r
>> as that's what most editors will display \r as).
>> I'm not sure if that'll work, but I think it should.
>>
>> -Patrick
>>
>> Sent: Mon Oct 11 2010 15:48:53 GMT-0600 (Mountain Daylight Time)
>> From: Lee, Steve <steve.lee at emory.edu>
>> To: Syslog-ng users' and developers' mailing list
>> <syslog-ng at lists.balabit.hu>
>> Subject: Re: [syslog-ng] Multiple syslog messages in one tcp packet
>>     
>>> I’ve got a Windows syslog client (from Q1 Labs) that wants to send multiple syslog messages within a single tcp packet to syslog-ng. The messages file on the syslog-ng side looks like this (Note the “^M<13>” separating the individual messages):
>>>
>>> [user] [notice] Oct 11 16:25:05 10.40.3.16 10.40.3.16 ation_logfile.txt Payload=server.Emory.Edu, The Operations Manager agent processes are using too much processor time SEVERITY:2 STATE: New; Custom Oct 11 15:15:58^M<13>Oct 11 15:17:58 server2.emory.edu AgentDevice=FileForwarder        AgentLogFile=logfile.txt    Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: New; StateCollection Oct 11 15:17:58^M<13>Oct 11 15:19:58 server2.emory.edu AgentDevice=FileForwarder        AgentLogFile= logfile.txt    Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: Closed; StateCollection Oct 11 15:19:58^M
>>>
>>> Is it possible to configure syslog-ng to separate the messages out into individual ones like these?
>>>
>>> [user] [notice] Oct 11 16:25:05 10.40.3.16 10.40.3.16 ation_logfile.txt Payload=server.Emory.Edu, The Operations Manager agent processes are using too much processor time SEVERITY:2 STATE: New; Custom Oct 11 15:15:58
>>> [user] [notice] Oct 11 15:17:58 server2.emory.edu AgentDevice=FileForwarder        AgentLogFile=logfile.txt    Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: New; StateCollection Oct 11 15:17:58
>>> [user] [notice] Oct 11 15:19:58 server2.emory.edu AgentDevice=FileForwarder        AgentLogFile= logfile.txt    Payload=Microsoft.SystemCenter.AgentWatchersGroup, Health Service Heartbeat Failure SEVERITY:2 STATE: Closed; StateCollection Oct 11 15:19:58
>>>
>>> I am using the syslog-ng ose client version 3.0.3.
>>>
>>> Thanks.
>>>
>>> Steve
>>>
>>> -------------
>>> Steve Lee
>>> Technical Operations Center
>>> University Technology Services
>>> Emory University
>>> -------------
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>>
>>>       
>
>   
>   
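
The pre-processing step suggested in this thread (split the TCP stream on ^M before syslog-ng parses it), sketched as an added example that is not part of the original messages or of syslog-ng. The names Deframer, decode_pri and split_stream and the sample bytes are constructed for illustration; a message without a valid <PRI> is assumed to be 13 (user.notice).

```python
import re

# Facility and severity names by numeric code (RFC 3164 / RFC 5424 numbering).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock").split() + ["local%d" % i for i in range(8)]
SEVERITIES = "emerg alert crit err warning notice info debug".split()
PRI_RE = re.compile(rb"^<(\d{1,3})>")


class Deframer:
    """Split a TCP byte stream into messages on CR, LF or CRLF."""

    def __init__(self, max_len=8192):
        self.buf = b""
        self.max_len = max_len  # bound the buffer if a sender never terminates

    def feed(self, chunk):
        """Take the bytes of one recv() and return the messages completed by it."""
        parts = re.split(rb"[\r\n]+", self.buf + chunk)
        self.buf = parts.pop()  # last piece has no terminator yet, keep it
        if len(self.buf) > self.max_len:
            parts.append(self.buf)  # force out an over-long unterminated record
            self.buf = b""
        return [p for p in parts if p]


def decode_pri(msg):
    """Return (facility, severity, text); without a valid <PRI> assume 13."""
    m = PRI_RE.match(msg)
    pri = int(m.group(1)) if m else 13
    if pri > 191:  # not a legal PRI, leave the text untouched
        m, pri = None, 13
    text = msg[m.end():] if m else msg
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], text.decode("utf-8", "replace")


def split_stream(chunks):
    """Deframe an iterable of recv() chunks into decoded messages."""
    d = Deframer()
    return [decode_pri(m) for c in chunks for m in d.feed(c)]


# Constructed sample in the layout shown in the thread, cut mid-message
# the way TCP may deliver it.
SAMPLE = [b"<13>Oct 11 15:15:58 host1 Payload=first\r<13>Oct 11 15:17",
          b":58 host2 Payload=second\r<13>Oct 11 15:19:58 host2 Payload=third\r"]

if __name__ == "__main__":
    for fac, sev, text in split_stream(SAMPLE):
        print("[%s] [%s] %s" % (fac, sev, text))
```

The buffer carries a partial message from one recv() to the next, so a record split across TCP segments, or a CRLF pair split between them, still yields exactly one message.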