[syslog-ng] is there support for multi-line messages in a syslog-ng OSE release?

Balazs Scheidler bazsi at balabit.hu
Wed Sep 21 11:01:12 CEST 2011 

On Wed, 2011-09-14 at 17:48 -0700, Lance Laursen wrote:
> On Thu, Sep 1, 2011 at 2:57 PM, <mike at lague.org> wrote:
>         I'm  using syslog-ng 3.0.5 (OSE). 
>         
>         I've noticed that if a multi-line message is sent by an
>         application to  syslog-ng  via a unix-stream source, the first
>         line is logged to the right destination, and the next line
>         goes to a default destination. E.g., if a message like 
>         "Test message line 1\nTest message line 2\n" 
>         is sent,
>         "Test message line 1"
>         appears in the expected destination file, while
>         "Error processing log message: Test message line 2"
>         appears in the default destination.
>         
>         This limitation (which does not exist with unix-dgram sources)
>         seems to have been reported a number of times on various
>         lists.

The root cause for this is that the record separator is the newline
character, so the lines are different syslog records.

And the 2nd line is lacking a proper syslog header, so syslog-ng
prepends one there.

>         
>         The feature comparison table at
>         http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/features/comparison
>         indicates that there is no support for multi-line messages in
>         OSE 3.2, but there is such support in PE 4.0

That's right. In the last couple of days I was working with the PE team
in-house on reviewing the patches the PE team did, among others the
multi-line feature, but it is not yet integrated to the OSE tree.

Our work-in-progress tree is published in

git://git.balabit.hu/bazsi/syslog-ng-3.3.git

"pe-rebase" branch.

I hope to integrate most of it to the OSE tree.

>         
>         Yet I thought a saw a message which indicated that there might
>         be support for multi-line messages in an OSE release? Can
>         someone confirm this? 

Not in an official OSE release. The code is available in the git repo
quoted above though.

>         Also, is there any way around this limitation in earlier OSE
>         releases?

the use of unix-dgram() should help in your specific situation. 

-- 
Bazsi

More information about the syslog-ng mailing list