[syslog-ng] [Bug 215] syslog-ng v3 - tcp() does not support no-multi-line as docs reference.

bugzilla at bugzilla.balabit.com bugzilla at bugzilla.balabit.com
Thu Jan 3 16:58:16 CET 2013


https://bugzilla.balabit.com/show_bug.cgi?id=215


Gergely Nagy <algernon at balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |algernon at balabit.hu
         AssignedTo|bazsi at balabit.hu            |algernon at balabit.hu




--- Comment #3 from Gergely Nagy <algernon at balabit.hu>  2013-01-03 16:58:15 ---
(In reply to comment #2)
> > What do you want to accomplish exactly?
> 
> I was hoping to accept Windows logs from a Snare universal forwarder from multiple devices. It sends multi-line Windows logs but can only do it over TCP that
> is not RFC 5424 as far as I can tell and I wanted these messages to be reduced to one line.

This will be possible once the multiline work is merged, which will happen early in the 3.5 development cycle.

[...]

> This is what I was really needing. The terminator in my case would need to be \n\n since this is the true EOM with these logs and syslog-ng could then
> determine the end of a message in the logs.
> As it stands, it looks like to get this working on the syslog-ng side I would need to use program(), find true EOM (\n\n), strip the single \n and then return
> the message as I want it.

Yep, this is the most straightforward workaround right now.

> > Algernon has already experimented with support for multiple lines over stream 
> > like transport, but it's not yet integrated. It used MIME-style line continuations, 
> > e.g. the first character of subsequent lines must be white space. It's used on the 
> > modern /dev/kmsg interface of the Linux kernel, but it'll probably work for tcp too.
> 
> Ah, that sounds pretty fantastic.

My multiline work supports MIME-style line continuations already (but that won't help with Windows logs), and work is in progress to extend it further, so it
supports Windows logs and custom EOM marks too.

So early 3.5 will have everything in place that you need. If I could be so bold, I'd like to ask you to test 3.5, once these features are in, so that we can
make multiline support cover as many use cases as possible.


-- 
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
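
The workaround discussed in the thread (find the `\n\n` EOM, strip the single `\n`, return one line), sketched as an added example that is not from the bug report or from syslog-ng: a Python filter that reassembles records across arbitrary TCP chunk boundaries, so each event ends up as exactly one log line. Assumptions: the stream arrives on stdin, CRLF is treated as LF, and `MAX_RECORD` and `CUT_MARK` are hypothetical names for a buffer cap the thread does not mention.

```python
import os
import sys

EOM = b"\n\n"                    # end-of-message mark named in the thread
MAX_RECORD = 64 * 1024           # assumed cap: bounds memory if no EOM arrives
CUT_MARK = b" [cut: no EOM]"     # hypothetical tag for force-flushed records


def flatten(record):
    """Join the lines of one record with single spaces."""
    return b" ".join(p.strip() for p in record.split(b"\n") if p.strip())


class Reassembler:
    """Turn an arbitrarily chunked byte stream into one-line records."""

    def __init__(self, max_record=MAX_RECORD):
        self.buf = b""
        self.max_record = max_record

    def feed(self, chunk):
        """Add stream bytes; return the records completed by this chunk."""
        # Normalise CRLF on the whole buffer, so a "\r" left over from the
        # previous chunk still pairs with a "\n" arriving in this one.
        self.buf = (self.buf + chunk).replace(b"\r\n", b"\n")
        out = []
        while EOM in self.buf:
            record, self.buf = self.buf.split(EOM, 1)
            out.append(flatten(record))
        if len(self.buf) > self.max_record:
            # A sender that never sends EOM must not grow the buffer forever;
            # the rest of that message will surface as a separate record.
            out.append(flatten(self.buf) + CUT_MARK)
            self.buf = b""
        return [r for r in out if r]

    def flush(self):
        """At end of stream, emit whatever is left without an EOM."""
        rest, self.buf = flatten(self.buf), b""
        return [rest] if rest else []


if __name__ == "__main__":
    # Constructed usage: stream bytes arrive on stdin, records leave on stdout.
    r = Reassembler()
    for chunk in iter(lambda: os.read(0, 4096), b""):
        sys.stdout.buffer.writelines(line + b"\n" for line in r.feed(chunk))
        sys.stdout.buffer.flush()
    sys.stdout.buffer.writelines(line + b"\n" for line in r.flush())
```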

