[syslog-ng] syslog-ng Digest, Vol 99, Issue 9

Yarick Tsagoyko yarick at yarick.com
Thu Jul 11 18:05:49 CEST 2013


Dear Satish, multiline is supported in the open source version of syslog-ng, as
bazsi wrote.

To glue the lines together into one line, you can do one of two things.
First, configure syslog-ng not to break messages into separate lines, by
disabling native multiline support.  Second, define a pattern that
identifies the beginning of a new line.

I encourage you to read the manual prior to engaging the entire list to solve
your issue, which is clearly not an issue with the way the code is written.

Thanks.

Y.




This is my source declaration and I have put the flags which you have
mentioned.

source s_tomcat {
        syslog( transport("udp") flags(indent-multi-line));
};

I got the following error when I am trying to put the flags:

Error parsing afsocket, Unknown flag indent-multi-line in
/usr/local/syslog-ng-3.4.2/etc/syslog-ng.conf at line 54, column 33:

        syslog( transport("udp") flags(indent-multi-line) );


On Thu, Jul 11, 2013 at 10:22 AM, <syslog-ng-request at lists.balabit.hu> wrote:

> Message: 1
> Date: Thu, 11 Jul 2013 13:53:56 +0200
> From: Balazs Scheidler <bazsi at balabit.hu>
> Subject: Re: [syslog-ng] Multi-line support issue
> To: Syslog-ng users' and developers' mailing list
>         <syslog-ng at lists.balabit.hu>
> Message-ID: <1373543636.3171.17.camel at bzorp>
> Content-Type: text/plain; charset="UTF-8"
>
>
> I can't see the source declaration, it must be something along the lines
> of:
>
> source s_tomcat {
>     file("/var/log/tomcat/xxx.log" flags(indent-multi-line));
> };
>
> On Wed, 2013-07-10 at 12:54 -0400, Satish Patel wrote:
> > Hi Balazs,
> >
> >
> > what is your thought about my config? did you see?
> >
> >
> >
> > On Mon, Jul 8, 2013 at 12:30 PM, Satish Patel <satish.txt at gmail.com>
> > wrote:
> >         This is what i have configured and no luck with it.. can you
> >         suggest what i am missing?
> >
> >         destination d02_tc74_log
> >         { file("/logs/server1/tomcat7.4/catalina_$YEAR$MONTH$DAY.log"
> >         template("$(indent-multi-line ${MESSAGE})\n")
> >         template(t_tomcatlog) owner("root") group("root") perm(0644)
> >         dir_perm(0755) create_dirs(yes)); };
> >         filter server1 { host("server1.example.com") };
> >         log {
> >           source (s_tomcat);
> >           filter (server1);
> >           filter (tomcat7_4);
> >           destination (d02_tc74_log);
> >         };
> >
> >
> >
> >
> >         On Mon, Jul 8, 2013 at 12:08 PM, Satish Patel
> >         <satish.txt at gmail.com> wrote:
> >                 How do I use indented-multi-line? I meant where do I
> >                 configure it? I tried but my syslog-ng doesn't
> >                 recognize this option. I have syslog-ng 3.3.7. Could
> >                 you give me an example of where and how I check whether
> >                 it is supported or not?
> >
> >
> >
> >                 On Sat, Jul 6, 2013 at 2:12 AM, Balazs Scheidler
> >                 <bazsi77 at gmail.com> wrote:
> >                         This looks like the format that should be
> >                         supported by indented-multi-line
> >
> >                         On Jul 5, 2013 9:33 PM, "Satish Patel"
> >                         <satish.txt at gmail.com> wrote:
> >                                 Here is my tomcat catalina.out log
> >                                 file sample. See there is a tab space
> >                                 in logs
> >
> >                                 2013-06-27 05:30:00,065 [EDISN-Scheduler_Worker-2] ERROR com.example.edisn.sftp.SftpSession - Exception attempting to work with an SFTP Session: connection is closed by foreign host
> >                                 2013-06-27 05:30:00,066 [EDISN-Scheduler_Worker-2] ERROR org.quartz.core.JobRunShell - Job EDISN.CTMS_Upload threw an unhandled Exception:
> >                                 com.example.edisn.EdisnRuntimeException: Exception attempting to work with an SFTP Session: connection is closed by foreign host
> >                                         at com.example.edisn.sftp.SftpSession.doSession(SftpSession.java:64)
> >                                         at com.example.edisn.EdisnSession.exec(EdisnSession.java:13)
> >                                         at com.example.ctms.CtmsScheduledJob.executeInternal(CtmsScheduledJob.java:27)
> >                                         at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86)
> >                                         at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
> >                                         at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:525)
> >                                 Caused by: com.jcraft.jsch.JSchException: connection is closed by foreign host
> >                                         at com.jcraft.jsch.Session.connect(Unknown Source)
> >                                         at com.jcraft.jsch.Session.connect(Unknown Source)
> >                                         at com.example.edisn.sftp.SftpSession.doSession(SftpSession.java:45)
> >                                         ... 5 more
> >
> >
> >
> >
> >                                 On Fri, Jul 5, 2013 at 3:27 PM, Balazs
> >                                 Scheidler <bazsi77 at gmail.com> wrote:
> >                                         No, I implemented a different
> >                                         multiline style support first
> >                                         (that is not in pe), where
> >                                         continuation lines are
> >                                         indicated by indentation, like
> >                                         mime.
> >
> >                                         Iirc tomcat has this kind of
> >                                         log file. Can you show a
> >                                         sample log entry?
> >
> >                                         The infrastructure for
> >                                         multiline-prefix is also there
> >                                         but not added yet.
> >
> >                                         Let me see the sample, I'll
> >                                         tell if the current solution
> >                                         works or not.
> >
> >                                         On Jul 5, 2013 8:24 PM, "Satish Patel" <satish.txt at gmail.com> wrote:
> >                                                 Thanks for the reply, Balazs.
> >
> >                                                 You mean to say this feature is available in Open Source Edition
> >                                                 (OSE) 3.4? Once after specifying flag "indented-multi-line"
> >                                                 I can use multi-line-prefix?
> >
> >                                                 On Fri, Jul 5, 2013 at 1:26 PM, Balazs Scheidler <bazsi77 at gmail.com> wrote:
> >                                                         You have found the PE documentation but I have already
> >                                                         ported this to the OSE tree and it has been released as
> >                                                         part of 3.4.
> >
> >                                                         You have to specify indented-multi-line as a flag to the
> >                                                         file source.
> >
> >                                                         On Jul 5, 2013 6:28 PM, "Satish Patel" <satish.txt at gmail.com> wrote:
> >                                                                 We have a tomcat shop and, as everyone knows, tomcat
> >                                                                 has a java call trace in logs with tab space but
> >                                                                 syslog-ng doesn't know about it and is printing lines
> >                                                                 as a new line. I have read here syslog-ng 3.x does
> >                                                                 support multi-line logs
> >                                                                 http://www.balabit.com/sites/default/files/documents/syslog-ng-pe-4.0-guides/en/syslog-ng-pe-v4.0-guide-admin-en/html/reference_source_syslog.html
> >
> >                                                                 But is this feature available in Open Source
> >                                                                 syslog-ng? If yes then why is it not working for me?
> >
> >
> >
> >
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq



-- 
Yarick Tsagoyko
yarick at yarick.com
+1 443 255 2388
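
The two grouping rules discussed in this thread, compared in Python as an added example (not code from any poster or from syslog-ng): continuation by indentation versus a start-of-message pattern. The sample is constructed after the quoted Tomcat excerpt; the function names, the timestamp regex, and the assumption that the exception line and "Caused by:" start in column 0 are mine.

```python
import re

# Constructed sample modelled on the Tomcat excerpt quoted in the thread.
# Assumption: stack frames begin with a tab, while the exception line and
# "Caused by:" begin in column 0, as Java prints them.
SAMPLE = "\n".join([
    "2013-06-27 05:30:00,065 [EDISN-Scheduler_Worker-2] ERROR "
    "com.example.edisn.sftp.SftpSession - Exception attempting to work "
    "with an SFTP Session: connection is closed by foreign host",
    "2013-06-27 05:30:00,066 [EDISN-Scheduler_Worker-2] ERROR "
    "org.quartz.core.JobRunShell - Job EDISN.CTMS_Upload threw an "
    "unhandled Exception: ",
    "com.example.edisn.EdisnRuntimeException: Exception attempting to "
    "work with an SFTP Session: connection is closed by foreign host",
    "\tat com.example.edisn.sftp.SftpSession.doSession(SftpSession.java:64)",
    "\tat com.example.edisn.EdisnSession.exec(EdisnSession.java:13)",
    "Caused by: com.jcraft.jsch.JSchException: connection is closed by foreign host",
    "\tat com.jcraft.jsch.Session.connect(Unknown Source)",
    "\t... 5 more",
])

# Hypothetical start-of-message pattern: the log4j-style timestamp that
# opens every real event in the sample.
START_OF_MESSAGE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")


def group_indented(lines):
    """Indentation rule: a line starting with space or tab continues
    the previous record; anything else starts a new record."""
    records = []
    for line in lines:
        if records and line[:1] in (" ", "\t"):
            records[-1].append(line)
        else:
            records.append([line])
    return records


def group_by_prefix(lines, prefix=START_OF_MESSAGE):
    """Prefix rule: only a line matching the start-of-message pattern
    opens a new record; every other line is glued to the current one."""
    records = []
    for line in lines:
        if not records or prefix.match(line):
            records.append([line])
        else:
            records[-1].append(line)
    return records


def orphans(records, prefix=START_OF_MESSAGE):
    """Records whose first line carries no timestamp: fragments that
    would reach the log store without time, thread or logger context."""
    return [r for r in records if not prefix.match(r[0])]


def flatten(record):
    """Glue one record into a single line for line-oriented storage."""
    return " ".join(part.strip() for part in record)


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for name, grouper in (("indented", group_indented),
                          ("prefix", group_by_prefix)):
        recs = grouper(lines)
        print(f"{name}: {len(recs)} records, {len(orphans(recs))} orphaned")
        for rec in recs:
            print("   ", flatten(rec)[:100])
```

On this sample the indentation rule still splits the exception header and the "Caused by:" chain into records of their own, which matters when alerts or correlation rules key on the timestamped line.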
