[syslog-ng] Multi-line support issue
Satish Patel
satish.txt at gmail.com
Thu Jul 11 18:54:27 CEST 2013
ah!!! where do i download 3.5 OpenSource? could you please point me out..
also in my case i am using UDP port for source so my syntex would be like
following? right?
source s_tomcat {
syslog( transport("udp") multi-line-mode(indented));
};
On Thu, Jul 11, 2013 at 12:40 PM, Balazs Scheidler <bazsi77 at gmail.com>wrote:
> My gosh, I incorrectly remembered a number of vital details, sorry for
> that.
>
> The syntax has been changed from the flags format, it's like this:
>
> file('tomcat.log' multi-line-mode(indented));
>
> I have actually tried this one, however I have one other bad news, this
> feature missed 3.4 so it's only available in the 3.5 branch. IIRC Algernon
> already published 3.5 binaries for Debian/Ubuntu distros.
> On Jul 11, 2013 4:22 PM, "Satish Patel" <satish.txt at gmail.com> wrote:
>
>> This is my source declaration and i have put flags which you have
>> mentioned.
>>
>> source s_tomcat {
>> syslog( transport("udp") flags(indent-multi-line));
>> };
>>
>> I got following error when i am trying to put flags
>>
>> Error parsing afsocket, Unknown flag indent-multi-line in
>> /usr/local/syslog-ng-3.4.2/etc/syslog-ng.conf at line 54, column 33:
>>
>> syslog( transport("udp") flags(indent-multi-line) );
>> ^^^^^^^^^^^^^^^^^
>>
>>
>>
>>
>> On Thu, Jul 11, 2013 at 7:53 AM, Balazs Scheidler <bazsi at balabit.hu>wrote:
>>
>>>
>>> I can't see the source declaration, it must be something along the lines
>>> of:
>>>
>>> source s_tomcat {
>>> file("/var/log/tomcat/xxx.log" flags(indent-multi-line));
>>> };
>>>
>>> On Wed, 2013-07-10 at 12:54 -0400, Satish Patel wrote:
>>> > Hi Balazs,
>>> >
>>> >
>>> > what is your thought about my config? did you see?
>>> >
>>> >
>>> >
>>> > On Mon, Jul 8, 2013 at 12:30 PM, Satish Patel <satish.txt at gmail.com>
>>> > wrote:
>>> > This is what i have configured and no luck with it.. can you
>>> > suggest what i am missing?
>>> >
>>> > destination d02_tc74_log
>>> > { file("/logs/server1/tomcat7.4/catalina_$YEAR$MONTH$DAY.log"
>>> > template("$(indent-multi-line ${MESSAGE})\n")
>>> > template(t_tomcatlog) owner("root") group("root") perm(0644)
>>> > dir_perm(0755) create_dirs(yes)); };
>>> > filter server1 { host("server1.example.com") };
>>> > log {
>>> > source (s_tomcat);
>>> > filter (server1);
>>> > filter (tomcat7_4);
>>> > destination (d02_tc74_log);
>>> > };
>>> >
>>> >
>>> >
>>> >
>>> > On Mon, Jul 8, 2013 at 12:08 PM, Satish Patel
>>> > <satish.txt at gmail.com> wrote:
>>> > How do i use indented-multi-line ? I meant where do i
>>> > configure it? I tried but my syslog-ng doesn't
>>> > recognizing this option i have syslog-ng 3.3.7 could
>>> > you give me example where and how do i check whether
>>> > it is supported or not
>>> >
>>> >
>>> >
>>> > On Sat, Jul 6, 2013 at 2:12 AM, Balazs Scheidler
>>> > <bazsi77 at gmail.com> wrote:
>>> > This looks.like the format that should be
>>> > supported by indented-multi-line
>>> >
>>> > On Jul 5, 2013 9:33 PM, "Satish Patel"
>>> > <satish.txt at gmail.com> wrote:
>>> > Here is my tomcat catalina.out log
>>> > file sample. See there is a tab space
>>> > in logs
>>> >
>>> > 2013-06-27 05:30:00,065
>>> > [EDISN-Scheduler_Worker-2] ERROR
>>> > com.example.edisn.sftp.SftpSession -
>>> > Exception attempting to work with an
>>> > SFTP Session: connection is closed by
>>> > foreign host
>>> > 2013-06-27 05:30:00,066
>>> > [EDISN-Scheduler_Worker-2] ERROR
>>> > org.quartz.core.JobRunShell - Job
>>> > EDISN.CTMS_Upload threw an unhandled
>>> > Exception:
>>> >
>>> com.example.edisn.EdisnRuntimeException: Exception attempting to work with
>>> an SFTP Session: connection is closed by foreign host
>>> > at
>>> >
>>> com.example.edisn.sftp.SftpSession.doSession(SftpSession.java:64)
>>> > at
>>> >
>>> com.example.edisn.EdisnSession.exec(EdisnSession.java:13)
>>> > at
>>> >
>>> com.example.ctms.CtmsScheduledJob.executeInternal(CtmsScheduledJob.java:27)
>>> > at
>>> >
>>> org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86)
>>> > at
>>> >
>>> org.quartz.core.JobRunShell.run(JobRunShell.java:202)
>>> > at
>>> > org.quartz.simpl.SimpleThreadPool
>>> >
>>> $WorkerThread.run(SimpleThreadPool.java:525)
>>> > Caused by:
>>> > com.jcraft.jsch.JSchException:
>>> > connection is closed by foreign host
>>> > at
>>> >
>>> com.jcraft.jsch.Session.connect(Unknown Source)
>>> > at
>>> >
>>> com.jcraft.jsch.Session.connect(Unknown Source)
>>> > at
>>> >
>>> com.example.edisn.sftp.SftpSession.doSession(SftpSession.java:45)
>>> > ... 5 more
>>> >
>>> >
>>> >
>>> >
>>> > On Fri, Jul 5, 2013 at 3:27 PM, Balazs
>>> > Scheidler <bazsi77 at gmail.com> wrote:
>>> > No, I implemented a different
>>> > multiline style support first
>>> > (that is not in pe), where
>>> > continuation lines are
>>> > indicated by indentation, like
>>> > mime.
>>> >
>>> > Iirc tomcat has this kind of
>>> > log file. Can you show a
>>> > sample log entry?
>>> >
>>> > The infrastructure for
>>> > multiline-prefix is also there
>>> > but not added yet.
>>> >
>>> > Let me see the sample, I'll
>>> > tell if the current solution
>>> > works or not.
>>> >
>>> > On Jul 5, 2013 8:24 PM,
>>> > "Satish Patel"
>>> > <satish.txt at gmail.com> wrote:
>>> > Thanks for reply
>>> > Balazs,
>>> >
>>> >
>>> > You mean say this
>>> > feature is available
>>> > in Open Source Edition
>>> > (OSE) 3.4? Once after
>>> > specifying flag
>>> > "indented-multi-line"
>>> > i can use
>>> > multi-line-prefix?
>>> >
>>> >
>>> >
>>> > On Fri, Jul 5, 2013 at
>>> > 1:26 PM, Balazs
>>> > Scheidler
>>> > <bazsi77 at gmail.com>
>>> > wrote:
>>> > You have found
>>> > the PE
>>> > documentation
>>> > but I have
>>> > already ported
>>> > this to the
>>> > OSE tree and
>>> > has been
>>> > released as
>>> > part of 3.4.
>>> >
>>> > You have to
>>> > specify
>>> >
>>> indented-multi-line as a flag to the file source.
>>> >
>>> > On Jul 5, 2013
>>> > 6:28 PM,
>>> > "Satish Patel"
>>> > <
>>> satish.txt at gmail.com> wrote:
>>> >
>>> > We
>>> > have
>>> > tomcat
>>> > shop
>>> > and at
>>> >
>>> everyone know tomcat has a java call trace in logs with tab space but
>>> syslog-ng doesn't know about it and printing lines as a new line. I have
>>> read here syslog-ng 3.x does support multi-line logs
>>> http://www.balabit.com/sites/default/files/documents/syslog-ng-pe-4.0-guides/en/syslog-ng-pe-v4.0-guide-admin-en/html/reference_source_syslog.html
>>> >
>>> >
>>> > But
>>> > does
>>> > this
>>> >
>>> feature available in Open Source syslog-ng? If yes then why its not working
>>> for me?
>>> >
>>> >
>>> >
>>> >
>>> ______________________________________________________________________________
>>> > Member
>>> > info:
>>> >
>>> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> >
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> > FAQ:
>>> >
>>> http://www.balabit.com/wiki/syslog-ng-faq
>>> >
>>> >
>>> >
>>> >
>>> ______________________________________________________________________________
>>> > Member info:
>>> >
>>> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> > Documentation:
>>> >
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> > FAQ:
>>> >
>>> http://www.balabit.com/wiki/syslog-ng-faq
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> ______________________________________________________________________________
>>> > Member info:
>>> >
>>> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> > Documentation:
>>> >
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> > FAQ:
>>> >
>>> http://www.balabit.com/wiki/syslog-ng-faq
>>> >
>>> >
>>> >
>>> >
>>> ______________________________________________________________________________
>>> > Member info:
>>> >
>>> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> > Documentation:
>>> >
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> > FAQ:
>>> >
>>> http://www.balabit.com/wiki/syslog-ng-faq
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> ______________________________________________________________________________
>>> > Member info:
>>> >
>>> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> > Documentation:
>>> >
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> > FAQ:
>>> >
>>> http://www.balabit.com/wiki/syslog-ng-faq
>>> >
>>> >
>>> >
>>> >
>>> ______________________________________________________________________________
>>> > Member info:
>>> >
>>> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> > Documentation:
>>> >
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> ______________________________________________________________________________
>>> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> > Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>> >
>>>
>>>
>>>
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20130711/377e2eb5/attachment-0001.htm
More information about the syslog-ng
mailing list