[syslog-ng] Multi-line support issue
Satish Patel
satish.txt at gmail.com
Thu Jul 11 21:37:34 CEST 2013
I have upgraded to 3.5 but I am still having the issue: it is not supporting
that option on a UDP source. Can you confirm it is supported on UDP/TCP?
On Thu, Jul 11, 2013 at 12:54 PM, Satish Patel <satish.txt at gmail.com> wrote:
> Ah!!! Where do I download 3.5 Open Source? Could you please point me to it?
> Also, in my case I am using a UDP port for the source, so my syntax would be like
> the following, right?
>
> source s_tomcat {
> syslog( transport("udp") multi-line-mode(indented));
> };
>
>
> On Thu, Jul 11, 2013 at 12:40 PM, Balazs Scheidler <bazsi77 at gmail.com> wrote:
>
>> My gosh, I incorrectly remembered a number of vital details, sorry for
>> that.
>>
>> The syntax has been changed from the flags format, it's like this:
>>
>> file('tomcat.log' multi-line-mode(indented));
>>
>> I have actually tried this one. However, I have one other piece of bad news: this
>> feature missed 3.4, so it's only available in the 3.5 branch. IIRC Algernon
>> already published 3.5 binaries for Debian/Ubuntu distros.
>> On Jul 11, 2013 4:22 PM, "Satish Patel" <satish.txt at gmail.com> wrote:
>>
>>> This is my source declaration, and I have put in the flags which you have
>>> mentioned.
>>>
>>> source s_tomcat {
>>> syslog( transport("udp") flags(indent-multi-line));
>>> };
>>>
>>> I got the following error when trying to set the flags:
>>>
>>> Error parsing afsocket, Unknown flag indent-multi-line in
>>> /usr/local/syslog-ng-3.4.2/etc/syslog-ng.conf at line 54, column 33:
>>>
>>> syslog( transport("udp") flags(indent-multi-line) );
>>>                                ^^^^^^^^^^^^^^^^^
>>>
>>>
>>>
>>>
>>> On Thu, Jul 11, 2013 at 7:53 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:
>>>
>>>>
>>>> I can't see the source declaration, it must be something along the lines
>>>> of:
>>>>
>>>> source s_tomcat {
>>>> file("/var/log/tomcat/xxx.log" flags(indent-multi-line));
>>>> };
>>>>
>>>> On Wed, 2013-07-10 at 12:54 -0400, Satish Patel wrote:
>>>> > Hi Balazs,
>>>> >
>>>> > What is your thought about my config? Did you see it?
>>>> >
>>>> > On Mon, Jul 8, 2013 at 12:30 PM, Satish Patel <satish.txt at gmail.com> wrote:
>>>> > This is what I have configured and no luck with it. Can you
>>>> > suggest what I am missing?
>>>> >
>>>> > destination d02_tc74_log
>>>> > { file("/logs/server1/tomcat7.4/catalina_$YEAR$MONTH$DAY.log"
>>>> > template("$(indent-multi-line ${MESSAGE})\n")
>>>> > template(t_tomcatlog) owner("root") group("root") perm(0644)
>>>> > dir_perm(0755) create_dirs(yes)); };
>>>> > filter server1 { host("server1.example.com") };
>>>> > log {
>>>> > source (s_tomcat);
>>>> > filter (server1);
>>>> > filter (tomcat7_4);
>>>> > destination (d02_tc74_log);
>>>> > };
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > On Mon, Jul 8, 2013 at 12:08 PM, Satish Patel <satish.txt at gmail.com> wrote:
>>>> > How do I use indented-multi-line? I mean, where do I configure it? I tried,
>>>> > but my syslog-ng doesn't recognize this option. I have syslog-ng 3.3.7. Could
>>>> > you give me an example of where and how I check whether it is supported or not?
>>>> >
>>>> > On Sat, Jul 6, 2013 at 2:12 AM, Balazs Scheidler <bazsi77 at gmail.com> wrote:
>>>> > This looks like the format that should be supported by indented-multi-line.
>>>> >
>>>> > On Jul 5, 2013 9:33 PM, "Satish Patel" <satish.txt at gmail.com> wrote:
>>>> > Here is my tomcat catalina.out log file sample. See, there is a tab space in the logs.
>>>> >
>>>> > 2013-06-27 05:30:00,065 [EDISN-Scheduler_Worker-2] ERROR com.example.edisn.sftp.SftpSession - Exception attempting to work with an SFTP Session: connection is closed by foreign host
>>>> > 2013-06-27 05:30:00,066 [EDISN-Scheduler_Worker-2] ERROR org.quartz.core.JobRunShell - Job EDISN.CTMS_Upload threw an unhandled Exception:
>>>> > com.example.edisn.EdisnRuntimeException: Exception attempting to work with an SFTP Session: connection is closed by foreign host
>>>> >     at com.example.edisn.sftp.SftpSession.doSession(SftpSession.java:64)
>>>> >     at com.example.edisn.EdisnSession.exec(EdisnSession.java:13)
>>>> >     at com.example.ctms.CtmsScheduledJob.executeInternal(CtmsScheduledJob.java:27)
>>>> >     at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86)
>>>> >     at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
>>>> >     at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:525)
>>>> > Caused by: com.jcraft.jsch.JSchException: connection is closed by foreign host
>>>> >     at com.jcraft.jsch.Session.connect(Unknown Source)
>>>> >     at com.jcraft.jsch.Session.connect(Unknown Source)
>>>> >     at com.example.edisn.sftp.SftpSession.doSession(SftpSession.java:45)
>>>> >     ... 5 more
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > On Fri, Jul 5, 2013 at 3:27 PM, Balazs Scheidler <bazsi77 at gmail.com> wrote:
>>>> > No, I implemented a different multiline style support first (that is not
>>>> > in PE), where continuation lines are indicated by indentation, like MIME.
>>>> >
>>>> > IIRC Tomcat has this kind of log file. Can you show a sample log entry?
>>>> >
>>>> > The infrastructure for multiline-prefix is also there but not added yet.
>>>> >
>>>> > Let me see the sample, I'll tell you if the current solution works or not.
>>>> >
>>>> > On Jul 5, 2013 8:24 PM, "Satish Patel" <satish.txt at gmail.com> wrote:
>>>> > Thanks for the reply, Balazs.
>>>> >
>>>> > You mean to say this feature is available in Open Source Edition (OSE) 3.4?
>>>> > Once I specify the flag "indented-multi-line", can I use multi-line-prefix?
>>>> >
>>>> > On Fri, Jul 5, 2013 at 1:26 PM, Balazs Scheidler <bazsi77 at gmail.com> wrote:
>>>> > You have found the PE documentation, but I have already ported this to the
>>>> > OSE tree and it has been released as part of 3.4.
>>>> >
>>>> > You have to specify indented-multi-line as a flag to the file source.
>>>> >
>>>> > On Jul 5, 2013 6:28 PM, "Satish Patel" <satish.txt at gmail.com> wrote:
>>>> > We have a tomcat shop and, as everyone knows, tomcat has a java call trace in
>>>> > logs with tab space, but syslog-ng doesn't know about it and prints the lines
>>>> > as new lines. I have read here that syslog-ng 3.x does support multi-line logs:
>>>> > http://www.balabit.com/sites/default/files/documents/syslog-ng-pe-4.0-guides/en/syslog-ng-pe-v4.0-guide-admin-en/html/reference_source_syslog.html
>>>> >
>>>> > But is this feature available in Open Source syslog-ng? If yes, then why is it
>>>> > not working for me?
>>>> >
>>>> > ______________________________________________________________________________
>>>> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
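The indentation rule described in the thread, applied to a shortened copy of the Tomcat sample (an added example, not code from the posters or from syslog-ng). The sample's whitespace, the timestamp-prefix rule used for comparison, and all function names are assumptions; it shows that the unindented exception header and `Caused by:` lines open their own records under the indentation rule, which leaves trace fragments with no timestamp for downstream correlation.

```python
import re

# Constructed sample, shortened from the Tomcat excerpt quoted in the thread.
# Assumption: "at" frames are tab-indented; other lines start at column 0.
SAMPLE = """\
2013-06-27 05:30:00,065 [EDISN-Scheduler_Worker-2] ERROR com.example.edisn.sftp.SftpSession - Exception attempting to work with an SFTP Session: connection is closed by foreign host
2013-06-27 05:30:00,066 [EDISN-Scheduler_Worker-2] ERROR org.quartz.core.JobRunShell - Job EDISN.CTMS_Upload threw an unhandled Exception:
com.example.edisn.EdisnRuntimeException: Exception attempting to work with an SFTP Session: connection is closed by foreign host
\tat com.example.edisn.sftp.SftpSession.doSession(SftpSession.java:64)
\tat com.example.edisn.EdisnSession.exec(EdisnSession.java:13)
Caused by: com.jcraft.jsch.JSchException: connection is closed by foreign host
\tat com.jcraft.jsch.Session.connect(Unknown Source)
\t... 5 more
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")

def group(lines, starts_record):
    """Join lines into records; starts_record(line) decides where one begins."""
    records, current = [], []
    for line in lines:
        if not line.strip():
            continue                      # blank lines carry no content
        if current and not starts_record(line):
            current.append(line)          # continuation of the open record
        else:
            if current:
                records.append("\n".join(current))
            current = [line]              # new record, or an orphan continuation
    if current:
        records.append("\n".join(current))
    return records

def group_indented(lines):
    # Rule from the thread: continuation lines are indicated by indentation.
    return group(lines, lambda l: l[0] not in " \t")

def group_by_prefix(lines):
    # Hypothetical prefix rule for comparison: only a timestamp starts a record.
    return group(lines, lambda l: TIMESTAMP.match(l) is not None)

def fragments(records):
    """Records with no timestamp: trace pieces cut loose from their event."""
    return [r for r in records if not TIMESTAMP.match(r)]

if __name__ == "__main__":
    for fn in (group_indented, group_by_prefix):
        recs = fn(SAMPLE.splitlines())
        print(fn.__name__, len(recs), "records,", len(fragments(recs)), "without timestamp")
```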