[syslog-ng] Multi-line support issue

Balazs Scheidler bazsi77 at gmail.com
Thu Jul 11 23:03:54 CEST 2013


It's available in the git repo, Algernon (cc) may have published binaries.

For syslog(transport(udp)) you don't need this flag, as UDP supports
multiline just fine. The original sender decides whether it sends the
message with newlines or not. What client sends you messages?
On Jul 11, 2013 6:54 PM, "Satish Patel" <satish.txt at gmail.com> wrote:

> Ah!!! Where do I download 3.5 OpenSource? Could you please point me out..
> Also in my case I am using UDP port for source so my syntax would be like
> following? Right?
>
> source s_tomcat {
>         syslog( transport("udp") multi-line-mode(indented));
> };
>
>
> On Thu, Jul 11, 2013 at 12:40 PM, Balazs Scheidler <bazsi77 at gmail.com> wrote:
>
>> My gosh, I incorrectly remembered a number of vital details, sorry for
>> that.
>>
>> The syntax has been changed from the flags format, it's like this:
>>
>> file('tomcat.log' multi-line-mode(indented));
>>
>> I have actually tried this one, however I have one other bad news, this
>> feature missed 3.4 so it's only available in the 3.5 branch. IIRC Algernon
>> already published 3.5 binaries for Debian/Ubuntu distros.
>>  On Jul 11, 2013 4:22 PM, "Satish Patel" <satish.txt at gmail.com> wrote:
>>
>>> This is my source declaration and I have put the flags which you have
>>> mentioned.
>>>
>>> source s_tomcat {
>>>         syslog( transport("udp") flags(indent-multi-line));
>>> };
>>>
>>> I got the following error when I am trying to put flags
>>>
>>> Error parsing afsocket, Unknown flag indent-multi-line in
>>> /usr/local/syslog-ng-3.4.2/etc/syslog-ng.conf at line 54, column 33:
>>>
>>>         syslog( transport("udp") flags(indent-multi-line) );
>>>                                        ^^^^^^^^^^^^^^^^^
>>>
>>>
>>>
>>>
>>> On Thu, Jul 11, 2013 at 7:53 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:
>>>
>>>>
>>>> I can't see the source declaration, it must be something along the lines
>>>> of:
>>>>
>>>> source s_tomcat {
>>>>     file("/var/log/tomcat/xxx.log" flags(indent-multi-line));
>>>> };
>>>>
>>>> On Wed, 2013-07-10 at 12:54 -0400, Satish Patel wrote:
>>>> > Hi Balazs,
>>>> >
>>>> >
>>>> > what is your thought about my config? did you see?
>>>> >
>>>> >
>>>> >
>>>> > On Mon, Jul 8, 2013 at 12:30 PM, Satish Patel <satish.txt at gmail.com>
>>>> > wrote:
>>>> >         This is what I have configured and no luck with it.. Can you
>>>> >         suggest what I am missing?
>>>> >
>>>> >         destination d02_tc74_log
>>>> >         { file("/logs/server1/tomcat7.4/catalina_$YEAR$MONTH$DAY.log"
>>>> >         template("$(indent-multi-line ${MESSAGE})\n")
>>>> >         template(t_tomcatlog) owner("root") group("root") perm(0644)
>>>> >         dir_perm(0755) create_dirs(yes)); };
>>>> >         filter server1 { host("server1.example.com") };
>>>> >         log {
>>>> >           source (s_tomcat);
>>>> >           filter (server1);
>>>> >           filter (tomcat7_4);
>>>> >           destination (d02_tc74_log);
>>>> >         };
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >         On Mon, Jul 8, 2013 at 12:08 PM, Satish Patel
>>>> >         <satish.txt at gmail.com> wrote:
>>>> >                 How do I use indented-multi-line? I meant where do I
>>>> >                 configure it? I tried but my syslog-ng doesn't
>>>> >                 recognize this option. I have syslog-ng 3.3.7. Could
>>>> >                 you give me an example where and how do I check whether
>>>> >                 it is supported or not
>>>> >
>>>> >
>>>> >
>>>> >                 On Sat, Jul 6, 2013 at 2:12 AM, Balazs Scheidler
>>>> >                 <bazsi77 at gmail.com> wrote:
>>>> >                         This looks like the format that should be
>>>> >                         supported by indented-multi-line
>>>> >
>>>> >                         On Jul 5, 2013 9:33 PM, "Satish Patel"
>>>> >                         <satish.txt at gmail.com> wrote:
>>>> >                                 Here is my tomcat catalina.out log
>>>> >                                 file sample. See there is a tab space
>>>> >                                 in logs
>>>> >
>>>> >                                 2013-06-27 05:30:00,065 [EDISN-Scheduler_Worker-2] ERROR com.example.edisn.sftp.SftpSession - Exception attempting to work with an SFTP Session: connection is closed by foreign host
>>>> >                                 2013-06-27 05:30:00,066 [EDISN-Scheduler_Worker-2] ERROR org.quartz.core.JobRunShell - Job EDISN.CTMS_Upload threw an unhandled Exception:
>>>> >                                 com.example.edisn.EdisnRuntimeException: Exception attempting to work with an SFTP Session: connection is closed by foreign host
>>>> >                                         at com.example.edisn.sftp.SftpSession.doSession(SftpSession.java:64)
>>>> >                                         at com.example.edisn.EdisnSession.exec(EdisnSession.java:13)
>>>> >                                         at com.example.ctms.CtmsScheduledJob.executeInternal(CtmsScheduledJob.java:27)
>>>> >                                         at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86)
>>>> >                                         at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
>>>> >                                         at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:525)
>>>> >                                 Caused by: com.jcraft.jsch.JSchException: connection is closed by foreign host
>>>> >                                         at com.jcraft.jsch.Session.connect(Unknown Source)
>>>> >                                         at com.jcraft.jsch.Session.connect(Unknown Source)
>>>> >                                         at com.example.edisn.sftp.SftpSession.doSession(SftpSession.java:45)
>>>> >                                         ... 5 more
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >                                 On Fri, Jul 5, 2013 at 3:27 PM, Balazs
>>>> >                                 Scheidler <bazsi77 at gmail.com> wrote:
>>>> >                                         No, I implemented a different
>>>> >                                         multiline style support first
>>>> >                                         (that is not in pe), where
>>>> >                                         continuation lines are
>>>> >                                         indicated by indentation, like
>>>> >                                         mime.
>>>> >
>>>> >                                         Iirc tomcat has this kind of
>>>> >                                         log file. Can you show a
>>>> >                                         sample log entry?
>>>> >
>>>> >                                         The infrastructure for
>>>> >                                         multiline-prefix is also there
>>>> >                                         but not added yet.
>>>> >
>>>> >                                         Let me see the sample, I'll
>>>> >                                         tell if the current solution
>>>> >                                         works or not.
>>>> >
>>>> >                                         On Jul 5, 2013 8:24 PM, "Satish Patel" <satish.txt at gmail.com> wrote:
>>>> >                                                 Thanks for reply Balazs,
>>>> >
>>>> >                                                 You mean say this feature is available in Open Source Edition
>>>> >                                                 (OSE) 3.4? Once after specifying flag "indented-multi-line"
>>>> >                                                 I can use multi-line-prefix?
>>>> >
>>>> >
>>>> >
>>>> >                                                 On Fri, Jul 5, 2013 at 1:26 PM, Balazs Scheidler <bazsi77 at gmail.com> wrote:
>>>> >                                                         You have found the PE documentation but I have already
>>>> >                                                         ported this to the OSE tree and it has been released as
>>>> >                                                         part of 3.4.
>>>> >
>>>> >                                                         You have to specify indented-multi-line as a flag to the
>>>> >                                                         file source.
>>>> >
>>>> >                                                         On Jul 5, 2013 6:28 PM, "Satish Patel" <satish.txt at gmail.com> wrote:
>>>> >
>>>> >                                                                 We have tomcat shop and as everyone knows tomcat has a java
>>>> >                                                                 call trace in logs with tab space but syslog-ng doesn't know
>>>> >                                                                 about it and printing lines as a new line. I have read here
>>>> >                                                                 syslog-ng 3.x does support multi-line logs
>>>> >                                                                 http://www.balabit.com/sites/default/files/documents/syslog-ng-pe-4.0-guides/en/syslog-ng-pe-v4.0-guide-admin-en/html/reference_source_syslog.html
>>>> >
>>>> >                                                                 But is this feature available in Open Source syslog-ng? If
>>>> >                                                                 yes then why it's not working for me?
>>>> >
>>>> >
>>>> >
>>>> >
>>>> ______________________________________________________________________________
>>>> >                                                                 Member
>>>> >                                                                 info:
>>>> >
>>>> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>> >
>>>> Documentation:
>>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>>> >                                                                 FAQ:
>>>> >
>>>> http://www.balabit.com/wiki/syslog-ng-faq
>
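
Added example, not part of the thread and not syslog-ng code: a Python model of the rule described above (continuation lines are indicated by indentation), run on a constructed sample shaped like the quoted Tomcat trace. It assumes the usual Java layout in which the exception class line and "Caused by:" start at column 0, so under this rule they begin new records and the timestamped line is left without its trace.

```python
# Model of indentation-based multi-line grouping: a line that starts with
# whitespace continues the previous record; any other line starts a new one.
# Illustration only; function names are hypothetical, not syslog-ng internals.

# Constructed sample, shaped like the Tomcat log quoted in the thread.
SAMPLE = (
    "2013-06-27 05:30:00,066 [EDISN-Scheduler_Worker-2] ERROR "
    "org.quartz.core.JobRunShell - Job EDISN.CTMS_Upload threw an unhandled Exception:\n"
    "com.example.edisn.EdisnRuntimeException: Exception attempting to work with an SFTP Session\n"
    "\tat com.example.edisn.sftp.SftpSession.doSession(SftpSession.java:64)\n"
    "\tat com.example.edisn.EdisnSession.exec(EdisnSession.java:13)\n"
    "Caused by: com.jcraft.jsch.JSchException: connection is closed by foreign host\n"
    "\tat com.jcraft.jsch.Session.connect(Unknown Source)\n"
    "\t... 5 more\n"
)


def group_indented(lines):
    """Fold whitespace-indented lines into the preceding record."""
    records = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue  # modelling choice: empty lines are dropped
        if line[0] in " \t" and records:
            records[-1].append(line)   # continuation of the previous record
        else:
            records.append([line])     # non-indented line opens a new record
    return ["\n".join(r) for r in records]


def orphan_headers(records):
    """Single-line records: events that ended up without any continuation."""
    return [r for r in records if "\n" not in r]


if __name__ == "__main__":
    recs = group_indented(SAMPLE.splitlines())
    for i, rec in enumerate(recs, 1):
        print(f"--- record {i}: {rec.count(chr(10)) + 1} line(s)")
        print(rec)
    print("single-line records:", len(orphan_headers(recs)))
```

When correlating on the timestamped ERROR line, check whether the stack frames landed in the same record or in the ones that follow it.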