[syslog-ng] Flag "no-multiline" not working on Syslog-ng

Alan Sam samsiu.a at gmail.com
Tue Apr 28 16:51:37 CEST 2015


Hello community,

I have the following diagram between some PE and Syslog-ng:

Cisco devices -> Syslog-ng (running on Solaris)

Syslog-ng version:
o NTPSYSLOG# syslog-ng -V
o syslog-ng 3.0.4
o Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.0#master#1b5d618e301ad94aa20e692ffba16469dece8d10
o Compile-Date: Sep  2 2009 06:15:53
o Enable-Threads: off
o Enable-Debug: off
o Enable-GProf: off
o Enable-Memtrace: off
o Enable-Sun-STREAMS: on
o Enable-Sun-Door: on
o Enable-IPv6: on
o Enable-Spoof-Source: on
o Enable-TCP-Wrapper: off
o Enable-SSL: on
o Enable-SQL: off
o Enable-Linux-Caps: off
o Enable-Pcre: on


One of the Cisco devices sends a particular log line that is split in two
lines (there is a line break in between):
Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1)
             received in update for prefix XXXX:XXXX:XXX.XXX.XXX.X/XXX from X.X.X.X

When the log reaches syslog-ng on the Solaris server, it is logged like
this:
Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1)
Mar 13 10:33:14 PE06PVAL01 1182435:          received in update for prefix XXXX:XXXX:XXX.XXX.XXX.X/XXX from X.X.X.X

The log is transferred by UDP from the Cisco device to the Solaris server
(where syslog-ng runs). This is the configuration used in syslog-ng:


ntpsyslog> more /etc/syslog-ng/syslog-ng.conf
@version: 3.0
#
# syslog-ng configuration file.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#


options {
  stats_freq (0);
  flush_lines (0);
  time_reopen (10);
  log_fifo_size (1000);
  long_hostnames(off);
  use_dns (yes);
  use_fqdn (no);
  create_dirs (no);
  keep_hostname (yes);
  perm(0640);
};

source s_sys { sun-streams ("/dev/log" door("/etc/.syslog_door")); internal(); udp(flags("no-multi-line")); };

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/adm/messages"); };
destination d_mail { file("/var/log/syslog"); };
destination d_auth { file("/var/log/authlog"); };
destination d_mlop { usertty("operator"); };
destination d_mlrt { usertty("root"); };
destination d_mlal { usertty("*"); };
destination cisco { file("/respaldo/syslog/cisco/cisco.log"); };
#----------------------------------------------------------------------
#  Forward to a nisip server
#
destination cnc-cisco     { udp("X.X.X.X" port(X)); };
#----------------------------------------------------------------------

filter f_filter1   { level(err) or
                     (level(notice) and facility (auth, kern)); };
filter f_filter2   { level(err) or
                     (facility(kern) and level(notice)) or
                     (facility(daemon) and level(notice)) or
                     (facility(mail) and level(crit)); };
filter f_filter3   { level(alert) or
                     (facility(kern) and level(err)) or
                     (facility(daemon) and level(err)); };
filter f_filter4   { level(alert); };
filter f_filter5   { level(emerg); };
filter f_filter6   { facility(kern) and level(notice); };
filter f_filter7   { facility(mail) and level(debug); };
#filter f_filter10   { level(alert); };
filter f_filter9   { facility(user) and level(alert); };
filter f_cisco     { facility(local2); };



# Alternative
log { source(s_sys_cisco); filter(f_cisco); destination(cisco); };
# Alternative


source s_juniper { file("/respaldo/syslog/juniper/juniper.log"); };
destination d_juniper_tcp { tcp("X.X.X.X" port(X)); };
filter f_juniper_tcp { not match("TOPO|/kernel:|snmpd|trace_*|PING_*|BGP_*|bgp_*|repeated|task|task_connect|EVENT|received iff message|rshd|cron" value("MESSAGE")); };
log { source(s_juniper); filter(f_juniper_tcp); destination(d_juniper_tcp); };

source s_cisco { file("/respaldo/syslog/cisco/cisco.log"); };
destination d_cisco_tcp { tcp("X.X.X.X" port(X)); };
log { source(s_cisco); destination(d_cisco_tcp); };


##################################
# FWD from Syslog to CNC Cisco
##################################
source s_cisco { file("/respaldo/syslog/cisco/cisco.log"); };
log {source(s_cisco); destination(cnc-cisco); };
ntpsyslog>



I have tried different configurations in order to make the "no-multi-line"
flag work. However, none of them have worked:
destination cisco { file("/respaldo/syslog/cisco/cisco.log"
flags(no-multi-line)); };

source s_sys { sun-streams ("/dev/log" door("/etc/.syslog_door"));
internal(); udp(flags("no-multi-line")); };

If more information is required, please do not hesitate to ask for it.

Thank you beforehand for your help.

Alan Sam
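As an added illustration (not part of Alan's post and not syslog-ng code), the Python below looks at the split from two angles. `split_datagram` is a simplified model of the two ways a receiver can treat a single UDP payload that contains an embedded newline: break it into separate messages at the newline, or keep the whole payload as one single-line message, which is the intent of a no-multi-line flag. Separately, the two lines in cisco.log carry consecutive Cisco sequence numbers (1182434 and 1182435), which suggests the device emitted them as two distinct syslog messages; `rejoin_records` shows how such a split can be rejoined when post-processing the file. A record whose message begins with whitespace is appended to the record before it, but only when it comes from the same host and carries the next sequence number, so a stray or injected indented line is never glued onto an unrelated message. The sample lines are constructed from the ones in the post plus one ordinary record, and the line layout regex and the merge rule are assumptions of this example.

```python
import re
from typing import Any, Dict, Iterable, List

# Constructed sample input: the two records quoted in the post, as written to
# cisco.log with syslog-ng's own timestamp/host prefix, plus one ordinary
# record so the merge rule can be seen leaving unrelated lines alone.
SAMPLE_LOG = (
    "Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: "
    "Invalid MPLS label (1)\n"
    "Mar 13 10:33:14 PE06PVAL01 1182435:          received in update for prefix "
    "XXXX:XXXX:XXX.XXX.XXX.X/XXX from X.X.X.X\n"
    "Mar 13 10:33:20 PE06PVAL01 1182436: Mar 13 10:33:19: %SYS-5-CONFIG_I: "
    "Configured from console by vty0\n"
)

# Assumed layout of a cisco.log line: "<syslog ts> <host> <cisco seq>: <msg>".
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<seq>\d+): "
    r"(?P<msg>.*)$"
)


def split_datagram(payload: str, no_multi_line: bool) -> List[str]:
    """Simplified model of receiver-side handling of one UDP payload.

    Line mode: every embedded newline ends a message.
    no-multi-line mode: the whole payload is one message and embedded
    newlines become single spaces (the intent of the flag; this is a
    model for illustration, not syslog-ng's own parser).
    """
    parts = [p for p in payload.split("\n") if p.strip()]
    if no_multi_line:
        return [" ".join(p.strip() for p in parts)]
    return parts


def is_continuation(msg: str) -> bool:
    """Cisco prints the remainder of a wrapped message indented, without a
    timestamp or %FACILITY-SEV-MNEMONIC prefix of its own."""
    return msg[:1].isspace()


def rejoin_records(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Merge indented continuation records into the record before them.

    A continuation is merged only if it comes from the same host and carries
    the next sequence number; anything else stays its own record, so a stray
    or forged indented line cannot be attached to an unrelated message.
    """
    records: List[Dict[str, Any]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m is None:
            # Not a sequence-numbered Cisco record: keep verbatim, never merge.
            records.append({"ts": None, "host": None, "seq": None,
                            "msg": line, "merged_from": []})
            continue
        rec: Dict[str, Any] = m.groupdict()
        rec["seq"] = int(rec["seq"])
        rec["merged_from"] = []
        prev = records[-1] if records else None
        if (prev is not None
                and is_continuation(rec["msg"])
                and prev["host"] == rec["host"]
                and isinstance(prev["seq"], int)
                and rec["seq"] == prev["seq"] + 1):
            prev["msg"] = prev["msg"].rstrip() + " " + rec["msg"].strip()
            prev["merged_from"].append(rec["seq"])
        else:
            records.append(rec)
    return records


def render(rec: Dict[str, Any]) -> str:
    """Write a (possibly merged) record back out as one cisco.log line."""
    if rec["seq"] is None:
        return rec["msg"]
    return f'{rec["ts"]} {rec["host"]} {rec["seq"]}: {rec["msg"]}'


if __name__ == "__main__":
    for r in rejoin_records(SAMPLE_LOG.splitlines()):
        print(render(r))
```

Run as a script it prints the three sample records as two lines, the BGP message rejoined into one; the merged record keeps the first line's sequence number and lists the absorbed one in `merged_from`, so the rewrite remains auditable against the original file.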