[syslog-ng] Syslog-ng message formatting

PÁSZTOR György pasztor at linux.gyakg.u-szeged.hu
Mon Aug 17 11:10:07 CEST 2015


"Jacek Drewniak" <jacek.drewniak at oort.in> wrote on 2015-08-14 at 15:44:
> Thanks for the advice.
> Now my configs:
> http://pastebin.com/G6S2YV6S
> http://pastebin.com/wCVc2hqH

As far as I see, you put the flags(syslog-protocol) in the wrong place.
In the "syslog()" source (even if it's TLS), you do not have to specify
that it is syslog-protocol, since that is the default.
flags(syslog-protocol) is needed only when you do not have framing.
But since it's TLS, and the other side is a syslog-ng too, it is not needed
to define flags(syslog-protocol) there either.
Where you do need flags(syslog-protocol) is the file() source, since if
you do not define otherwise, the default is that every line is a new
message. That's why the complete line appears as the "$MESSAGE" part.

So suggested changes:
* s_hub1 & s_hub2: add flags(syslog-protocol)
* d_tls: remove flags(syslog-protocol)
* s_tls: remove flags(syslog-protocol)

> Sending log: http://pastebin.com/Euhp1Lmz
> Now it is parsed: http://pastebin.com/x46pk4FF
> So this didn't help.

See above!

> Yes, the "[TIMER]" part is also part of the message.
> @Gyu I don't understand this part about the length of the message. Do you have
> a link to the documentation?

The format/protocol specification is not part of the syslog documentation.
Since it's a protocol, these are defined in RFCs. The IETF syslog protocol
itself is defined in RFC5424, and the transport related things, e.g. the
framing, are defined in RFC5425 and RFC5426.
However, the new information, which was not clear to me at first
sight: you want to receive IETF syslog protocol from files.

One important notice: since the sources are files, and you want to receive
syslog-protocol from them, but it is not possible to define framing this way,
you cannot have multi-line messages / values in the SDATA fields, since
one line is one message. On UDP, one packet is one message, and on TCP/TLS
you can have framing (unless you disable it explicitly by defining
flags(syslog-protocol) ), as I already referenced the related RFCs about
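To make the suggested changes concrete, here is an added example configuration (not the configs from the pastebin links, which are not reproduced in this thread) showing flags(syslog-protocol) on the file() sources only, while the TLS syslog() source and destination rely on the default RFC5424 handling. The file paths, hostnames, port and certificate locations are assumed placeholders.

```conf
@version: 3.5

# Assumed placeholder paths: each line of these files is one complete
# RFC5424 message, so the file() source needs flags(syslog-protocol)
# to parse the header and SDATA instead of putting the whole line in $MESSAGE.
source s_hub1 {
    file("/var/log/hub1/rfc5424.log" flags(syslog-protocol) follow-freq(1));
};

source s_hub2 {
    file("/var/log/hub2/rfc5424.log" flags(syslog-protocol) follow-freq(1));
};

# syslog() already speaks RFC5424 with RFC5425 octet-counting framing over TLS;
# no flags(syslog-protocol) here, since that would disable the framing.
source s_tls {
    syslog(
        ip("0.0.0.0") port(6514)
        transport("tls")
        tls(
            key-file("/etc/syslog-ng/key.pem")       # assumed path
            cert-file("/etc/syslog-ng/cert.pem")     # assumed path
            ca-dir("/etc/syslog-ng/ca.d")            # assumed path
            peer-verify(required-trusted)
        )
    );
};

# The remote side is a syslog-ng too, so the default framed RFC5424 is used;
# again no flags(syslog-protocol) on the destination.
destination d_tls {
    syslog(
        "relay.example.org" port(6514)               # assumed peer
        transport("tls")
        tls(ca-dir("/etc/syslog-ng/ca.d") peer-verify(required-trusted))
    );
};

log { source(s_hub1); source(s_hub2); destination(d_tls); };
```

Because the file() sources are line based, a message with a newline inside an SDATA value is still split into two messages at the file side; only the framed TCP/TLS leg can carry multi-line messages intact.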
