[syslog-ng] Syslog-ng message formatting

Jacek Drewniak jacek.drewniak at oort.in
Tue Aug 18 08:49:16 CEST 2015


It works! Thank you for the explanation.

-- 
*Jacek Drewniak*
R&D

*email*: jacek.drewniak at oort.in

*mobile*: +48 696 151 670

*website*: www.oort.in

2015-08-17 11:10 GMT+02:00 PÁSZTOR György <pasztor at linux.gyakg.u-szeged.hu>:

> Hi,
>
> "Jacek Drewniak" <jacek.drewniak at oort.in> wrote on 2015-08-14 at 15:44:
> > Thanks for the advice.
> >
> > Now my configs:
> > http://pastebin.com/G6S2YV6S
> > http://pastebin.com/wCVc2hqH
>
> As far as I see, you put the flags(syslog-protocol) in the wrong place.
> In the "syslog()" source (even if it's tls), you do not have to specify
> that it is syslog-protocol, since that is the default.
> flags(syslog-protocol) is needed only when you do not have framing.
> But since it's tls, and the other side is a syslog-ng too, it is not needed
> to define flags(syslog-protocol) there either.
> Where you need the flags(syslog-protocol) is the file() source, since if
> you do not define otherwise, the default is that every line is a new
> message. That's why the complete line appears as the "$MESSAGE" part.
>
> So suggested changes:
> * s_hub1 & s_hub2: add flags(syslog-protocol)
> * d_tls: remove flags(syslog-protocol)
> * s_tls: remove flags(syslog-protocol)
>
> > Sending log: http://pastebin.com/Euhp1Lmz
> > Now it is parsed: http://pastebin.com/x46pk4FF
> > So this didn't help.
>
> See above!
>
> > Yes, "[TIMER]" part is also part of the message.
> >
> > @Gyu I don't understand this part about the length of the message. Do you
> > have a link to the documentation?
>
> The format/protocol specification is not part of the syslog documentation.
> Since it's a protocol, it is defined in RFCs. The IETF syslog protocol
> itself is defined in RFC5424, and the transport related things, e.g. the
> framing, are defined in RFC5425 and RFC5426.
> However, the new information, which was not clear to me at first
> sight: You want to receive IETF syslog protocol from files.
>
> One important note: Since the sources are files, and you want to receive
> syslog-protocol from them, but framing is not possible to define this way,
> you cannot have multi-line messages / values in the sdata fields, since
> one line is one message. On udp: One packet is one message, and on tcp/tls
> you can have framing (unless you disable it explicitly by defining
> flags(syslog-protocol)), as I already referenced the related RFCs about
> that.
>
> Cheers,
> Gyu
>
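The framing point made in the quoted reply, as an added example that is not part of the original thread and is not syslog-ng code: it contrasts RFC 5425 octet-counted framing (`MSG-LEN SP SYSLOG-MSG`) with line-per-message reading of the same RFC 5424 records. The sample records, host names and function names are constructed for illustration.

```python
# Constructed RFC 5424 records; the second carries a newline inside MSG.
RECORDS = [
    b"<134>1 2015-08-14T15:44:00+02:00 hub1 app 4321 - - [TIMER] tick",
    b"<131>1 2015-08-14T15:44:01+02:00 hub2 app 4321 - - stack trace:\n  at frame 0",
]


def frame_octet_counted(records):
    """RFC 5425 framing: MSG-LEN SP SYSLOG-MSG, length counted in octets."""
    return b"".join(b"%d %s" % (len(r), r) for r in records)


def split_octet_counted(stream):
    """Recover the records from an octet-counted byte stream."""
    out, pos = [], 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        if sp == -1 or not stream[pos:sp].isdigit():
            raise ValueError("bad MSG-LEN at offset %d" % pos)
        end = sp + 1 + int(stream[pos:sp])
        if end > len(stream):
            raise ValueError("truncated frame at offset %d" % pos)
        out.append(stream[sp + 1:end])
        pos = end
    return out


def split_lines(stream):
    """What a line-oriented reader sees: every line is a new message."""
    return stream.split(b"\n")


def looks_like_rfc5424(record):
    """Minimal header check: '<PRI>1 ' with PRI in 0..191."""
    if not record.startswith(b"<"):
        return False
    pri, sep, rest = record[1:].partition(b">")
    return bool(sep) and pri.isdigit() and int(pri) <= 191 and rest.startswith(b"1 ")


if __name__ == "__main__":
    framed = split_octet_counted(frame_octet_counted(RECORDS))
    lined = split_lines(b"\n".join(RECORDS))
    print(len(framed), [looks_like_rfc5424(r) for r in framed])
    print(len(lined), [looks_like_rfc5424(r) for r in lined])
```

With framing the two records come back intact; read line by line, the continuation line becomes a third "message" with no valid header, which is the kind of fragment a collector ends up storing as unparsed text.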