[syslog-ng] Flag "no-multiline" not working on Syslog-ng

PÁSZTOR György pasztor at linux.gyakg.u-szeged.hu
Fri May 8 10:37:12 CEST 2015


"Sandor Geller" <sandor.geller at ericsson.com> wrote on 2015-05-08 at 09:32:
> Wow, it was really 'low resolution'. Zooming in showed that there isn't 
> any kind of UDP packet fragmentation happening (not surprising, the 

That's why I asked for a pcap file.
It would have required a smaller attached file, and would have given us more info.
I found a new theory, based on: 1 pic ~= 1 Mword
1 pcap ~= 1000 pic!

> kernel would reassembele fragments transparently to syslog-ng) but the 
> sender device actually splits the logs into multiple packets so 
> syslog-ng does exactly what it should do. Yet another broken syslog 
> implementation on Cisco's side :(

As is basically all of their syslog implementation.

> I'm not aware of how such logs could get concatenated without writing an 
> app which postprocesses the logs.

That's another reason why I asked for a pcap file. I gave up.
Maybe there is a chance to do that with some patterndb magic, where we can
"process" and "correlate", etc.

Kind regards,
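The thread above describes a sender that splits one log line across several UDP datagrams, so syslog-ng (correctly) emits each datagram as its own message, and concludes that re-joining them needs either a post-processing app or patterndb correlation. The following is an added example of such a post-processor, written for this page and not part of syslog-ng or the thread; it assumes that a continuation datagram carries no leading `<PRI>` syslog header (a constructed heuristic, since the original packet layout is not shown here), buffers partial messages per source host, and bounds the buffer and the idle time so a headerless flood cannot grow memory without limit.

```python
import re
import time

# Constructed sample datagrams (host, payload), in arrival order. The second and
# third have no "<PRI>" header and are assumed to be the tail of the first message.
SAMPLE_DATAGRAMS = [
    ("10.0.0.1", b"<189>123: *May  8 09:30:01.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp "),
    ("10.0.0.1", b"192.0.2.10(4444) -> 198.51.100.5(22), "),
    ("10.0.0.1", b"1 packet"),
    ("10.0.0.2", b"<189>456: *May  8 09:30:02.000: %SYS-5-CONFIG_I: Configured from console"),
    ("10.0.0.1", b"<189>124: *May  8 09:30:03.000: %LINK-3-UPDOWN: Interface Gi0/1, changed state to down"),
]

# Assumption: a datagram starting a new syslog message begins with "<PRI>".
PRI_RE = re.compile(rb"^<\d{1,3}>")
MAX_PENDING = 8192   # bytes buffered per host before the partial message is forced out
IDLE_TIMEOUT = 2.0   # seconds without a continuation before a partial message is emitted


class Reassembler:
    """Joins continuation datagrams onto the preceding message from the same host."""

    def __init__(self, max_pending=MAX_PENDING, idle_timeout=IDLE_TIMEOUT):
        self.pending = {}        # host -> (partial message bytes, last-seen timestamp)
        self.max_pending = max_pending
        self.idle_timeout = idle_timeout
        self.completed = []      # (host, full message) in emission order

    def feed(self, host, data, now=None):
        """Consume one datagram; return the list of messages completed by it."""
        now = time.monotonic() if now is None else now
        out = []
        if PRI_RE.match(data):
            # A new message starts: whatever was pending for this host is finished.
            prev = self.pending.pop(host, None)
            if prev is not None:
                out.append((host, prev[0]))
            self.pending[host] = (data, now)
        elif host in self.pending and len(self.pending[host][0]) + len(data) <= self.max_pending:
            self.pending[host] = (self.pending[host][0] + data, now)
        else:
            # No open message for this host (or the buffer cap was hit): emit the
            # fragment on its own rather than silently dropping it.
            out.append((host, data))
        self.completed.extend(out)
        return out

    def expire(self, now=None):
        """Emit partial messages that have not seen a continuation within idle_timeout."""
        now = time.monotonic() if now is None else now
        out = []
        for host in list(self.pending):
            data, seen = self.pending[host]
            if now - seen >= self.idle_timeout:
                out.append((host, data))
                del self.pending[host]
        self.completed.extend(out)
        return out

    def flush(self):
        """Emit everything still pending (e.g. at shutdown)."""
        out = [(host, data) for host, (data, _) in self.pending.items()]
        self.pending.clear()
        self.completed.extend(out)
        return out


def reassemble(datagrams):
    """Run a batch of (host, payload) datagrams through the reassembler."""
    r = Reassembler()
    for host, data in datagrams:
        r.feed(host, data, now=0.0)
    r.flush()
    return r.completed


if __name__ == "__main__":
    for host, msg in reassemble(SAMPLE_DATAGRAMS):
        print(host, msg.decode("ascii", "replace"))
```

In a live deployment this logic would sit behind a UDP listener (or read syslog-ng's output), call `expire()` periodically, and forward the joined lines on; because the join is only a heuristic, the original per-datagram records should be retained so that a mis-joined line can be audited against what actually arrived.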

