[syslog-ng] 3.2.5 and Multiline(?) messages from Solaris

Ray Van Dolson rvandolson at esri.com
Tue May 12 05:42:42 CEST 2015


Admittedly haven't done enough searching or testing on this, but am
hoping someone might have a quick answer.

Recently moved from the 2.x versions to 3.2.5 (as part of EPEL on
RHEL6).  Have noticed that we're no longer getting the full messages
from some Solaris boxen using the tcp() and udp() source definitions.

Messages like this:

May 10 02:29:30 dev-zfs2 scsi: [ID 365881 kern.info] /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):
May 10 02:29:30 dev-zfs2        Log info 0x31080000 received for target 24.
May 10 02:29:30 dev-zfs2        scsi_status=0x0, ioc_status=0x804b, scsi_state=0x0

Come through looking like this:

May 10 02:29:30 dev-zfs2 scsi: [ID 365881 kern.info] /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):

(Only the initial line)

However, messages like this one:

May  9 04:12:57 dev-zfs2 scsi: [ID 243001 kern.warning] WARNING: /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):
May  9 04:12:57 dev-zfs2        mptsas_handle_event_sync: IOCStatus=0x8000, IOCLogInfo=0x31110610

.. do seem to be coming through "whole" (I do note that the priority
is different in both).

Relevant config items are as follows:

log {
    source(remote);
    filter(syslog);
    destination(hosts_syslog);
};

source remote {
    udp();
    tcp();
    # udp(ip(0.0.0.0) port(514));
    # tcp(ip(0.0.0.0) port(514));
};

destination hosts_syslog {
    file("/logs/hosts/$HOST/$YEAR/$MONTH/syslog.$HOST.$YEAR.$MONTH.log"
        create_dirs(yes));
    pipe("/logs/hosts/everything.fifo");
};

filter syslog {
    (not facility(mail)
    and not filter(f_ucgw)
    and not filter(f_esx));
};

Will try and do some packet captures to confirm Solaris is, in fact,
sending the entire message (I believe it is since this worked on
syslog-ng 2.x).

Thanks,
Ray
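
Added example, not part of the original post and not syslog-ng code: a heuristic check that scans a per-host log file, such as the one written by the hosts_syslog destination above, for header lines ending in ":" whose indented continuation lines never arrived. The function name, the regular expression and the sample lines (adapted from the messages quoted in the post) are assumptions made for illustration.

```python
import re

# "Mon DD HH:MM:SS host rest", the layout shown in the post's log excerpts.
# The day field is space-padded ("May  9"), hence [ \d]\d.
LINE = re.compile(r'^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$')


def orphaned_headers(lines):
    """Return (timestamp, host, message) for every header line that ends
    in ':' but is not immediately followed by an indented continuation
    line from the same host with the same timestamp.

    Heuristic: assumes a per-host file in which a message's continuation
    lines directly follow its header line."""
    parsed = [m.groups() for m in map(LINE.match, lines) if m]
    orphans = []
    for i, (ts, host, msg) in enumerate(parsed):
        # Skip continuation lines and ordinary single-line messages.
        if msg[:1].isspace() or not msg.rstrip().endswith(':'):
            continue
        nxt = parsed[i + 1] if i + 1 < len(parsed) else None
        continued = (nxt is not None and nxt[0] == ts
                     and nxt[1] == host and nxt[2][:1].isspace())
        if not continued:
            orphans.append((ts, host, msg))
    return orphans


# Constructed sample: the kern.warning message arrived whole, the
# kern.info message arrived as its first line only.
SAMPLE = [
    "May  9 04:12:57 dev-zfs2 scsi: [ID 243001 kern.warning] WARNING: "
    "/pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):",
    "May  9 04:12:57 dev-zfs2        mptsas_handle_event_sync: "
    "IOCStatus=0x8000, IOCLogInfo=0x31110610",
    "May 10 02:29:30 dev-zfs2 scsi: [ID 365881 kern.info] "
    "/pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):",
]

if __name__ == "__main__":
    for ts, host, msg in orphaned_headers(SAMPLE):
        print(f"missing continuation: {ts} {host} {msg}")
```

Running the same function over the sender's local log and the collector's copy shows whether the continuation lines were lost in transit or never sent.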

