[syslog-ng] 3.2.5 and Multiline(?) messages from Solaris

Jim Hendrick jrhendri at roadrunner.com
Tue May 12 14:36:33 CEST 2015


You hit it, I think. The first thing is to capture packets on at least one end to isolate where this is happening.
Jim


Sent from my Verizon Wireless 4G LTE smartphone

-------- Original message --------
From: Ray Van Dolson <rvandolson at esri.com> 
Date: 05/11/2015  11:42 PM  (GMT-05:00) 
To: syslog-ng at lists.balabit.hu 
Subject: [syslog-ng] 3.2.5 and Multiline(?) messages from Solaris 

Admittedly haven't done enough searching or testing on this, but am
hoping someone might have a quick answer.

Recently moved from the 2.x versions to 3.2.5 (as part of EPEL on
RHEL6).  Have noticed that we're no longer getting the full messages
from some Solaris boxen using the tcp() and udp() source definitions.

Messages like this:

May 10 02:29:30 dev-zfs2 scsi: [ID 365881 kern.info] /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):
May 10 02:29:30 dev-zfs2        Log info 0x31080000 received for target 24.
May 10 02:29:30 dev-zfs2        scsi_status=0x0, ioc_status=0x804b, scsi_state=0x0

Come through looking like this:

May 10 02:29:30 dev-zfs2 scsi: [ID 365881 kern.info] /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):

(Only the initial line)

However, messages like this one:

May  9 04:12:57 dev-zfs2 scsi: [ID 243001 kern.warning] WARNING: /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):
May  9 04:12:57 dev-zfs2        mptsas_handle_event_sync: IOCStatus=0x8000, IOCLogInfo=0x31110610

... do seem to be coming through "whole" (I do note that the priority
is different in both).

Relevant config items are as follows:

log {
    source(remote);
    filter(syslog);
    destination(hosts_syslog);
};

source remote {
    udp();
    tcp();
    # udp(ip(0.0.0.0) port(514));
    # tcp(ip(0.0.0.0) port(514));
};

destination hosts_syslog {
    file("/logs/hosts/$HOST/$YEAR/$MONTH/syslog.$HOST.$YEAR.$MONTH.log"
        create_dirs(yes));
    pipe("/logs/hosts/everything.fifo");
};

filter syslog {
    (not facility(mail)
    and not filter(f_ucgw)
    and not filter(f_esx));
};

Will try and do some packet captures to confirm Solaris is, in fact,
sending the entire message (I believe it is since this worked on
syslog-ng 2.x).

Thanks,
Ray
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
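Before or alongside the packet capture Jim suggests, it helps to have a repeatable way to spot which multi-line Solaris messages lost their continuation lines in the collector's output. The following is an added example, not code from the thread or from syslog-ng: it regroups BSD-style syslog records into messages (a body starting with a tab, or two or more spaces, is treated as a continuation of the previous record from the same host) and flags heads that end in ":" with nothing following. The sample records are constructed from the ones quoted above, with the device paths written as Solaris emits them.

```python
import re

# Solaris syslogd forwards each line of a multi-line kernel message as its own
# record: continuation records repeat the timestamp and host, and their body
# starts with a tab (the mail archive renders it as a run of spaces).
_RECORD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+)(?P<body>.*)$"
)

def group_records(lines):
    """Reassemble head records with their continuation records.

    Returns a list of dicts {ts, host, lines}. A body that begins with a tab or
    with two or more spaces is appended to the previous message from the same
    host; anything else starts a new message.
    """
    messages = []
    for raw in lines:
        m = _RECORD.match(raw.rstrip("\r\n"))
        if not m:
            continue  # not a BSD-style syslog line; ignored by this check
        body = m.group("body")
        is_cont = body.startswith("\t") or body.startswith("  ")
        if is_cont and messages and messages[-1]["host"] == m.group("host"):
            messages[-1]["lines"].append(body.strip())
        else:
            messages.append({"ts": m.group("ts"), "host": m.group("host"),
                             "lines": [body.strip()]})
    return messages

def suspected_truncations(lines):
    """Messages whose head line ends in ':' but for which no continuation arrived."""
    return [m for m in group_records(lines)
            if len(m["lines"]) == 1 and m["lines"][0].endswith(":")]

# Constructed sample modelled on the records quoted in the thread (not real captures).
SENT = [
    "May 10 02:29:30 dev-zfs2 scsi: [ID 365881 kern.info] /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):",
    "May 10 02:29:30 dev-zfs2\tLog info 0x31080000 received for target 24.",
    "May 10 02:29:30 dev-zfs2\tscsi_status=0x0, ioc_status=0x804b, scsi_state=0x0",
    "May  9 04:12:57 dev-zfs2 scsi: [ID 243001 kern.warning] WARNING: /pci@0,0/pci8086,3410@9/pci15d9,400@0 (mpt_sas0):",
    "May  9 04:12:57 dev-zfs2\tmptsas_handle_event_sync: IOCStatus=0x8000, IOCLogInfo=0x31110610",
]
RECEIVED = [SENT[0], SENT[3], SENT[4]]  # what the collector wrote: first message lost its tail

if __name__ == "__main__":
    for name, data in (("sent", SENT), ("received", RECEIVED)):
        for m in suspected_truncations(data):
            print(f"{name}: {m['ts']} {m['host']} truncated head: {m['lines'][0]}")
```

The colon rule is a heuristic (a genuine single-line message ending in ":" is flagged too), so treat hits as candidates to compare against the decoded capture: a head flagged in the collector's file but whole on the wire points at the receiving side, a head already alone on the wire points at the sender.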
