[syslog-ng] message loss using multi-line-mode

Patrick Hemmer syslogng at stormcloud9.net
Mon Mar 28 18:01:09 CEST 2016


I raised this issue on an existing bug on the GitHub tracker, but it seems to
have gone unnoticed, so I'm repeating it here to try and get some
attention on the issue.

Using multi-line-mode without the multi-line-suffix option WILL result
in message loss.
When syslog-ng is running in multi-line-mode, it buffers multi-line
messages until it sees the start of a new message. When it sees the
start of a new message, it flushes the buffered message, and puts the
first line of the new message in the buffer. However, if syslog-ng shuts
down, or receives a SIGHUP (reload), any lines currently buffered are
discarded. Given that syslog-ng can't stay running forever, and it will
get shut down or SIGHUPd eventually, using this feature will result in
messages getting lost.

The message on the GitHub issue where I brought this up is:
https://github.com/balabit/syslog-ng/issues/140#issuecomment-197673887

-Patrick
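
The buffering behaviour described in the message above, as an added example that is not part of the original post and is not syslog-ng code: a simplified Python model of prefix-based multi-line assembly, run with and without a suffix pattern. The class name, the regular expressions and the sample log lines are constructed for illustration, and the suffix handling is an assumption about how an end-of-message pattern changes when a message is considered complete.

```python
import re

class MultiLineAssembler:
    """Simplified model of prefix-based multi-line assembly (hypothetical)."""

    def __init__(self, prefix, suffix=None):
        self.prefix = re.compile(prefix)
        self.suffix = re.compile(suffix) if suffix else None
        self.buffer = []      # lines of the message still being assembled
        self.delivered = []   # complete messages handed downstream

    def _flush(self):
        if self.buffer:
            self.delivered.append("\n".join(self.buffer))
            self.buffer = []

    def feed(self, line):
        # A prefix match starts a new message; only at this point is the
        # previously buffered message known to be complete.
        if self.prefix.search(line):
            self._flush()
        self.buffer.append(line)
        # With a suffix, the message is complete as soon as its end is seen.
        if self.suffix and self.suffix.search(line):
            self._flush()

    def stop(self):
        """Model shutdown or reload: pending lines are discarded, not sent."""
        lost, self.buffer = self.buffer, []
        return lost

# Constructed sample input: two multi-line records, each ending in "END".
SAMPLE = [
    "2016-03-28 18:00:01 ERROR request failed",
    "  at handler.run(handler.py:42)",
    "END",
    "2016-03-28 18:00:02 ERROR auth backend timeout",
    "  at auth.check(auth.py:17)",
    "END",
]

def run(suffix=None):
    """Feed SAMPLE, then stop; return (delivered messages, discarded lines)."""
    asm = MultiLineAssembler(r"^\d{4}-\d{2}-\d{2} ", suffix)
    for line in SAMPLE:
        asm.feed(line)
    return asm.delivered, asm.stop()
```

Without a suffix the second record is still in the buffer when `stop()` runs, so an audit trail built on this output is missing the last event before every restart.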