[syslog-ng] Does Syslog-NG Support Multiline Messages

Jim Hendrick james.r.hendrick at gmail.com
Sun Mar 26 17:55:46 UTC 2017


It does if the source does (check the documentation for file() or syslog()
options)

I also had a log source that sent related events in separate messages that
were interleaved with other messages and ended up using the program()
destination to send the logs to a custom handler I wrote.

Essentially I had multiple "keys" for incoming email messages that tied
events together like:
- a single incoming SMTP session (potentially with multiple messages)
- a single message ID with multiple events about the message (recipients,
attachments, anti-malware, etc)
- a single delivery connection (again with multiple messages)
- a single delivery message ID again with multiple events

The program parsed these in the real-time incoming stream, building internal
data structures (hash of hashes), and when it looked *complete* (including a
timeout) for a particular thing it would send the data across as JSON to
the destination (Elasticsearch in this case).

So - long answer to your question - Yes - in a few different ways :-)

Best,
Jim


On Sun, Mar 26, 2017 at 10:02 AM, Traiano Welcome <traiano at gmail.com> wrote:

> Hi
>
>  Does syslog-ng support multiline log messages?
>
> Thanks,
> Traiano
>
>
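
A sketch of the kind of handler described in the reply above, as an added example that is not Jim's program or part of the original thread: it reads one message per line on stdin (which is how a syslog-ng program() destination feeds its child process), groups interleaved events by a key, and emits one JSON record when a key looks complete or has been idle past a timeout. The line format, the key pattern, the `status` field as the completion marker, and the names `Correlator` and `IDLE_TIMEOUT` are assumptions made for illustration.

```python
import json
import re
import sys
import time

# Assumed (constructed) line format: "<KEY>: <field>=<value>", e.g. "4F2A1C: to=x@example.com"
LINE_RE = re.compile(r"^(?P<key>[A-F0-9]{6,}): (?P<field>\w+)=(?P<value>.*)$")
IDLE_TIMEOUT = 30.0  # seconds without a new event before a partial record is flushed


class Correlator:
    def __init__(self, timeout=IDLE_TIMEOUT):
        self.timeout = timeout
        self.pending = {}  # key -> {"fields": {field: [values]}, "last_seen": ts}

    def feed(self, line, now):
        """Add one log line; return the list of records finished by this call."""
        done = self.expire(now)
        m = LINE_RE.match(line.strip())
        if not m:
            return done  # unrelated or malformed line: ignore it
        rec = self.pending.setdefault(m["key"], {"fields": {}, "last_seen": now})
        rec["fields"].setdefault(m["field"], []).append(m["value"])
        rec["last_seen"] = now
        if m["field"] == "status":  # assumed final event for this key
            done.append(self._finish(m["key"], complete=True))
        return done

    def expire(self, now):
        """Flush keys idle longer than the timeout, marked as incomplete."""
        stale = [k for k, r in self.pending.items() if now - r["last_seen"] > self.timeout]
        return [self._finish(k, complete=False) for k in stale]

    def _finish(self, key, complete):
        rec = self.pending.pop(key)
        return {"key": key, "complete": complete, "events": rec["fields"]}


def main():
    corr = Correlator()
    for line in sys.stdin:  # one syslog-ng message per line
        for record in corr.feed(line, time.monotonic()):
            print(json.dumps(record), flush=True)


if __name__ == "__main__":
    main()
```

Timeouts are only evaluated when a new line arrives, so on a quiet stream a partial record stays in memory until the next message; the `complete` flag lets the downstream index tell truncated records from finished ones.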