[syslog-ng] Does Syslog-NG Support Multiline Messages

Scheidler, Balázs balazs.scheidler at balabit.com
Sun Mar 26 18:02:30 UTC 2017 

Theres also grouping-by() for your usecase for aggregating multiple
messages into a single one.


On Mar 26, 2017 19:55, "Jim Hendrick" <james.r.hendrick at gmail.com> wrote:

> It does if the source does (check the documentation for file() or syslog()
> options)
>
> I also had a log source that sent related events in separate messages that
> were interleaved with other messages and ended up using the program()
> destination to send the logs to a custom handler I wrote.
>
> Essentially I had multiple "keys" for incoming email messages that tied
> events together like:
> - a single incoming SMTP session (potentially with multiple messages)
> - a single message ID with multiple events about the message (recipients,
> attachments, anti-malware, etc)
> - a single delivery connection (again with multiple messages)
> - a single delivery message ID again with multiple events
>
> The program parsed these in realtime incoming stream, building internal
> data structures (hash of hashes) and when it looked *complete* (including a
> timeout) for a particular thing it would send the data across as JSON to
> the destination (Elasticsearch in this case)
>
> So - long answer to your question - Yes - in a few different ways :-)
>
> Best,
> Jim
>
>
> On Sun, Mar 26, 2017 at 10:02 AM, Traiano Welcome <traiano at gmail.com>
> wrote:
>
>> Hi
>>
>>  Does syslog-ng support multiline log messages?
>>
>> Thanks,
>> Traiano
>>
>> ____________________________________________________________
>> __________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=
>> syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>>
>
> ____________________________________________________________
> __________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?
> product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20170326/4ae3247b/attachment.html>

More information about the syslog-ng mailing list