[syslog-ng] multi-line logs and program/facility filters

Jim Hendrick james.r.hendrick at gmail.com
Fri Aug 10 14:39:16 UTC 2018


Not sure in this specific case - but I parsed some multi-line logs where
the lines were not consecutive (i.e. related parts could come in anywhere
in the stream) and I had to resort to a program() to handle them.
I wrote something to identify log messages by key "IDs" and store the data
in a hash table until all the parts of the message were received (or a
timer expired) and then sent them along to the SIEM.

Hope that might help.
Jim


On Fri, Aug 10, 2018 at 10:35 AM, Michael Thénault <michael.thenault at gmail.com> wrote:

> Hello,
>
> I have an issue with syslog-ng 3.16.1 and multi-line logs.
>
> I try to configure per-application filters using either the program
> name or a facility.
> The applications use the traditional syslog() from syslog.h.
> When an application logs multiple lines, only the first line is filtered.
> Indeed, the program name or facility is only applied to the first line.
>
> Example:
> $ logger -t testprog "line1
> line2
> line3"
>
> $ cat /var/log/messages
> 2018-08-10T16:26:14.000000+02:00 testprog: line1
> 2018-08-10T16:26:14.899505+02:00 line2
> 2018-08-10T16:26:14.899505+02:00 line3
>
> The log source is unix-stream("/dev/log");
>
> What can I do to fix this?
>
> Thanks in advance for your help.
>
> Thanks & Regards,
> Michael
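Jim's buffer-and-timer approach, as an added Python example (not code from the thread or from syslog-ng): lines carrying an assumed `id=<n> part=<i>/<total>` marker are held in a dictionary keyed by ID and released once every part has arrived, or flagged incomplete when a timer expires; lines without the marker pass through unchanged. The sample lines are constructed, and "sending along to the SIEM" is represented by returning the assembled string.

```python
import re
import time

# Constructed sample: parts of three messages arrive interleaved, as in Jim's stream.
# The "id=<n> part=<i>/<total>" marker is an assumed format, not anything syslog-ng emits.
SAMPLE = [
    "2018-08-10T16:26:14+02:00 app: id=42 part=1/3 user=alice",
    "2018-08-10T16:26:14+02:00 app: id=43 part=1/2 user=bob",
    "2018-08-10T16:26:15+02:00 app: id=42 part=3/3 result=ok",
    "2018-08-10T16:26:15+02:00 app: id=43 part=2/2 result=denied",
    "2018-08-10T16:26:16+02:00 app: id=42 part=2/3 action=login",
    "2018-08-10T16:26:17+02:00 app: id=44 part=1/2 user=carol",
]
LINE_RE = re.compile(r"id=(?P<id>\d+) part=(?P<idx>\d+)/(?P<n>\d+) (?P<body>.*)$")


class Reassembler:
    """Hold message parts keyed by ID; emit when complete or when the timer expires."""

    def __init__(self, timeout=5.0, clock=time.monotonic):
        self.timeout, self.clock = timeout, clock
        self.pending = {}  # id -> {"n": total, "parts": {idx: body}, "first": arrival time}

    def feed(self, line):
        """Return a message ready to forward (joined multi-part or plain line), else None."""
        m = LINE_RE.search(line)
        if not m:
            return line  # ordinary single-line message: forward unchanged
        key, idx, n = m["id"], int(m["idx"]), int(m["n"])
        entry = self.pending.setdefault(key, {"n": n, "parts": {}, "first": self.clock()})
        entry["parts"][idx] = m["body"]
        if len(entry["parts"]) == entry["n"]:
            return self._join(key, self.pending.pop(key), complete=True)
        return None

    def flush_expired(self):
        """Release partially received messages whose timer ran out, marked incomplete."""
        now = self.clock()
        stale = [k for k, e in self.pending.items() if now - e["first"] >= self.timeout]
        return [self._join(k, self.pending.pop(k), complete=False) for k in stale]

    @staticmethod
    def _join(key, entry, complete):
        # Parts are joined in index order, so arrival order in the stream does not matter.
        body = " | ".join(entry["parts"][i] for i in sorted(entry["parts"]))
        status = "complete" if complete else f"incomplete {len(entry['parts'])}/{entry['n']}"
        return f"id={key} [{status}] {body}"
```

Feeding `SAMPLE` line by line yields id 43 and then id 42 as complete messages; id 44 stays pending until `flush_expired()` is called after the timeout, which is where a periodic call from the program() loop belongs.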