[syslog-ng] Syslog messages not stored in separate lines

Balazs Scheidler bazsi77 at gmail.com
Tue Jan 31 21:18:31 UTC 2023


If there's an initialization error with a config at reloading, syslog-ng
can fall back to the old one. Can this happen? Or two destinations writing
the same file?

If the problem persists, can you create a minimal example, complete with
config and a sample message that you send, which reproduces the issue?

Thanks

On Tue, Jan 31, 2023, 20:44 Dragan Zecevic <dragan.zecevic at live.com> wrote:

>
> Hi Balazs,
> thank you for your reply.
> Yes, I used config like this for other sources as well and restarted
> syslog-ng service.
> I don't get why it doesn't work in this case. I was thinking it is up
> to the input.
>
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Balazs Scheidler <bazsi77 at gmail.com>
> *Sent:* Monday, January 30, 2023 6:48 AM
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Syslog messages not stored in separate lines
>
> This would be very strange indeed as the template of your file destination
> includes a newline character at the end of every message, so it should not
> depend on the input.
>
> You sure that this is the destination config that you quote here? Did you
> reload syslog-ng to use that config?
>
> On Sun, Jan 29, 2023, 13:55 Dragan Zecevic <dragan.zecevic at live.com>
> wrote:
>
>
> Hi,
> I am collecting logs from a network device. They configured syslog format
> on their source side to be RFC3164.
>
> On syslog-ng side I am using source and destination like this:
>
> source s_xxx {
>         network(
>                 ip(0.0.0.0)
>                 transport(tcp)
>                 port(xxx)
>                 flags(store-raw-message)
>         );
> };
>
>
> destination folder_xxx {
>         file(
>                 "/xxx/${R_YEAR}${R_MONTH}${R_DAY}/${SOURCEIP}_${HOST}_${R_HOUR}.log"
>                 template("${RAWMSG}\n")
>         );
> };
>
> syslog-ng version 3.34
> CentOS Linux release 7.9.2009
>
> The problem is that syslog messages are stored in raw format but not
> separated onto different lines. Parity bit of new message starts immediately
> after previous line - without space or enter.
>
> I have the same config for some other hosts and there log files are
> created with separate lines. Vendor says they can't change anything on
> source side.
>
> Do you have any idea what is the cause of this?
>
> Thank you.
>
> Br,
> Dragan
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
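
A diagnostic for the symptom described in this thread, as an added example that is not part of the original messages: it scans a log file's bytes for an RFC 3164 `<PRI>` header that starts mid-line and reports the byte just before it, which shows whether the sender put any delimiter between records. It assumes each run-together record begins with `<PRI>`; the function names and the sample lines are constructed for illustration.

```python
import re

# RFC 3164 PRI header: "<" + 1-3 digits + ">", value 0..191 (facility * 8 + severity).
PRI_RE = re.compile(rb"<(\d{1,3})>")


def find_run_together(data: bytes):
    """Return one finding per valid PRI header that starts mid-line.

    Each finding is (line_no, offset_in_line, facility, severity, preceding_byte).
    Heuristic: message text that itself contains "<NNN>" will also be reported.
    """
    findings = []
    for line_no, line in enumerate(data.split(b"\n"), start=1):
        for m in PRI_RE.finditer(line):
            pri = int(m.group(1))
            if m.start() == 0 or pri > 191:
                continue  # normal start of a record, or not a valid PRI value
            prev = line[m.start() - 1:m.start()]  # delimiter the sender used, if any
            findings.append((line_no, m.start(), pri >> 3, pri & 7, prev))
    return findings


def split_records(line: bytes):
    """Split one run-together line into individual records at each valid PRI."""
    cuts = [m.start() for m in PRI_RE.finditer(line) if int(m.group(1)) <= 191]
    if not cuts or cuts[0] != 0:
        cuts.insert(0, 0)  # keep any leading bytes that precede the first PRI
    return [line[a:b] for a, b in zip(cuts, cuts[1:] + [len(line)])]


# Constructed sample: line 1 is well-formed, line 2 holds two records glued together.
SAMPLE = (
    b"<134>Jan 31 20:44:01 fw01 app: session opened\n"
    b"<134>Jan 31 20:44:02 fw01 app: session closed<131>Jan 31 20:44:02 fw01 app: link down\n"
)

if __name__ == "__main__":
    for line_no, off, fac, sev, prev in find_run_together(SAMPLE):
        print(f"line {line_no} offset {off}: facility={fac} severity={sev} "
              f"preceded by {prev!r}")
```

Run against a real file with `find_run_together(open(path, "rb").read())`; a preceding byte such as `b"\x00"` or `b"\r"` points at sender-side framing, while an ordinary message character means nothing was written between records.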