syslog-ng does intentionally strip out new line characters.
Gmane
From: Balazs Scheidler <bazsi <at> balabit.hu>
Subject: Re: Multi-line Logs
Newsgroups: gmane.comp.syslog-ng
Date: 2008-07-03 09:19:22 GMT (6 weeks, 6 days, 15 hours and 21 minutes ago)
On Thu, 2008-07-03 at 11:17 +0200, Balazs Scheidler wrote:
> On Wed, 2008-07-02 at 18:31 -0400, Enigma wrote:
> > I have a host that sends mult-line messages (embedded newlines, not
> > separate syslog messages) from what I can tell syslog-ng strips out all
> > the newlines and replaces them with a space.
> >
> > Is there anyway to disable or modify (replace them with something else
> > that can be easily s/// in post-processing) this functionality without
> > changing the code and compiling from source?
> >
> > I have been through the syslog-ng manual and asked Mr. Google and I
> > cannot find anything on this topic.
>
> Newlines and stuff are incompatible with TCP transport. If you are using
> UDP, it could work, however as you point out syslog-ng removes all NLs
> from log messages in order not to ruin your logfiles.
>
> With my development snapshot the new syslog-protocol drafts are
> implemented, that too allows embedded NLs.
>
> This crude patch deletes the part that removes NLs from messages:
>
> diff --git a/src/logmsg.c b/src/logmsg.c
> index 139fb3a..adb9f2d 100644
> --- a/src/logmsg.c
> +++ b/src/logmsg.c
> @@ -522,11 +522,6 @@ log_msg_parse(LogMessage *self, gchar *data, gint length, guint flags, regex_t *
> self->stamp.time.tv_sec = now;
> }
>
> - for (oldsrc = src, oldleft = left; oldleft >= 0; oldleft--, oldsrc++)
> - {
> - if (*oldsrc == '\n' || *oldsrc == '\r')
> - *oldsrc = ' ';
> - }
> g_string_assign_len(&self->msg, src, left);
> }
>
>
> I might add something more sophisticated if you or anyone else can help me with finding out a
> good idea how to handle NLs when they are written to logfiles.
>
> E.g. you have a template like this:
>
> template("$DATE $HOST $MSG\n");
>
> If there's an NL in $MSG it'd probably break a lot of log parsers. If syslog-ng would repeat the syslog header
>
sorry, sent too early. Would it be enough if syslog-ng would be capable
of repeating the $DATE $HOST part for each line produced because of NLs
in MSG?
How do you want to use multi-line messages?
--
Bazsi
______________________________________________________________________________
Member info:
https://lists.balabit.hu/mailman/listinfo/syslog-ngDocumentation:
http://www.balabit.com/support/documentation/?product=syslog-ngFAQ:
http://www.campin.net/syslog-ng/faq.html
Print