On 11-07-12 11:31 AM, [email protected] wrote:
>
> most people don't put multi-line messages in syslog :-) technically the
> syslog spec says that a new line starts a new message.
Yeah.
> rsyslog defaults to escaping all control characters, so in a case where
> you do manage to get newlines inside a message, they should be escaped
> to #012 so that everything you send the message to will not break up the
> message.
OK. Fair enough. I just wanted to confirm that the presence of the
"#012" was normal and what most people dealing with multiline messages
are accepting as expected behavior.
'most people' won't expect it, but it is the expected behavior of rsyslog.
I'd be interested in hearing a better way of handling the newlines
> the problem is that you can get _lots_ of messages in a short amount of
> time, and they may not all be related.
That's possible in theory, yes I agree, but keep in mind we are
isolating this problem to the kmesg input for a single machine.
that doesn't really help much. I've seen the system generate a LOT of
messages in a very short amount of time. think hardware failures, or
iptables logs for examples
> also, it's actually pretty
> expensive to lookup the time when you are receiving a message.
Well, in the case of my installation, the kernel includes the timestamp
with the message. Perhaps that would be a requirement of the kmesg
input processor trying to infer multiline messages.
that's a boot or compile time option, whatever is done needs to work with
or without the timestamp.
> even with this being 3-4 messages, it would still be far more coherant
> than all of the lines arriving seprately (especially since separate
> lines may get reordered in transit)
Hrm. Is that advocacy for my thought that those couple of dozen lines
being sent by the kernel as a single message rather than a few dozen?
I'm saying that in the example you gave (where you say all those lines
should be one messaage), I'm saying that making it several messages (with
indented lines being part of the prior message) is still a huge win
compared to stock.
> do you want to make this query, or do you want me to?
Well, you probably have some good will there that will yield you more
attention than I, so if you don't mind, please go ahead. Can you let me
know when you have so I can follow?
I'll try to get this out today sometime.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
