David Lang <[email protected]> schrieb am Di., 8. Mai 2018, 20:09: > On Tue, 8 May 2018, Michael Lopez wrote: > > > Hi David, > > Thanks again for the reply. I'll try to delimit it at the > > file level and see if that works by using ERE. The issue with syslogng > was > > doing it at the file level is the message was already broken by the time > it > > hit the file layer. > > how is the message being generated? > > the API for sending/receiving data via TCP doesn't let you know where the > packet > boundries are as far as I know. >
No, TCP is a stream protocol and there is nothing like a packet in this context. The TCP stack is free to use any frame sizes it likes (see the rfcs for details). Nevertheless, an app can work in the stream as it likes, e.g. try a regex on each byte read. Maybe syslog-ng does that. Jgerhards has implemented a somewhat similar capabiility in imptcp (experimentally): it is the Multiline parameter, see https://www.rsyslog.com/doc/v8-stable/configuration/modules/imptcp.html Rainer > > If all your logs are single lines, then they should work by default. > > If you are trying to send multi-line logs, you have two choices with > rsyslog > > 1. escape the newlines in the middle of the messages before you send them > > 2. use the octet counting mode to send the logs via TCP > > personally, I would use the first method, because there are a lot of > things in > log processing that assume that messages are a single line, and while you > can > use octet counting to make rsyslog handle them, having to fix this in > every tool > you end up using is going to be more of a pain than having the escaped > character > sequence in the middle of your message. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
