syslog-ng

Multiline support for network sources

Open ryanfaircloth opened this issue 4 years ago • 1 comments

Description of the problem

For still all too common RFC3164 (not a standard) data sources, in particular Citrix Netscaler and VMware, support a "continued event" concept. Add a flag "continued" that will also be compatible with no-parse.

Proposed solution

If the event starts with a PRI, read the event until \n (current). Peek 5 bytes into the buffer; if the next 5 bytes do not begin a new PRI, read until \n. Repeat until a new PRI is found, to allow this nonstandard multi-line.

```
<135> 02/18/2021:23:32:02 GMT xxxxx0 : default SSLVPN Message 805119187 0 : "
post_sta_cgp_processing, Reconnect STA ticket received from STA server = fdffsfsdfsdfsdfsdfsdf
"
```

Alternatives

1. Convince vendors to follow standards.
2. Development of a time machine and sending myself back to the beginning of time to enjoy a universe full of people that try to follow standards, but in the cold vacuum of space I would also die, leaving the universe to the exactly zero people that follow standards at all times.

Additional context

ryanfaircloth, Feb 19 '21 03:02
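The PRI look-ahead framing proposed in the issue above, as an added example (not syslog-ng code and not written by the issue author). The names `frame_len`, `starts_with_pri` and `max_len` are hypothetical, and the size cap is an assumption added here so that a sender that never emits a new PRI cannot make the receiver buffer without bound.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the sample event from the issue, then a made-up next event. */
static const char SAMPLE[] =
    "<135> 02/18/2021:23:32:02 GMT xxxxx0 : default SSLVPN Message 805119187 0 : \"\n"
    "post_sta_cgp_processing, Reconnect STA ticket received from STA server = fdffsfsdfsdfsdfsdfsdf\n"
    "\"\n"
    "<134> constructed next event\n";

/* 1 if p[0..n) begins with a PRI: '<', one to three digits, '>' (5 bytes at most). */
static int starts_with_pri(const char *p, size_t n)
{
    size_t i = 1;
    if (n < 3 || p[0] != '<') return 0;
    while (i < n && i <= 3 && isdigit((unsigned char)p[i])) i++;
    return i > 1 && i < n && p[i] == '>';
}

/* Hypothetical helper: length of the first logical message in buf[0..len),
 * continuation lines included. Returns 0 when the boundary cannot be decided
 * yet (the caller reads more, or flushes on timeout/EOF). max_len bounds how
 * much an endless "continuation" from a sender can make the receiver buffer. */
size_t frame_len(const char *buf, size_t len, size_t max_len)
{
    int capped = len >= max_len;
    int multiline = starts_with_pri(buf, len);
    size_t pos = 0;
    if (capped) len = max_len;
    while (pos < len) {
        const char *nl = memchr(buf + pos, '\n', len - pos);
        if (nl == NULL) break;
        pos = (size_t)(nl - buf) + 1;
        if (!multiline)
            return pos;                 /* no leading PRI: plain line framing */
        if (len - pos >= 5 && starts_with_pri(buf + pos, 5))
            return pos;                 /* next line opens a new event */
        if (len - pos < 5 && !capped)
            return 0;                   /* cannot peek 5 bytes yet */
    }
    return capped ? len : 0;            /* forced cut at the cap, or need more */
}

int main(void)
{
    size_t n = frame_len(SAMPLE, strlen(SAMPLE), 8192);
    printf("first event is %zu bytes:\n%.*s", n, (int)n, SAMPLE);
    return 0;
}
```

On a stream, the last buffered event is only released once the next PRI arrives, so a receiver using this scheme also needs an idle timeout to flush it.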

Double \n separated messages will be supported for network sources as well after https://github.com/syslog-ng/syslog-ng/pull/5262 is merged.

HofiOne, Apr 30 '25 16:04